
July 26, 2018
Technology Service Providers for Banks
Recent surveys indicate that convenience is the primary reason why consumers select their preferred bank or credit union. Convenience in the form of mobile and online banking has become an important contributor to consumer satisfaction. As more banking transactions are delivered through digital channels, financial institutions that lack the in-house expertise are increasingly relying upon third-party vendors, specifically technology service providers (TSPs). TSPs develop the software and customer interfaces for customer account and payment services as well as maintain the digital technology.

In light of growing reliance on TSPs, regulators are scrutinizing how banks manage their operational risks, that is, the risk of loss having to do with failed internal controls, people, and systems, or from external events (as defined by the Basel Committee of Bank Supervision). Rising operational risks, specifically in the form of cyber risks (e.g., data breaches, insufficient customer data backups, and operating system hijackings), have compelled regulators to scrutinize security programs aimed at mitigating operational risk. Cyber-related disruptions can potentially weaken public trust and confidence in the financial system, thus increasing the potential of a systemic risk panic (i.e., run on bank) event. Consequently, managing cyber-related risks (relative to other types of financial risks) and the associated costs have grown in importance.

Regulatory Background

Banking regulators have a broad set of authorities to supervise third-party servicers, such as TSPs, that have contractual relationships with banks. In addition, an institution’s use of a TSP does not reduce the institution’s responsibility to ensure that actions are performed in a safe and sound manner. Activities taken through a TSP must meet the same regulatory requirements as if they were performed by the supervised depository institution itself.

Two laws are of interest: the Bank Service Company Act (BSCA; P.L. 87-856) and the Gramm-Leach-Bliley Act (GLBA; P.L. 106-102). The BSCA provided federal depository institution regulators with authority to examine and regulate TSPs that provide services to banks, including check and deposit sorting and posting, preparation of statements, notices, bookkeeping, and accounting. Section 501 of GLBA requires federal agencies to establish appropriate standards for financial institutions to ensure the security and confidentiality of customer information. In 2001, the prudential depository regulators issued interagency guidelines requiring banks to establish information security programs that, among other things, regularly assess the risks to consumer information (in paper, electronic, or other form) and implement appropriate policies, procedures, testing, and training to mitigate risks that could cause substantial harm and inconvenience to customers. The guidance requires banks to provide continuous oversight of third-party service providers to ensure that appropriate security measures are maintained.

The regulators periodically update guidance pertaining to third-party vendors. For example, the Federal Deposit Insurance Company (FDIC) emphasized in a 2008 Financial Institutions Letter (Guidance for Managing Third-Party Risk) that a financial institution’s management is ultimately responsible for risks arising when activities are conducted through third-party relationships. In October 2012, the Federal Financial Institutions Council (FFIEC) issued a revised Supervision of Technology Service Providers booklet; the Federal Reserve System, the FDIC, and the Office of the Comptroller of the Currency concurrently issued new Administrative Guidelines for the Implementation of the Interagency Program for the Supervision of Technology Service Providers. In April 2014, the FDIC re-issued suggested guidelines for bank directors to consider when outsourcing essential banking functions to TSPs.

Concerns Related to TSP Relationships

The Office of Inspector General at the FDIC (OIG-FDIC) frequently audits the FDIC’s oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage. In the recent 2017 audit, the OIG-FDIC reviewed 48 contracts negotiated between TSPs and 19 banking firms and underscored the following concerns.

• Some contracts lacked provisions that would contractually require TSPs to implement appropriate measures to meet objectives stated in the Interagency Guidelines (e.g., protecting against unauthorized access to or use of sensitive nonpublic personal information).

• Some contracts lacked provisions that would establish business continuity plans, or provisions specifying how quickly operating systems would be restored after a cyber-related disruption. Some contracts had limited information and assurance that TSPs would have sufficient recovery capabilities if their systems were compromised.

• Some contracts lacked provisions that would require TSPs to provide incident response reports after an adverse incident. Banks should be notified when incidents, such as unauthorized access or misuse of customer information stored in a TSP’s data system, occur; the actions taken; the response times; and controls taken to prevent further adverse incidents.

• The TSPs drafted most of the contracts reviewed by the OIG-FDIC. As a result, some contracts’ terms may not have been clearly defined or may have been subjective, making it difficult to understand the rights and responsibilities of both parties. Although contracts negotiated between larger banks and TSPs typically contain more detailed provisions, the OIG-FDIC noted inconsistencies.

• The OIG-FDIC noted that 41 of the 48 contracts allowed TSPs to use subcontractors, further increasing the possibility of compliance, operational, and reputational risks. In June 2008, however, the FDIC stated that contracts should prohibit TSPs from subcontracting unless the same due diligence standards used to select the TSP are met by subcontractors. The OIG-FDIC did not find sufficient evidence that comprehensive due diligence was performed by some banking firms.

Coordination Among Regulators

Collaboration among financial regulators arguably facilitates detection of potential financial risks. Federal, state, and self-regulatory organizations have entered into information-sharing agreements to facilitate oversight responsibilities and coordinate compliance challenges. U.S. federal financial regulators on the Financial Stability Oversight Council share information to detect systemic risks to the U.S. financial system. H.R. 3626, the Bank Service Company Examination Coordination Act, would clarify the authority of state regulators to examine certain TSPs in coordination with federal regulators. The bill also provides for information sharing between state and federal regulators with respect to TSPs, thus facilitating the detection of operational risks related to cyber disruptions.

Challenges for Financial Institutions

Despite concerns pertaining to an operational risk event, enhanced compliance standards may still pose challenges, particularly for community banks and small credit unions.

• Greater due diligence in selecting TSPs and improved contract structuring may still be costly for institutions lacking sufficient contracting and IT knowledge expertise to gauge potential TSP risks. Some banks may also lack the resources to monitor contract compliance to ensure that the TSPs are adhering to GLBA and other regulatory requirements.

• Although the industry consists of many TSPs, only a few large TSPs currently provide the majority of digital products to the financial industry. Some bankers suspect that the large TSPs may practice oligopolistic pricing. Banks’ vendor choices may be limited, however, to the extent operational risks may be greater with some smaller and perhaps less experienced TSPs.

• Given lower transaction volumes and costly digital services, some industry observers report that community banks have adopted digital processing technology at slower rates relative to larger banking and fintech firms, possibly inhibiting the ability to compete in various niche product markets. Additional requirements placed on TSP contracts will likely increase the costs and, therefore, the difficulty for some of the small depository institutions to close existing technology gaps.

Additional Resources

Michael B. Benardo, Kathryn M. Weatherby, and Robert J. Wirtz, “Managing Risks in Third-Party Payment Processor Relationships,” Supervisory Insights, Summer 2011.

Office of Inspector General—Federal Deposit Insurance Corporation, Technology Service Provider Contracts with FDIC-Supervised Institutions, Office of Audits and Evaluations, Report No. EVAL-17-004, February 2017.

Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. Part 364, February 2001, at https://ithandbook.ffiec.gov/media/resources/3530/occ-12cfr30_ap_b_inter_guid_estab_stand_safe_info.pdf.

Interagency Guidelines Establishing Standards for Safeguarding Customer Information, Federal Reserve System Examiner Guidance, at https://www.federalreserve.gov/boarddocs/srletters/2001/sr0115a1.pdf.

International Convergence of Capital Measurement and Capital Standards: A Revised Framework Comprehensive Version, Basel Committee on Banking Supervision, June 2006, at https://www.bis.org/publ/bcbs128.pdf.

Federal Deposit Insurance Corporation, Guidance for Managing Third-Party Risk, FIL-44-2008, June 6, 2008.

Federal Deposit Insurance Corporation, Technology Outsourcing: Informational Tools for Community Bankers, FIL-13-2014, April 7, 2014.

Government Accountability Office, Better Information Sharing Among Financial Services Regulators Could Improve Protections for Consumers, GAO-04-882R, June 29, 2004, at https://www.gao.gov/products/GAO-04-882R.

Government Accountability Office, Financial Technology: Additional Steps by Regulators Could Better Protect Consumers and Aid Regulatory Oversight, GAO-18-254, March 2018, at https://www.gao.gov/assets/700/691290.pdf.

Penny Crosman, “Can Big Four Core Banking Vendors Oligopoly Be Broken?” American Banker, October 7, 2013.

Bryan Yurcan, “Automation is Leveling the Commercial Lending Playing Field,” American Banker, October 19, 2017.

CRS In Focus IF10163, Cybersecurity and Information Sharing, by N. Eric Weiss.

CRS Report R44429, Financial Services and Cybersecurity: The Federal Role, by N. Eric Weiss and M. Maureen Murphy.

Darryl E. Getter, Specialist in Financial Economics
IF10935
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10935 · VERSION 3 · NEW