On December 21, the Office of Inspector General (OIG) of the FDIC issued its audit memorandum on the FDIC’s Regional Service Provider (RSP) Examination Program. The OIG’s objective was to assess the effectiveness of the FDIC’s RSP Examination Program related to third-party risks to banks, including for compliance with interagency service provider guidance (we discussed this final guidance in a previous blog post here).
Under its RSP Examination Program, the FDIC examines RSPs to evaluate their overall risk exposure and risk management performance, and determine the degree of supervisory attention needed to ensure weaknesses are addressed and risks are properly managed by the banks using these RSPs. Here, RSPs are smaller in size, less complex, and provide services to banks within a local region.
Overall, the OIG found that the FDIC has not formally established performance goals, metrics, and indicators to measure overall program effectiveness and efficiency. As a result, the OIG was unable to conclude on the program’s effectiveness; however, it identified opportunities to improve the RSP examination program: (1) monitor reports of examination distribution timeliness; (2) comply with examination frequency guidelines; (3) provide additional guidance on how to use RSP examinations in support of the FDIC’s IT Risk Examination program; and (4) establish a comprehensive inventory of FDIC‑supervised bank service providers and the financial institutions serviced. The OIG recommended that the FDIC conduct a formal assessment of the RSP examination program to establish program-level goals, metrics, and indicators and determine whether additional resources and controls are needed to improve the effectiveness of the program, as identified in the memorandum. The FDIC agreed to take action on the recommendation by December 31, 2024.
Putting It Into Practice: In light of this recent audit calling attention to the FDIC’s RSP Examination Program, we are likely to see an uptick in service provider examinations, specifically of fintechs partnering with banks. We have already seen increasing enforcement from bank regulators based on bank and fintech partnerships with additional requirements for banks to implement stricter oversight of their fintech partners (see here, here, and here). Fintechs and other non-bank companies should be aware of the potential of increased oversight on their bank-fintech relationships, and diligently address the points in recent interagency guidance.