As more lenders turn to third parties, regulators are emphasizing the importance of gauging the potential risks involved.
“You have to assess not only the vendor; you may also have to assess the vendor’s relationships. Some of these third parties have connections to other institutions and servicers,” Comptroller of the Currency Thomas Curry said in a speech to the Independent Community Bankers of America.
“Each new relationship and connection provides potential access points to all of the connected networks, thereby introducing more complexity as well as new and different weaknesses into the system,” Curry added.
This follows a report last week that the source code for an Android mobile banking Trojan application was released on an underground forum, opening the door to a large number of cyber attacks.
With the increased threat, Curry outlined three areas to be concerned about.
1. The extent to which service providers are consolidating
“This means that more financial institutions are dependent upon a single vendor. Where that happens, deficiencies at one vendor have the potential to affect a large number of banks simultaneously.”
2. The rising reliance by banks, directly and indirectly, on foreign-based subcontractors to support critical activities
“Third-party service providers and subcontractors of third parties that operate in foreign jurisdictions present unique problems,” he said. “Banks need to consider the legal and regulatory implications of where their data is stored or transmitted, and make a determination as to whether geographic limitations are needed in their contracts.”
3. The access third parties have to large amounts of sensitive bank or customer data
“For an industry in which reputation means everything, a single data breach involving confidential customer information can be extremely costly,” Curry said. Banks are particularly vulnerable to events that erode trust, and once an institution’s reputation is damaged, it can take years to repair.