As regulators pressure banks to strengthen oversight of their "critical" vendors, many are scrambling to adjust their contracts, reporting, systems and staffing.
In interviews, executives at several vendors to the financial services industry expressed levels of concern that vary according to their size and experience with examiners. But even those who have long been subject to scrutiny say they are getting more questions from customers and staffing up to deal with the added compliance chores.
Some vendors say regulators are taking vendor risk more seriously than ever before, and expect the issues they raise in their exams to be addressed immediately. Others report that the new rules have dramatically elongated their sales cycle. There are even those who say they are just doing what they've always done, but with larger staffs and greater resources devoted to compliance.
"The regulators are very serious and they are raising the bar in terms of their expectations of banks and key technology service providers to safeguard U.S. financial systems," says Edward Ho, president of Fundtech, a payment processing company based in Jersey City that works with more than 400 banks, credit unions and government-sponsored entities.
The major bank regulators, including the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corp. and the Federal Reserve, have all issued updated rules in recent months that require banks to step up their oversight of third-party vendors deemed crucial to their operations. That includes risk-scoring them, micro-analyzing their numbers, and conducting on-site audits.
Some vendors have already been caught up by the higher expectations. Fundtech received a consent order from the Office of the Comptroller of the Currency in December, based on an exam conducted the year before, prior to Ho's arrival.
The consent order says Fundtech lacked formalized vendor risk policies and procedures and an enterprise-wide asset risk assessment. It also found the company's business continuity planning, patch management and log review programs to be inadequate.
Ho, who was recruited by Fundtech's private equity owners in 2013, says the company has made the fixes sought by regulators. A March exam went well with no significant comments, according to Ho, but the order can't technically be terminated until the fourth quarter of 2014.
"Banks and tech service providers need to pay sufficient attention and respect to the regulators' requests and respond without delays, to show they are serious," Ho says. "The organization has to be focused at the highest level on remediation efforts."
One item regulators are looking for is true independence of functions such as compliance and security. "I think we're at the forefront of a wave of intense scrutiny by regulators," Ho says.
Overall, small vendors seem far more concerned with the new rules than large ones.
"I have started to see this elongate my sales cycles," says Jeff Sant, executive vice president, Primatics Financial, a maker of software that automates stress tests. "I was in the midst of negotiating a deal, and a new policy was written at the bank, and we had to start over."
Sant says he believes the new rules favor larger companies with the staff and resources to deal with more compliance. He worries that the new standards are thwarting innovation.
"Innovation comes up through these tertiary companies," he says. "The more you make it difficult for innovation to enter this space, you're going to lose something."
The same dynamic will adversely affect small banks, which can't deal with the cost of regulations and are used to a simpler process of vendor selection and management, according to Sant.
"Smaller banks are used to going out to dinner and signing something on a piece of napkin," he says.
One aspect of the revised rules that's tough on smaller vendors is the need to show financial stability, Sant says.
"We grow 30% a year, we look different every year," he explains. "You're not going to have a lot of small vendors who can show five years of steady growth and low leverage."
But the risk-scoring and on-site audits don't concern Sant, because, as a vendor to large banks, Primatics already does them.
Other large vendors used to working with bigger banks say they're used to strict regulations. Jacksonville, Fla.-based FIS, for instance, is already regulated as a technology service provider by the Federal Financial Institutions Examination Council's multiregional data processing program.
"I think we're in a good position to address the requirements," says Greg Montana, chief risk officer at FIS, which is the largest vendor of core banking technology to U.S. banks.
At the same time, Montana has expanded the company's compliance efforts as a result of regulators' intensified focus on vendors. FIS has had a dedicated risk information security and compliance program in place for nearly three years. The company has hired executives from Bank of America, Wells Fargo, AT&T and Verizon, as well as former regulators and law enforcement officers, into the program.