Financial services firms that receive approval to become bank holding companies will need to review and potentially amend their own and their subsidiary banks' agreements with outsourcing vendors to ensure that those agreements comply with the higher level of supervision and regulation applied to bank holding companies and banks. These new banking organizations and their subsidiary banks will now need to comply with regulations and guidelines issued by various agencies (e.g., the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and state banking supervisors). These agencies have issued bulletins, handbooks, procedural letters and other guidelines (for example, the FRB, OCC, FDIC, OTS and US Department of the Treasury have promulgated the Interagency Guidelines Establishing Information Security Standards) which instruct bank holding companies and their subsidiary banks on how to meet their statutory and regulatory obligations and how to manage and operate their outsourced functions in a "safe and sound" manner, compliant with laws such as the Bank Holding Company Act, the Bank Service Corporation Act, the National Bank Act, the Bank Secrecy Act, the Fair Credit Reporting Act and other consumer protection statutes and regulations.
Bank supervisors look at an institution's outsourced relationships as extensions of the bank itself. The purpose of the agency guidelines is to set expectation levels regarding the quality of controls and risk management policies required to safely transmit sensitive information to outside vendors, and to mitigate the risk that vendor personnel will engage in money laundering or other corrupt practices. Hence, new bank holding companies and their subsidiary banks will be expected to have the internal and external controls, reporting and risk management structures in place with their vendors to ensure that those vendors are supervised similarly to how the banks would manage those functions internally.
Reopening and amending long-standing outsourcing relationships may appear to be a daunting task. However, many outsourcing service providers went through a similar process several years ago when their existing bank customers had to adapt to the newly enacted Gramm-Leach-Bliley Act. These vendors are familiar with what is expected from them and should understand the compliance obligations being imposed by newly converted banks.