Tag: Bank Service Company Act

25 Jan 2011

Top 5 Compliance Trends for 2011 – Part 3

What do Social Media, Cloud Computing, Virtualization, Data Vaulting, Mobile Banking, and Core Services have in common?  For most community financial institutions, all these products or technologies involve outsourcing, either wholly or in part.

When it comes to offering the latest products and services, outsourcing allows even the smallest institution to compete with the largest.  And outsourcing makes sense, because it means that you don’t have to build and maintain the infrastructure yourself.  As the FFIEC stated in their 2004 guidance, “In many situations, outsourcing offers the institution a cost effective alternative to in-house capabilities.”  But the FFIEC also makes it clear that you are still responsible for the security of the data wherever it may reside.  So given the increased reliance of financial institutions on outside vendors, and the regulators’ expectations, my third regulatory compliance trend for 2011 is:

Vendor Management

This is based on the following criteria:

  • A recent interview with the head of regulatory compliance at the FFIEC made it clear that new technologies like social media require overwhelming reliance on third parties.
  • The FDIC changed Part 5 of their IT Examiners Questionnaire from GLBA to Vendor Management.
  • The largest recent data breaches occurred at third-party vendors (e.g. Heartland), not at the financial institution itself.
  • The Bank Service Company Act requires financial institutions to report all service provider relationships that directly support banking functions.  IT vendors are one of the dependency layers that support the business process, and as such MAY qualify as a direct support component.  I addressed this here.

I had this as a trend for 2010, and I’m carrying it over for 2011 as well.  I believe that there are some very compelling reasons why the regulators will (and should) increase scrutiny in this area as asset quality issues abate.  In the meantime, don’t wait.  Update your vendor management program now.  Include an analysis in your vendor risk assessment to determine if the vendor should be considered “reportable” under the Bank Service Company Act.

And as you request their third-party reviews, bear in mind that the vendor management process will be a bit more challenging this year with the phase-out of the SAS 70 report.  There is some speculation that the new SSAE 16 will become the functional replacement, but be prepared to review and interpret whatever report the vendor provides you.

UPDATE:  For further guidance, refer to the Outsourcing and Supervision FFIEC IT Handbooks.

07 Oct 2010

The 5 trickiest FDIC IT examination questions (part 5).

In my last post, I asked you to weigh in on what question you wanted me to address in this final post of the series.  This one came from a bank that was in the process of actually filling out the questionnaire, and it’s a good one.  It’s found in the Vendor Management section:

“Has the bank identified and reported its service provider relationships (both domestic and foreign-based) to the FDIC (Y/N)?”

At first glance, you may be tempted to interpret this as asking “Has the bank identified and reported its MAJOR or CRITICAL service provider relationships…?”, but the question does not seem to limit your reporting requirement to a particular class or size of service provider.  So are you really obligated to report ALL vendor relationships, from your core provider to your cleaning crew?  Taken at face value, it would certainly seem so.

To figure out exactly what is required, you have to look at the two references listed under the question:

  • “Notification of Performance of Bank Services,” FDIC Rules and Regulations 304.3, and
  • 12 USC 1867, Section 7(c)(2) of the Bank Service Company Act (BSCA)

In researching this, it appeared at first that it only applied to banks that owned more than 1% of a bank service provider.  But upon further review (sorry, it’s football season), Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party “shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first.”  So again, this looks like ALL vendor relationships need to be reported.

However, in a recent interview at bankinfosecurity.com with Donald Saxinger (senior examination specialist with the FDIC), this exact issue was addressed in the context of reporting social media vendors.  Simply put, his response was that a vendor needs to be reported to the regulators only if it provides “banking functions.”  Banking functions are defined in Section 3 of the Bank Service Company Act as:

  • check and deposit sorting and posting,
  • computation and posting of interest and other credits and charges,
  • preparation and mailing of checks, statements, notices, and similar items, and
  • any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution

Using this list as a reference, only core vendors, item processors and outsourced accounting firms fall into these categories.  (Whether or not IT vendors fall into this category will be addressed in a future post.  Mr. Saxinger makes the point that IT vendors are one of the dependency layers that support the business process, and as such MAY fall into one of the categories above, depending on the outcome of your risk assessment.)  To be safe, since there is no penalty for over-reporting, it’s best to report all vendor relationships that even come close to fitting the definition of a bank service company.

So the correct answer is “Yes, we report all of our service provider relationships that provide banking functions to us, as well as any vendors providing a critical dependency to those service providers, as determined by our risk assessment.”  Of course, make sure that you do report them.  The FDIC form is here; other regulators may have their own reporting mechanism.