Comptroller Curry Takes Vendor Management Message To Third-Party Providers

OCC Vendors Community Banks Privacy/Cyber Risk & Data Security

On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”