Federal banking regulators recently released guidance on managing third-party risk. This guidance literally applies only to national banks, bank holding companies, and banks that are members of the federal reserve system. This excludes many community banks, which are state-chartered, not part of a holding company system or members of the federal reserve system, and regulated by state regulators and the Federal Deposit Insurance Company (FDIC). The FDIC has not joined the OCC and FRB in issuing new guidance on management of third-party risk. But recent actions by the FDIC related to compliance failures suggest that the boards of all community banks should carefully consider the compliance frameworks published by the OCC and FRB.
In one recent action, the FDIC entered into a consent order with Banesco USA, a Florida bank based on a finding of deficiencies in the bank’s practices for anti-money laundering and Bank Secrecy Act compliance. In another consolidated action, the FDIC entered into a consent order with two technology service providers to banks, BSERV of Nevada and Fundtech of New Jersey, for compliance-program deficiencies related to failure to monitor third-party relationships. Although this order is with a vendor and not a bank directly, it underscores the emphasis regulators are placing on compliance programs and vendor oversight.
Of particular note for boards of directors, all three orders stipulated that the board would become more involved in the design, operation, and oversight of the entities’ compliance programs.
For more information, please contact our banking group or call 208.344.6000.