Last week we notified you about
In re Fundtech et. al., a joint FDIC/OCC enforcement
action against financial services technology service providers. In
the Fundtech action, the regulators found that the service
providers operated without: (1) an internal auditor or an
integrated risk-focused audit program; (2) a comprehensive due
diligence program; (3) an enterprise-wide risk assessment program
to determine related risks and vulnerabilities of assets; (4) an
effective business continuity or disaster recovery plan; (e)
effective patch management procedures to identify and address
software vulnerabilities; or (f) an effective log review program to
detect, identify and act on potential threats in a timely
We believe In re Fundtech signals federal banking
regulators' increased focus on risk management and heralds the
coming of further enforcement actions against community and midsize
banks that do not quickly take steps to comply with the OCC's
Oct. 30, 2013, Guidance on Third-Party Relationships
("the Third-Party Guidance"). The Third-Party Guidance
directs national banks and federal savings associations on how to
assess and manage risks associated with third-party
The Third-Party Guidance requires comprehensive supervision
through each phase of a bank's relationship with third parties,
including, but not limited to, loan servicers, underwriters,
consultants, subsidiaries, payment processors, and computer network
and security contractors. The guidance is not strictly
prescriptive. Rather, in keeping with other regulatory guidance in
this area issued by the FFIEC and the SEC, the guidance instructs
banks to adopt risk-based processes proportionate with the level of
risk inherent in the third-party relationship. This means detailed
oversight of "critical activities" and less oversight of
The Third-Party Guidance is detailed and provides in-depth
direction for monitoring third-party relationships. Effective
third-party risk management programs will include the following
Due Diligence and Third-Party Selection
Oversight and Accountability
Documentation and Reporting
We expect small to midsize banks will face increased pressure to
meet these goals quickly and economically. McGuireWoods LLP's
community banking, data privacy and security, procurement and
sourcing and regulatory lawyers have experience helping financial
services clients create, implement and sustain risk-based
third-party relationship monitoring programs efficiently, and we
are prepared to help guide our clients through this era of
increased regulatory burden.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
A federal district court in Minnesota recently held that the Bank Secrecy Act permits the Financial Crimes Enforcement Network to bring suit against individuals for willfully violating the BSA's AML program requirement.
Regulators were busy at the end of 2015, especially in the United States, perhaps being motivated to push forward new rule proposals in anticipation of a change in administration after the presidential elections later this year.
There is a generally subscribed to notion that "my bank or mortgage company" will not be held accountable for compliance and will not be the subject of close regulatory scrutiny given its business model, size, history, etc.
On January 15, 2016, the Consumer Financial Protection Bureau Office of Enforcement asserted that claims pursued in administrative enforcement actions are not subject to the three-year statute of limitations...
On January 14, 2016, the Basel Committee on Banking Supervision (BCBS) published a final rule for minimum capital requirements for market risk as a conclusion to the BCBS' fundamental review of the trading book or, as it is commonly known, the FRTB.