The Inspector General suggests more distinct objectives are required for FDIC's supervision of significant third parties.
The Federal Deposit Insurance Corporation (FDIC) is taking steps to enhance its oversight of large third-party providers of banking technology, following a report by the FDIC's Office of the Inspector General (OIG) that highlighted deficiencies in the agency's approach.
Currently, the FDIC lacks clear, measurable goals and metrics to effectively gauge its oversight of these providers. This deficiency limits the agency's ability to determine whether its Significant Service Provider (SSP) Examination Program is achieving its intended purpose in managing risks associated with these third parties.
To address this issue, the FDIC is considering several measures. One such measure is the development of program-level goals and measurable metrics that directly link to the SSP Examination Program's success factors. This would provide a framework to define what programmatic success looks like, enabling assessment of effectiveness and strategic alignment with third-party risk management objectives.
Another proposed measure is increased scrutiny of specific practices, such as "for benefit of" (FBO) accounts used in bank-FinTech partnerships. The FDIC is contemplating regulatory proposals requiring banks to maintain detailed ledgers and conduct daily reconciliations of this third-party account data to better track customer deposits and protect deposit insurance coverage.
The FDIC is also modernising its IT and supervisory processes through initiatives like the IT Modernization Program and the Supervision360 project. These initiatives aim to leverage cloud platforms and improved technology to enhance examination capabilities and efficiency for bank supervision, including third-party risk oversight.
The FDIC is developing a tool called the Inherent Risk Methodology Analysis (IRMA) to risk-rank service providers. Qualitative factors such as a service provider's business line, mission criticality, substitutability of services, and potential impact of disruption should guide the FDIC's prioritization effort once IRMA is implemented.
The OIG's report, published on Tuesday, suggests that developing program-level goals and metrics will help the FDIC address these issues and improve its oversight of third-party service providers. The report also found that the Regional Service Provider Examination Program (RSP Examination Program) lacked goals and metrics to properly evaluate service providers.
Ryan Billingsley, acting director of the FDIC's division of risk management, agrees that the FDIC should develop program-level goals for both the SSP and RSP examination programs, including the finalization and implementation of IRMA. Billingsley wrote that the FDIC appreciates the OIG's diligence and professionalism in its evaluations.
The FDIC's response to the OIG's report indicates a commitment to addressing the issues identified and improving its oversight of third-party service providers. However, formal implementation timelines for some proposed regulations and metric frameworks have not yet been announced.