Responding to the FDIC’s Letter to Avoid Vendor Contract Gaps

A letter from the Federal Deposit Insurance Corp. (FDIC) issued Tuesday, April 2, contained a warning that caught the attention of many financial institutions and their vendors. Specifically, the FDIC stated that it had encountered a number of situations where banks were not sufficiently controlling the risk associated with their supplier relationships.

The agency emphasized that when banks utilize third-party service providers, their “board of directors and senior management are responsible for managing the risks posed by those services as if they were performed within the institution.” The letter noted that over the course of recent examinations, the agency observed some banks’ contracts with their vendors had “not adequately defined the rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks.”

In short, the FDIC wants the formal agreement between an institution and a vendor to clearly outline the responsibilities (and liabilities) of each of party in the event of an incident, like a systems failure, for example. This sounds reasonable and prudent, but, as with most rules, the specifics can make achieving the desired outcome very difficult.  One factor in play in that is complicating an institution’s ability to ensure compliance in this area is the influx of startup and early stage companies across the financial services industry.

By their very natures, these companies do not have the kind of balance sheets, public market oversight and history bankers (and regulators) prefer to see when doing their due diligence on a vendor.  These companies cannot accept exposure to large levels of liability. That is why in the years running up the digital revolution, large, publicly-traded vendors with a one-stop shopping inventory of products and services were so successful.  So, why don’t financial institutions continue to do business with these lower risk options?

In some instances, they do – usually across areas of the institution that are less dynamic, where the rate of change is slower and the change agents manageable. Note, however, there are fewer and fewer areas in banking to which this description applies.  Within digital banking – on both the consumer and commercial sides of the institution – the rate of change and the unpredictable impact of various change drivers are causing a number of banks to abandon the one-stop shop relationship they have had with the large, less risky, publicly traded companies. 

They are changing their approach because they need products and services that can keep pace with the ever-changing need of consumers. And, products and services with these attributes are almost exclusively found within startup and early stage fintechs. To paraphrase a well-known analyst from a very large research firm, “The large companies simply cannot keep pace with the rate of change in the market. Financial institutions must find a way to do business with startups and emerging fintechs if they wish to succeed at digital.”

But how does an institution satisfy the FDIC and, at the same time, remain competitive in the digital age, especially with the proliferation of these organizations across the landscape? 

Culture is Key. Technology is important and as Marc Andresen famously said, “Software is eating the world.” Even banking. However, the time spent doing the work required to build successful relationships with fintechs and meet regulatory requirements will be wasted without first focusing on culture. Concerning digital, you need to have or work toward having positive answers to these questions:

• Do you have a digital officer?
• Are there at least two people on your board that are digitally savvy?
• Are your compliance and legal experts on board with the digital strategy?

• Consider options for transfer of IP to in-house IT or to another hosting option in the event the fintech encounters enough volatility to make its failure a possibility.
• Adapt and adjust IT and procurement risk assessments to better manage the risk tolerance of a fintech’s viability, size and technology.
• Consider the value the fintech partnership brings to the financial institution in terms of innovation, improved customer satisfaction, and modernization of the bank’s IT infrastructure.

The Bottom Line: The FDIC’s focus on ensuring that both parties clarify liabilities and responsibilities do not preclude any of the suggestions above. Its direction just makes good sense. It does not change the fact that the greatest risk in the current environment is doing nothing, and the second is doing the same thing over and over expecting a different outcome.  These are both the most obvious and most difficult axioms of the digital age to convey, but to quote Yoda, “Do or do not. There is no try.”