FDIC needs to improve oversight of third parties: Watchdog

The Federal Deposit Insurance Corp. does not have a clear way to measure whether its oversight of big third-party banking technology providers is actually working, according to a watchdog audit.

The August audit by the FDIC's Office of Inspector General found that the agency has taken certain steps to improve its oversight of the tech providers, such as creating a comprehensive provider inventory and updating provider examination timelines. But the OIG said these efforts do not yet clearly define programmatic success or enable the agency to measure outcomes.

Without clear goals and metrics, the FDIC "has limited assurance" that its program, known as the Significant Service Provider Examination Program, "is achieving its intended purpose," the OIG said in a report.

"Developing program-level goals and metrics will allow the FDIC to define programmatic success, measure the effectiveness of the SSP Examination Program, and support the FDIC's efforts to achieve its strategic objectives related to risk management for third-party service providers."

The Bank Service Company Act gives the FDIC, the Federal Reserve, and the Office of the Comptroller of the Currency the power to examine third-party companies, assessing how much risk those providers pose, how well they manage that risk and whether regulators need to step in.

Between 2020 and 2023, bank regulators examined 16 significant service providers, conducting 12 to 15 exams each year. After each exam, the agency issues a report detailing its findings, recommendations, and an information technology risk management rating. If a provider earns a poor score, banks are notified so they can adjust accordingly.

Technology vendors play an important role in keeping banks' various operations running. If a third-party provider fails or falls victim to a cyberattack, it can cause substantial disruptions.

The FDIC classifies technology vendors in two tiers: Significant Service Providers, which pose higher risk, and Regional Service Providers, which are smaller and less complex. But the OIG found that the FDIC's current approach to choosing which providers to examine, and how often, is too subjective and poorly documented.

The FDIC is in the process of developing a new tool, called an Inherent Risk Methodology Analysis, that would bring more rigor by evaluating and ranking vendors on metrics such as the number of client banks, asset size, payment volume and fungibility (how readily a provider could be replaced). The agency will need to finish updating its processes before it can effectively evaluate whether it is targeting the riskiest providers or using its resources wisely, the OIG said.

The audit also found that banks often receive outdated examination reports. In response to a December 2023 OIG report, the FDIC is developing new guidance that establishes a 45-day turnaround and a tracking process for reports on service providers.

The most recent OIG report recommends that the agency finalize and implement program-level goals, metrics, and the new Inherent Risk Methodology Analysis framework for oversight of both significant and regional providers. The FDIC agreed to the recommendation and is set to complete the work by March 31, 2026.

The report follows cybersecurity incidents this year in which financial regulatory agencies themselves were targeted, highlighting the ongoing vulnerability of federal systems, particularly where they rely on third-party services.

In January, hackers allegedly linked to the Chinese government infiltrated the Treasury Department's systems via a third-party vendor's cloud-based remote support service.

The Treasury breach was notable because the intruders operated as an advanced persistent threat, the kind of attacker that aims to remain undetected inside a system for months while gradually transferring sensitive information out of it.

Separately, the OCC experienced a significant email system security breach, announced in April, in which a high-level user account with administrative privileges over the agency's email system was accessed. The breach revealed highly sensitive information about one OCC-regulated bank.
