Proving an important reminder for financial institutions, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency entered into a joint cease and desist order with two technology service providers based on “unsafe or unsound banking practices” in the performance of their services.
The action comes on the heels of guidance issued by the OCC offering national banks advice on third-party risk management.
Las Vegas-based BServ and New Jersey’s FUNDtech Corp. both offer technology services for financial institutions. But the FDIC and OCC determined that the agencies “had reason to believe [the companies] engaged in unsafe or unsound banking practices in the performance of the services that [were provided] to insured depositor institutions.”
The consent order listed six examples of how BServ and FUNDtech did so:
Pursuant to the order, the vendors are required to increase the participation of their boards to take on full responsibility for establishing policies and supervising the companies’ activities. New management must be hired (including an independent Internal Auditor and a senior Vendor Management Coordinator) and new programs and procedures put in place, from audit and vendor management programs to a full information security risk assessment.
BServ and FUNDtech also promised to provide progress reports to client banks and the agencies on a quarterly basis.
Why it matters:
The agencies’ action and consent order reinforces the message that regulators are keeping an eye on financial institutions’ third-party relationships. Entities would be well advised to review and take into account the OCC’s guidance so as to ensure compliance.