Last week we notified you about In re Fundtech et al., a joint FDIC/OCC enforcement action against financial services technology service providers. In the Fundtech action, the regulators found that the service providers operated without: (1) an internal auditor or an integrated risk-focused audit program; (2) a comprehensive due diligence program; (3) an enterprise-wide risk assessment program to determine related risks and vulnerabilities of assets; (4) an effective business continuity or disaster recovery plan; (5) effective patch management procedures to identify and address software vulnerabilities; or (6) an effective log review program to detect, identify and act on potential threats in a timely
We believe In re Fundtech signals federal banking regulators' increased focus on risk management and heralds the coming of further enforcement actions against community and midsize banks that do not quickly take steps to comply with the OCC's Oct. 30, 2013, Guidance on Third-Party Relationships ("the Third-Party Guidance"). The Third-Party Guidance directs national banks and federal savings associations on how to assess and manage risks associated with third-party
The Third-Party Guidance requires comprehensive supervision through each phase of a bank's relationship with third parties, including, but not limited to, loan servicers, underwriters, consultants, subsidiaries, payment processors, and computer network and security contractors. The guidance is not strictly prescriptive. Rather, in keeping with other regulatory guidance in this area issued by the FFIEC and the SEC, the guidance instructs banks to adopt risk-based processes proportionate with the level of risk inherent in the third-party relationship. This means detailed oversight of "critical activities" and less oversight of
The Third-Party Guidance is detailed and provides in-depth direction for monitoring third-party relationships. Effective third-party risk management programs will include the following:
Due Diligence and Third-Party Selection
Oversight and Accountability
Documentation and Reporting
We expect small to midsize banks will face increased pressure to meet these goals quickly and economically. McGuireWoods LLP's community banking, data privacy and security, procurement and sourcing and regulatory lawyers have experience helping financial services clients create, implement and sustain risk-based third-party relationship monitoring programs efficiently, and we are prepared to help guide our clients through this era of increased regulatory burden.