The Office of Inspector General of the Federal Deposit Insurance Corporation has issued its audit memorandum on The FDIC’s Regional Service Provider Examination Program.
Banks routinely rely on third parties for numerous activities, including information technology services, accounting, compliance, human resources, and loan servicing. Under the Bank Service Company Act, the FDIC has the statutory authority to examine third‑party entities (or “service providers”) that provide technology services to its regulated financial institutions. Specifically, the Act states that the services authorized under the Act are “…subject to regulation and examination …to the same extent as if such services were being performed by the bank itself on its own premises.”
The FDIC conducts examinations of service providers to evaluate their overall risk exposure and risk management performance, and determine the degree of supervisory attention needed to ensure weaknesses are addressed and risks are properly managed by the financial institutions using these service providers. The FDIC performs service provider examinations using two risk tiers: Significant Service Providers and Regional Service Providers (RSP). Our audit focused on RSPs, which are smaller in size, less complex, and provide services to banks within a local region.
The audit objective was to assess the effectiveness of the FDIC’s RSP examination program related to third-party risks to financial institutions. These examinations are typically performed jointly with the Federal Reserve Board and Office of the Comptroller of the Currency, and in compliance with interagency guidance established by the Federal Financial Institutions Examination Council.
Overall, we found that the FDIC has not formally established performance goals, metrics, and indicators to measure overall program effectiveness and efficiency. As a result, we were unable to conclude on the program’s effectiveness; however, we identified opportunities to improve the RSP examination program. Specifically, we identified several opportunities to improve the RSP examination program: (1) monitor reports of examination distribution timeliness; (2) comply with examination frequency guidelines; (3) provide additional guidance on how to use RSP examinations in support of the FDIC’s InTREx program; and (4) establish a comprehensive inventory of FDIC‑supervised bank service providers and the financial institutions serviced.
We recommended that the FDIC conduct a formal assessment of the RSP examination program to establish program-level goals, metrics, and indicators and determine whether additional resources and controls are needed to improve the effectiveness of the program, as identified in the memorandum. The FDIC agreed to take action on the recommendation by December 31, 2024.