Written by Shari R. Pogach, Regulatory Paralegal
The Federal Financial Institutions Examination Council (FFIEC) has revised its Business Continuity Planning Booklet with a new appendix entitled Appendix J: Strengthening the Resilience of Outsourced Technology Services. In addition to providing guidance for examiners in evaluating financial institution and service provider risk management processes, the booklet was also designed to help financial institutions with business continuity process implementation.
The FFIEC recognizes that many financial institutions depend on third-party service providers to perform or support critical operations but warns that this does not relieve the institution from its responsibility to ensure that outsourced technology activities are conducted in a safe and sound manner. Oversight of these outsourced relationships is the responsibility of the institution’s board of directors and senior management. To be effective, a third-party management program will provide the framework for management to identify, measure, monitor and mitigate the risks associated with outsourcing.
In its release the FFIEC states, “Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner.”
The appendix discusses four key elements of business continuity planning that should be addressed to ensure that an institution is contracting with technology service providers that are strengthening the resilience of technology services. The appendix covers:
- Third-Party Management - addresses management’s responsibility to control the business continuity risks associated with its technology service providers and their subcontractors.
- Third-Party Capacity - addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.
- Testing with Third-Party Technology Service Providers - addresses the importance of validating business continuity plans with technology service providers and considerations for a robust third-party testing program.
- Cyber Resilience - covers aspects of business continuity planning unique to disruptions caused by cyber events.
314(a) Fact Sheet. The Financial Crimes Enforcement Network’s (FinCEN) most recent 314(a) Fact Sheet indicates the agency’s 314 Program Office has processed 2,391 law enforcement requests as of February 3, 2015. FinCEN’s regulations under Section 314(a) allow federal, state, local and European Union law enforcement agencies to contact and work with more than 22,000 financial institutions to locate financial assets and transactions of subjects of criminal investigations. As a result, the program has afforded productive leads for both terrorist financing (464 cases) and money laundering (1,927 cases) investigations. According to current feedback from law enforcement to the agency, 95 percent of 314(a) requests have contributed to arrests or indictments.
SAR Stats. FinCEN’s January 15 quarterly update of suspicious activity report (SAR) filings by depository institutions indicates credit unions filed 77,972 SARs in 2014, up 24 percent from a total of 62,877 the previous year. FinCEN’s statistics track filings from March 1, 2012 through December 31, 2014. The top five types of suspicious activity reported were: multiple transactions below the currency transaction reporting threshold; suspicions regarding the source of funds; transaction with no apparent economic, business or lawful purpose; transaction not in customer’s normal pattern; and suspicious usage of multiple locations. The top five states for overall filings were California, New York, Ohio, Texas and Florida.