22 September 2021
GLBA Vendor Confidentiality Agreement
Author: Anna Pilsniak. Category: Uncategorized.
This article aims to focus on certain issues that financial institutions wish to take into account when concluding service contracts. It is not intended to replace legal advice. Legal contracts should always be verified by the legal counsel or lawyer of a company or financial institution before an agreement is reached.

Compliance with laws. The Provider represents and warrants that the Services are provided in accordance with all applicable laws, rules and regulations and that it will immediately renew at its own expense all Services that do not meet this standard. Seller acknowledges that BANK is subject to the GLB Act, Title V ("GLBA") and that Seller is considered a service provider under GLBA. During the term of this Agreement, Seller shall have appropriate administrative, technical and physical security measures in place to protect against unauthorized access to or use of Customer Information managed by Seller or its subcontractors or suppliers that may result in significant damage or inconvenience to BANK or a customer, as set forth in GLBA, in order to (i) ensure the security and confidentiality of such data; (ii) contribute to the protection against anticipated or reasonably foreseeable threats or hazards to the security or integrity of such bank data; (iii) contribute to the protection against unauthorized access to or use of such bank data; and (iv) ensure that bank data is properly disposed of.

Using a risk-based vendor due diligence approach solves this problem. It focuses your efforts where they are most advantageous, which coincidentally corresponds to the areas highlighted by regulatory guidelines.
There are four important steps towards risk-based vendor due diligence.

Demanding contractual liability. Most providers include contractual exclusions of liability for consequential damages and a general (surprisingly low) liability cap, but banks should insist on certain exceptions to the cap, including obligations for compensation in the event of a breach of confidentiality or security procedures by providers.

Compliance with legal provisions. If the third party has access to personal data, certain security procedures are mandatory by law. For example, the Gramm-Leach-Bliley Act requires service providers to comply with the Safeguards Rule, which requires organizations to have a security program in place that ensures the security and privacy of customer data. And that's sufficient due diligence for all your general suppliers, the risk category that probably makes up the vast majority of your supplier list.

No one likes to be told what to do; it's just human nature. It's no wonder that banks continue to align with recently strengthened regulatory guidelines for supplier management and auditing. But remember that knowing your suppliers and understanding the risks they pose to your institution is much more than just a compliance requirement. In today's complex, interconnected environment, it is necessary in order to operate successfully.
Regulators have stressed the importance of applying a comprehensive risk management process throughout the lifecycle of the supplier relationship, from supplier selection and performance monitoring to the end of the relationship. Transactions between financial institutions and their technology service providers are often regulated by GLBA. Lawyers must determine whether the transaction involves personally identifiable financial information and, if so, whether the seller will have access to the records at any time. These two questions determine whether the provider is a service provider under the GLBA Safeguards Rule. . . .