Just when the banking industry was seemingly recovering from the failure of Silicon Valley Bank (a run fueled in large part by social media), we are again being reminded of how the interconnectedness of the internet exposes organizations, including banks, to business disruptions on a global scale. On July 19, a faulty content update that CrowdStrike pushed to its Falcon sensor crashed Windows hosts worldwide. Although most outage concerns are related to ransomware or hacker attacks, this outage appears to have been caused by a defect in a single vendor content update, not by any attack. For banks, this is a stark reminder of the need for redundancy and business resumption policies.
Third-party risk management is top of mind for the prudential bank regulators. On June 6, 2023, the federal bank regulatory agencies issued final joint Interagency Guidance on Third-Party Relationships: Risk Management (Interagency Guidance), designed to help banking organizations manage the risks of third-party relationships, including relationships with financial technology (fintech) companies. The guidance sets forth principles and considerations for managing third-party relationships at each stage of the relationship life cycle. On May 3, 2024, the federal banking regulators issued Third-Party Risk Management: A Guide for Community Banks to assist community banks in developing and implementing third-party risk management practices. The guide serves as a resource for bank management consistent with the principles set out in the Interagency Guidance and the 2021 guide, Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks. In the wake of the May 3, 2024, issuance, Federal Deposit Insurance Corporation (FDIC) board member Jonathan McKernan suggested the guidance should go further to address situations where a bank delivers products through a service provider, as opposed to merely obtaining services from a service provider. Federal Reserve Vice Chair for Supervision Michael Barr has urged banks to ensure their risk management and legal compliance functions keep pace with innovations in how customers access financial products and services, especially when third parties are involved in providing them.
In addition, a large percentage of the enforcement actions recently issued by the prudential bank regulators have been against banks with substantial fintech relationships, and they cite a lack of oversight and the attendant Bank Secrecy Act/Countering the Financing of Terrorism (BSA/CFT) risks. The April collapse of Synapse Financial Technologies, a middleware provider that sought to serve as a bridge between licensed banks and nonbank entities looking to take deposits and make loans, illustrates the risk. The collapse of Synapse froze numerous transactions and left approximately $85 million in customer deposits unaccounted for, according to the firm's Chapter 11 filings.
Of the seven May 2024 Cease and Desist Orders publicized by the FDIC at the end of June, five related to liquidity, and four contained provisions concerning third-party relationships and BSA/CFT. One of these Orders went as far as to require an information technology audit focused on penetration testing, vulnerability testing and an assessment of information security, as well as updates to the bank's business continuity management plan and third-party security policies to reflect its digital operations. More importantly, the bank's board was required to implement procedures to improve the initial vendor analysis process and to conduct a full-scope test of the business continuity management plan and the incident response plan.
Another Order required a bank's board to review and approve risk tolerance thresholds for individual fintech partners based on an enterprise-wide analysis of each fintech partner's financial projections under expected adverse scenarios, such as a failure like Synapse's. This bank was also required to ensure that its internal controls were sufficient to maintain compliance with BSA/CFT laws and regulations across all products, services, geographic locations, types of customers, business lines and third-party partners, including fintech companies. The Order also addressed the bank's oversight of its Banking-as-a-Service (BaaS) programs, including Loans-as-a-Service (LaaS) programs, requiring that its third-party risk program be sufficient to ensure that the risks posed by fintech partners are properly identified, measured, monitored and controlled, with a documented risk assessment of each fintech partner and a process to verify that third-party partners are meeting the requirements of the bank's BSA/CFT program and policies. The Order further required a plan for monitoring all fintech relationships, including third-, fourth- and fifth-party service providers, for service interruptions, together with a vendor exit strategy and a response process for customers and regulators.
Each of the other two Orders involving BSA/CFT concerned the bank's ability to monitor its own BSA/CFT program, since deficiencies in a bank's program leave it exposed to criticism for its third-party service providers' noncompliance as well.
With the CrowdStrike outage, regulators will focus more closely on BSA/CFT compliance with respect to third-party service providers and on resiliency plans, not only for the bank but also for each service provider, extending down to the fourth and fifth levels. Banks need to be prepared to show that they have tested their contingency plans and resiliency, given the widespread outages financial institutions experienced on July 19 and fears of a Silicon Valley Bank-like customer response.