ing enforcement actions, to address identified issues by the bank or its third party.
Direct approach
Federal banking agencies can directly influence the actions of certain third-party service providers by examining those providers. While we don’t often hear the outcome of such exams, the extent of agency influence can be significant. An example is the 2013 formal agreement between the OCC, FDIC, Federal Reserve, and a technology service provider, Jack Henry & Associates. The agreement required Jack Henry to address weaknesses in its disaster recovery and business continuity program because they posed substantial risk to its client institutions.
Where a major provider is not receptive to implementing corrective action, the indirect and the direct approaches can work in concert. For example, risk initially identified at a client bank can serve as a catalyst for, or contributor to, the scope of an agency’s examination of a provider. Risks that hasten an exam typically pose significant potential exposure to the bank, and risks exacerbated by a provider’s inability to implement corrective action could accelerate the agency’s decision to examine that provider.
A Framework for Agency Reviews
Information technology service providers are one of the common critical vendors subject to examination. Using these entities as a general frame of reference, the following is a framework of the key elements considered:
Authority to Examine
Federal banking agencies are authorized by statute, such as the Bank Service Company Act (BSCA), to regulate and examine the services performed by certain third parties, such as technology service providers of financial institutions. The agencies apply a risk-based approach to the examination program, and the examinations may be conducted independently or in conjunction with a safety and soundness examination.
Information Technology (IT) Examination Examples:
■ Technology Service Provider (TSP) Examinations––Aimed at higher-risk independent data centers (IDCs), to identify risks that could adversely affect serviced financial institutions (IDCs are generally defined as TSPs that are not owned, controlled by, or otherwise affiliated with a financial institution).
■ Multi-Regional Data Processing Servicer (MDPS) Examinations––Aimed at providers that process mission-critical applications, such as general ledger or loan and deposit systems, for a large number of financial institutions with multiple regulators or geographically dispersed data centers.
■ Interagency Shared Application Software Reviews (SASR)––Aimed at software programs or systems used by numerous financial institutions. The review is an interagency shared effort to reduce the time and resources required to conduct examinations at individual institutions.
■ Follow-Up Reviews––Aimed at maintaining communications with providers between on-site examinations; identifying significant changes in management, products, services, or risk management practices affecting financial institutions; following up on previously identified issues; and confirming business-line or service provider risk designations and their examination priority in order to update supervisory strategies.
Alternate Review Methodologies
For lower-risk providers, i.e., those that pose a low degree of risk to the serviced financial institutions, an agency’s assessment is facilitated through the review of the financial institution’s vendor management program.
Examination Frequency
The number, frequency, and timing of supervisory reviews depend on the provider’s risk profile. The risk-based examination frequency schedule ranges between 24 and 48 months. Details are outlined in the Federal Regulatory Agencies’ Administrative Guidelines for Implementation of Interagency Programs for the Supervision of Technology Service Providers (October 2012), available at http://ithandbook.ffiec.gov/media/153533/10-10-12_-administrative_guidelines_sup_of_tsps.pdf.
Examination Findings
As with bank examination reports, regulators are generally prohibited from disclosing what they discover during an exam of a vendor. However, client institutions may request the reports from the vendor.
Are There Specific Steps that Can Help Advance Corrective Action?
The goal is to demonstrate the bank’s concerted responsiveness to examination findings and facilitate corrective action. Key questions to answer to help achieve this goal:
Is it only your institution?
■ Confirm with the service provider their rationale for the inability to implement corrective action. Do they have no alternatives to delivering the service, or service feature, at issue?
While banking institutions understand they are responsible for actions executed on their behalf, getting vendors to take the corrective action needed can be difficult and costly. This is particularly the case when the vendor service’s mission-critical functions are the only (or the major) game in town.