
Rising Enforcement of FDIC Section 7 Assessments in Vendor Management


If you’ve been in the finance industry a while, you’ve seen the extraordinary evolution of the regulatory environment over the last decade. It seems there is a regulation for every aspect of operations for banks and credit unions, and it isn’t uncommon for older regulations that were never really implemented (or should I say enforced by our regulators) to suddenly be required. 

How has this come to be, and what does this mean going forward? Before we can fully wrap our heads around the current regulatory climate, it’s important to review a few important pitstops within the industry’s regulatory history.

The History of the Bank Service Company Act

The Bank Service Company Act (BSCA, July 1999) is one of the regulations that has more recently become enforced after a bit of a sabbatical. The BSCA and the Gramm-Leach-Bliley Act (GLBA, November 1999) are two legislative acts whose sections address some of the same issues and that are, shall we say, enforced differently depending upon the regulatory agency performing the exam and the team of examiners.

The Bank Service Company Act (BSCA; P.L. 87-856) and the Gramm-Leach-Bliley Act (GLBA; P.L. 106-102) both have so-called “forgotten requirements.” One of these forgotten requirements, found in BSCA Section 7, is the requirement to notify your prudential regulator of your contractual relationships with service providers (those who provide certain banking-related services).

The BSCA provides federal depository institution regulators with authority to examine and regulate third-party technology service providers (TSPs) who are providing check and deposit sorting and posting, preparation of statements, notices, bookkeeping and accounting services to banks and credit unions.

Evolution of the Bank Service Company Act

To understand this a bit more clearly, let’s look at a timeline around how the Bank Service Company Act evolved:

In 2001: Regulators issued interagency guidelines requiring banks to establish information security programs that regularly assess the risks to consumer information (in paper, electronic or other form) and implement appropriate policies, procedures, testing and training to mitigate risks that could cause substantial harm and inconvenience to customers.

In 2008: The guidance began to require banks to provide continuous oversight of vendors to ensure that appropriate security measures are maintained. Regulators continually update guidance pertaining to vendors. For example, the Federal Deposit Insurance Company (FDIC) emphasized in a Financial Institution Letter, Guidance for Managing Third-Party Risk, that a financial institution’s management is ultimately responsible for risks arising when activities are conducted through third-party relationships.

In June 2008, the FDIC also stated that contracts should prohibit TSPs from subcontracting unless the same due diligence standards used to select the TSP are met by subcontractors. The OIG-FDIC didn’t find sufficient evidence that comprehensive due diligence was performed by some banking firms.

In 2012: The Federal Financial Institutions Council (FFIEC) issued a revised Supervision of Technology Service Providers booklet. The Federal Reserve System, the FDIC and the Office of the Comptroller of the Currency (OCC) concurrently issued new Administrative Guidelines for the Implementation of the Interagency Program for the Supervision of Technology Service Providers.

In 2014: The FDIC re-issued suggested guidelines for bank directors to consider when outsourcing essential banking functions to TSPs. The National Credit Administration (NCUA), the primary regulator for the credit union system, shared similar concerns.

The Office of Inspector General at the FDIC (OIG-FDIC) also began to frequently audit the FDIC’s oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage.

In the 2017 audit, the OIG-FDIC reviewed 48 contracts negotiated between TSPs and 19 banking firms and underscored the following concerns:

  • Contracts lacked provisions that would contractually require TSPs to implement appropriate measures to meet objectives stated in the Interagency Guidelines (e.g., protecting against unauthorized access to or use of sensitive nonpublic personal information).
  • Contracts lacked provisions that would establish business continuity plans, or provisions specifying how quickly operating systems would be restored after a cyber-related disruption.
  • Some contracts had limited information and assurance that TSPs would have sufficient recovery capabilities if their systems were compromised.
  • Contracts lacked provisions that would require TSPs to provide incident response reports after an adverse incident. The OIG-FDIC stated that banks should be notified when incidents such as unauthorized access to or misuse of customer information stored in a TSP’s data system occur, along with the actions taken, the response times and the controls put in place to prevent further adverse incidents.
  • TSPs drafted most of the contracts reviewed by the OIG-FDIC. As a result, some contracts' terms may not have been clearly defined, making it difficult to understand the rights and responsibilities of both parties. Although contracts negotiated between larger banks and TSPs typically contain more detailed provisions, the OIG-FDIC still noted inconsistencies in operational risk-mitigation procedures and expectations.
  • The OIG-FDIC noted that 41 of the 48 contracts it reviewed allowed TSPs to use subcontractors, further increasing compliance, operational and reputational risks.

The Major Change to the Enforcement of Section 7

Since July 1999, Section 7 of the BSCA has required depository institutions to notify their respective federal banking agency, in writing, of contracts or relationships with service providers that provide certain services.

From the date the Act took effect until about five years ago, the only enforcement of the action by any member of the FFIEC was a casual suggestion dropped during an exam. Over the last two or three years, I’ve seen examiners “suggest” a financial institution perform this task. Today, we’re seeing examiners of banks and credit unions require financial institutions to comply with this guidance. This is a big change!

The specific technical services covered by the Act include:

  • Check and deposit sorting and posting
  • Computation and posting of interest
  • Preparation and mailing of checks or statements
  • Miscellaneous clerical, bookkeeping, accounting, statistical or similar functions.

By any interpretation, that pretty much covers all of a financial institution’s critical and high-risk vendors.

The various federal agencies charged with examining financial institutions have also interpreted the notification requirement to include third parties that provide data processing, internet banking and mobile banking services. The BSCA subjects these same service providers to regulation and examination by the federal banking agencies to the exact same extent as though the services were being performed by the financial institution itself. Over the last three years, we’ve seen some fintechs struggle to meet the same regulatory requirements every other type of financial institution has to meet.

What You Need to Do to Comply

Today, as examiners are making their rounds, they’ll ask every bank or credit union to provide the information requested on the Notification of Performance of Bank Services form.

The bad news. Examiners (FDIC, OCC, Federal Reserve, NCUA) are indicating that banks and credit unions will have to provide their prudential regulators with this information going forward. The form itself is not a requirement; however, the information on the form for all your critical and high-risk vendors is required. So, find a format that works for your organization and send the information to your regulator(s). I’ve begun to hear of financial institutions receiving a Matter Requiring Attention (MRA) for non-compliance.

The good news. A third-party risk management platform, like Venminder, can give you a report with the information you need in a very timely and efficient manner.

Don’t receive an MRA. Be proactive and start implementing this into your process today.

Make sure you are keeping your board in the loop throughout the entire compliance management process. Download the toolkit. 
