Vendor Compliance With InfoSec Guidelines
Question:
DirectPointe provides managed computing services that include remote PC and Network Management services. We are working with a community bank in Utah that is interested in our services, but is concerned with any regulatory issues that may not allow us to have remote access to their network and PCs (since their network is connected to a service bureau, which has confidential information). Can you provide any information/insight into this issue? Can we provide remote services and if so, does our company need to meet certain requirements? Please let me know if you have recommendations.
Answer:
Unless DirectPointe is working under a preexisting contract (prior to the grandfather date of March 5, 2001), the bank must have a contract which requires the service provider to have an InfoSec Program which is designed to achieve the objectives of the InfoSec Guidelines for financial institutions. This is no small burden. If the service provider were a professional who already has a duty under a professional code of conduct to protect customer information, like attorneys and CPAs do, then the bank would have the discretion to decide whether you will oversee his program on a continuing basis. DirectPointe does not qualify for this exception, so the bank is responsible for monitoring DirectPointe's InfoSec program. A service provider's program does not have to meet the InfoSec Guidelines required of banks, but must be designed to achieve the same goals. This means it has to be an honest attempt at a comprehensive approach to information security. DirectPointe will want to make it as easy for the bank to monitor its program as possible, so it will be providing reports on a regular basis (quarterly is the very least I would consider).
In my opinion, DirectPointe should also sign a confidentiality agreement, and that can be a part of the contract. That would just be good practice, not essential, but there is also no reason to leave it out of the contract.
First published on BankersOnline.com 12/3/01