State regulators push bill to coordinate exams of third-party service providers
WASHINGTON — State banking regulators are pushing Congress to pass legislation to allow state and federal regulators to coordinate on examinations of banks’ third-party technology service providers in certain states.
The Conference of State Bank Supervisors is supporting a bill introduced by Rep. Roger Williams, R-Texas, that would amend the Bank Service Company Act, which authorized federal regulators to examine third-party technology service providers to assess the potential risks they pose to individual client banks and the broader system.
The bill, which is set to be marked up by the House Financial Services Committee on Tuesday, would eliminate duplication in exams of third-party technology service providers and reduce regulatory burdens, according to the CSBS.
“Exam coordination and improved information sharing among state and federal regulators will allow regulators to use limited resources more effectively to avoid duplicative examinations and reduce regulatory burden,” John Ryan, the president and chief executive of the bank supervisor group, said in a letter to Williams.
Banks partner with third-party technology service providers to outsource certain banking services, such as process and management services for loan and deposit taking, payment services, information technology security and testing, and call centers.
Currently, 38 states have the authority to examine third-party technology service providers, or TSPs. But the Bank Service Company Act did not create a new authority at the state level and is “silent” regarding the roles of state banking regulators, the CSBS said.
“The BSCA silence results in duplication and inefficient supervision,” Ryan said in the letter. “Amending the BSCA to appropriately reflect states’ authority to examine TSPs will improve state-federal coordination and information sharing and promote more efficient supervision of TSPs that provide critical services to a broad range of banks.”
The group says the response by state regulators to the Equifax data breach highlights the value of coordination between state and federal regulators.
Several states initiated exams of Equifax to evaluate its cybersecurity, internal audit, risk management and controls after the breach was disclosed. Last month, several state financial regulatory agencies entered into a consent order with Equifax requiring the company to restructure its risk management processes, strengthen internal controls and processes, and enhance oversight by the company’s board on the information security program.
In its 2017 annual report, the Financial Stability Oversight Council also suggested that federal regulators coordinate with states in examining third-party service providers.
“The authority to supervise third-party service providers continues to vary across financial regulators,” the report said. “The Council recommends that Congress pass legislation that grants examination and enforcement powers to the SEC, CFTC, FHFA, and NCUA to oversee third-party service providers and encourages coordination among federal and state regulators in the oversight of these providers. This will both reduce potentially conflicting and duplicative regulatory oversight and promote more consistency in cybersecurity.”