Accountability for Third-Party Breaches

Recent Breach Reiterates Need for Stronger Security


The breach of a card loyalty marketing company this week has reignited discussions about the roles banking institutions, regulators and others play when it comes to mitigating third-party risks (see Vendor Breach Exposes Card Data, PII).

U.S. banking regulators have made it clear they're looking to banking institutions and others to ensure the security standards of the payments processors and vendors with which they work are up to par. But banking institutions have repeatedly said ensuring ongoing security of outside entities is difficult - and they need regulators to step in and help.

Banking institutions should scrutinize the security practices of the third parties to which they outsource. ... But they can't bear all of the responsibility.

The problem is, while everyone is debating the lines that should be drawn, breaches are still occurring. But perhaps publicity about these incidents will serve as a catalyst for regulatory action.

Need for Oversight

Al Pascual, senior analyst for the consultancy Javelin Strategy & Research, says breaches like the one that struck Loyaltybuild, the third-party loyalty branding company in Ireland, reinforce the need for more oversight of outsourcers and other third parties.

Earlier this year, the National Association of Federal Credit Unions asked Congress to hold breached retailers, processors and other third parties accountable when their lax security practices result in the leakage of card data. The Five-Point Plan for Regulatory Relief recommends establishing national standards for the protection of all financial information, including payment card data. It also recommends holding merchants and others accountable for expenses, such as costs associated with card re-issuance, if card numbers and details are exposed during a breach.

The NAFCU also is asking that merchants, in particular, be required to share their data security policies with customers. And it recommends that the burden of proof after data breaches fall back onto the entity that is attacked, rather than, as is the current practice, relying on card issuers to trace the fraud back to a common point of suspected compromise.

Additionally, the trade association's plan calls for creating uniform federal enforcement standards for data security, which would prevent merchants and other outside parties from storing card and other financial information.

That kind of enforcement might have made a difference in a breach like the one suffered by Loyaltybuild, says Neira Jones, a card fraud expert in the United Kingdom. "The third party was obviously storing data, which was not protected with common sense security practices," Jones says.

Data storage by a third party is addressed in the most recent version of the Payment Card Industry Data Security Standard, which was issued Nov. 7 and takes effect in January (see PCI Update: Focus on Third-Party Risks).

Security Complacency

Banking regulators have addressed third-party risks, too. But they contend the onus to ensure third-party security falls on the banking institutions.

The Office of the Comptroller of the Currency recently issued updated guidance about how to address third-party risks (see OCC: New Guidance for Third-Party Risks).

The OCC's updated guidelines note eight specific areas where banking institutions need to make improvements to their vendor management programs. And the OCC points out that banking institutions face new and increased operational, compliance, reputation, strategic and credit risks when dealing with third parties.

Other federal banking regulators, such as the Federal Deposit Insurance Corp., have issued similar warnings for banks (see FDIC: Improve Vendor Management).

And now it seems even some banking associations are jumping into the game by working to develop best practices banking institutions can follow to ensure they are adequately addressing third-party risks.
