BOL Conferences
#311667 - 02/02/05 08:51 PM Confidentiality agreements
Ellis Offline
Junior Member
Ellis
Joined: Feb 2003
Posts: 25
Can someone give me the regulatory site where it says that banks have to have confidentiality agreements with third-party vendors who might have access to their customers' non-public information? I know it is from the G-L-B Act but have not been able to find the information security site to reference. Thank you in advance.

Security - PUBLIC
#311668 - 02/10/05 04:31 PM Re: Confidentiality agreements
GregS Offline
100 Club
Joined: Jan 2005
Posts: 135
Sunny Florida
HeeereYaaaGo.
I believe this is the FDIC IT Handbook:
The IT Handbook’s “Outsourcing Technology Services Booklet” lists detailed contract recommendations for TSPs. Institutions should tailor these recommendations to e-banking services as necessary.
_________________________
We shall endeavor to persevere.

#311669 - 02/11/05 04:14 PM Re: Confidentiality agreements
E.E.G.B Offline
Power Poster
E.E.G.B
Joined: Jul 2002
Posts: 6,726
the sandy shore
It's in the section pertaining to safeguarding customer information - 508, I want to say, although I've been reading obscure laws for three days now and that might not be the right number. Anyway, it's in the section regarding vendor management. The regulatory agencies' FILs on the topic also give some guidance.
_________________________
I disbelieved what he was saying so hard, I probably created an alternate universe where it wasn't true.

#311670 - 02/11/05 07:31 PM Re: Confidentiality agreements
Reads Regs Offline
Diamond Poster
Joined: Nov 2004
Posts: 2,310
Section 501(b) of title V of the GLBA requires us to safeguard customer information and it required the regulatory agencies to issue guidelines. The OTS guidelines for safeguarding of customer information can be found in Appendix B of 12 CFR part 570. Here is the text of section III. D. of the guidelines.

"D. OVERSEE SERVICE PROVIDER ARRANGEMENTS. You shall:
1. Exercise appropriate due diligence in selecting your service providers;
2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you should review audits, summaries of test results, or other equivalent evaluations of your service providers."

There is also something in the privacy regulations that requires something in your contract if you enter into a joint marketing agreement. Here is the text of section 573.13 of the OTS regulations.

"§ 573.13 Exception to opt out requirements for service providers and joint marketing.
(a) General rule.
(1) The opt out requirements in §§573.7 and 573.10 do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you:
(i) Provide the initial notice in accordance with §573.4; and
(ii) Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in §573.14 or 573.15 in the ordinary course of business to carry out those purposes.
(2) EXAMPLE. If you disclose nonpublic personal information under this section to a financial institution with which you perform joint marketing, your contractual agreement with that institution meets the requirements of paragraph (a)(1)(ii) of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in §573.14 or 573.15 in the ordinary course of business to carry out that joint marketing."

#311671 - 02/11/05 09:13 PM Re: Confidentiality agreements
E.E.G.B Offline
Power Poster
E.E.G.B
Joined: Jul 2002
Posts: 6,726
the sandy shore
(501, 508, whatever works.) Thanks for posting the data, regs!
_________________________
I disbelieved what he was saying so hard, I probably created an alternate universe where it wasn't true.

#311672 - 02/14/05 02:47 PM Re: Confidentiality agreements
Retired DQ Offline
10K Club
Retired DQ
Joined: Dec 2002
Posts: 40,766
Turnpike Exit 10
Ellis, I have a confidentiality agreement that we have been using for vendors; if you send me your email address, I can send it to you.
_________________________
Get your facts first, then you can distort them as you please. - Mark Twain

#311673 - 03/24/05 08:59 PM Re: Confidentiality agreements
Dip Offline
Power Poster
Dip
Joined: Mar 2005
Posts: 6,298
San Diego, CA
It's in the "Interagency Guidelines Establishing Standards for Information Security." New guidelines came out this month, though, which add another provision for the agreements, called "Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice."
_________________________
Dabbling in banking, law, accounting...the life of a trustee.

#311674 - 04/23/05 03:46 PM Re: Confidentiality agreements
Sisyphus Offline
100 Club
Sisyphus
Joined: Jun 2004
Posts: 214
Connecticut
_________________________
Michele A. Johnson, Compliance Manager Integrated Compliance Solutions, LLC
