Could federal banking agencies do more to oversee the risks posed by third-party companies?
While federal bank regulators mostly focus on chartered financial institutions, they have the power to examine third parties that have significant relationships with banks. But given the explosion of providers serving the industry and the pace of technological change, some are raising questions about the effectiveness of those exams, which are secretive and limited in number.
More than 50 years ago, Congress passed the Bank Service Company Act, which stipulates that bank regulators may supervise the services that a third party performs on behalf of banks. The BSCA led to the creation of what’s today known as the significant service provider exam, the framework of which is outlined in a 2012 exam booklet from the Federal Financial Institutions Examination Council.
The SSP exams focus on the “largest, systemically important” service providers and are performed on an interagency basis by the Federal Deposit Insurance Corp., the Federal Reserve and the Office of the Comptroller of the Currency. The concern is that a data breach, operational issue or bankruptcy of a large, third-party firm would impact a significant number of financial institutions.
Jay Gallagher, senior deputy comptroller for supervision risk and analysis at the OCC, says a firm’s scale, magnitude and exposure to the banking system can merit supervision and that it’s a “constant process of reevaluating” how to rank firms for supervision. He adds that the agencies examine between “a dozen and 20” providers in the “significant” program and between 50 and 100 in the OCC’s exam program for “regional” service providers.
The list of examined companies is private. There are hints as to their identities, though. A Duke Law Journal 2024 paper on the subject found 14 firms disclosed supervision under the BSCA: They include the three major cloud service providers, several payment processors, the neobank Chime Financial and one core provider, Jack Henry & Associates.
The SSP’s report of examination includes an open section with significant findings and conclusions, which is available to existing bank clients of the service provider. But there may be some inconsistency and confusion around this practice. In an October 2024 comment letter to regulators, the Independent Community Bankers of America wrote that some members were “simply unaware” that exam findings were available or had been told by field examiners they must proactively request them. Some found the report was 24 months old when they received it and contained “stale” information. The confidential nature of exam findings means that prospective bank clients can’t receive exam findings and must move forward in their due diligence without them.
For bank regulators, Gallagher says there is a concern the exam could be perceived as an endorsement or a seal of approval: a firm might include it in its marketing, or financial institutions might opt to work with a firm that is examined over a competitor that is not.
The exam, which has a cadence of 24, 36 or 48 months, is risk-based and touches on a number of risk areas at the service provider, with an overarching focus on information technology. SSP exams are “a very deep, burdensome, costly experience” for the examined entity, says Alexandra Steinberg Barrage, a partner at Troutman Pepper Locke. At a prior firm, she represented a cloud service provider that was examined. Questions outside of IT and information security cover audit, compliance, governance and change management, she says.
Last year, Federal Reserve Governor Michelle Bowman called the Bank Service Company Act a “potentially underused tool” that regulators could use to exercise more oversight of third parties. But the BSCA hasn’t been updated since it was written in the 1960s and there has been “limited rulemaking” done under the act, mostly implementing recordkeeping requirements, according to the 2024 paper.
Steinberg Barrage also points out that the SSP exam manual hasn’t been formally updated since 2012. She says if regulators aren’t going to publish specific rules about how banks can partner with fintechs, they could offer the industry “a set of modernized exam manuals” that are broadened to include more types of service providers, as compared to the narrow band of providers that the exam focuses on today.
For his part, Gallagher at the OCC knows that the significant service provider program and the BSCA are of interest to the industry. Ultimately, those exams are but one limited tool for overseeing a growing plethora of service providers that want to work with banks. Even in 2012, the FFIEC was thinking about this: The exam manual states client banks must conduct due diligence on service providers, even if the banking agencies examine a service provider.
Apparently, when it comes to third-party risk management, banks can’t do the regulators’ job, and the regulators can’t do the banks’ job.