While what happens in Vegas may sometimes stay in Vegas, when a community bank experiences a customer data breach, that typically makes the news. So what steps should a financial institution take to ensure it meets the requirements of the Gramm-Leach-Bliley Act (GLBA)?
From loan reviews to service organization controls (SOC) reports, community banks often choose to outsource a spectrum of services. While outsourcing allows a financial institution to shift daily functions to a third-party vendor, it still retains responsibility for those activities. Therefore, federal regulations require community banks to develop and maintain a vendor risk management program designed to protect customer data.
The GLBA requires financial institutions to take various steps to provide physical, technical, and administrative safeguards for customer records and data. These requirements include vendor oversight, and for compliance, a community bank must:
• Apply appropriate due diligence when choosing service providers,
• Require service providers via contract to implement proper data security processes, and
• Monitor service providers through activities such as reviewing audits and test results as directed by the bank’s risk assessment. Additionally, for high-risk vendors (such as outsourced core processors and Internet-banking providers), the bank should monitor and validate controls through periodic self-assessments or other means.
3 Steps for Completing a Community Bank Vendor Risk Assessment
The GLBA emphasizes a risk-based approach to compliance, which can minimize the burden for smaller community banks. The appropriate scope of a vendor management program depends on the bank’s size and risk profile. Therefore, banks should begin by conducting a risk assessment, as outlined in the three steps below.
(1) Inventory all vendors with access to customer data.
(2) Detail each vendor’s access, including whether it is physical, remote, on-site electronic, or another type of access.
(3) Prioritize vendors according to access levels and the potential impact of a related breach on the bank and its customers. Remember that access is not necessarily defined by job function. For example, a janitorial service may not deal with customer data, but it may have physical access if it works unsupervised in a room with unlocked filing cabinets.
Know When to Hold ’Em.
Based on the community bank’s risk assessment and available resources, management can establish appropriate policies and procedures for selecting vendors, reviewing service contracts, and overseeing vendor operations. Does your community bank have established vendor risk management policies? If you have questions about how to protect customer data, contact CRI.