Providing an important reminder for financial institutions, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency entered into a joint cease and desist order (by consent) with two technology service providers based on “unsafe or unsound banking practices” in the performance of their services.
The action comes on the heels of guidance issued by the OCC offering national banks advice on third-party risk management (covered in our previous newsletter).
Las Vegas-based BServ and New Jersey’s FUNDtech Corporation both offer technology services for financial institutions. But the FDIC and OCC stated that they “had reason to believe [the companies] engaged in unsafe or unsound banking practices in the performance of the services that [were provided] to insured depository institutions.”
The consent order listed six examples of how BServ and FUNDtech did so:
- “Operating without an internal auditor or an integrated risk-focused audit program, with no effective process to ensure that all high-risk areas [were] audited;
- Operating without a comprehensive due diligence program or formalized policies and procedures to monitor, measure, and evaluate vendor risk or determine which vendors [had] access to non-public customer information;
- Operating without an enterprise-wide risk assessment to determine related risks and vulnerabilities of assets throughout the company;
- Operating without effective business continuity or disaster recovery planning;
- Operating without effective patch management procedures to identify and address software vulnerabilities; and
- Operating without an effective log review program to detect, identify, and act on potential threats in a timely manner.”
Pursuant to the order, the vendors’ boards of directors must take a more active role, assuming full responsibility for establishing policies and supervising the companies’ activities. New management must be hired (including an independent Internal Auditor and a senior Vendor Management Coordinator), and new programs and procedures must be put in place, from audit and vendor management programs to a full information security risk assessment.
BServ and FUNDtech are also required to provide quarterly progress reports to their client banks and to the agencies.
The consent order was entered in In the Matter of FUNDtech Corp.
Why it matters: The agencies’ action and consent order reinforce the message that regulators are keeping a close eye on financial institutions’ third-party relationships, and that the deficiencies they cite (audit, vendor due diligence, enterprise risk assessment, business continuity, patch management, and log review) are the same controls a bank is expected to verify in its own service providers. Financial institutions and their vendors would be well advised to review the OCC’s guidance and take it into account to ensure compliance.