Recently, Fidelity National Information Services, Inc. (FIS), a company providing payment processing and other services to banks and other financial institutions, reportedly was the subject of a critical assessment by the FDIC. The FDIC report comes in the aftermath of a 2011 security breach at the company and a subsequent examination by the FDIC, OCC, and the Federal Reserve Bank of Atlanta. According to the report, the FDIC demanded that FIS immediately address eight issues, including risk management and information security issues. The FDIC allegedly also stated that actions taken by the company to date were insufficient given the regulatory concerns and weaknesses identified by the FDIC. The NCUA received the FDIC report and forwarded it to credit unions with an advisory note to use the report in managing vendor relations with FIS. The report on FIS comes as regulators are placing enhanced scrutiny on financial institutions’ relationships with third-party service providers. In April, the CFPB issued Bulletin 2012-03, providing guidance to regulated entities on the oversight of business relationships with service providers. The CFPB bulletin states that “[t]he CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships” and lists specific minimum steps that should be a part of service provider oversight.
On December 5, the California Department of Corporations issued Bulletin No: 001-12 to caution lenders and other institutions about the vetting and management of third-party service providers. The bulletin explains that in response to guidance from the CFPB earlier this year regarding supervision of vendors, third-party risk management companies have emerged to pre-screen potential vendors for bank and nonbank financial service providers. The bulletin generally advises lenders to be cautious about delegating vendor vetting to third parties and mindful of their ultimate responsibilities for such vendors. The bulletin specifically (i) reminds escrow agents of the prohibition in California Financial Code section 17420 against the payment of referral fees for soliciting escrow accounts, (ii) advises lenders that mandating the use of a particular service provider on a third-party risk management company’s list, or prohibiting the use of a service provider not appearing on such list, may be violating the California Buyer’s Choice Act, and (iii) highlights potential RESPA violations and unfair business practices.