
Time to Admit the Limits of the Bank Service Company Act

Written by Heidi Richards

Heidi is a regulatory strategist and former senior financial services regulator. She led the policy function at the Australian Prudential Regulation Authority (APRA), where she implemented major pillars of international banking policy and financial sector regulatory reforms. As an independent consultant, Heidi now advises financial institutions, fintech and regtech start-ups and government agencies on regulatory strategy. She has conducted research into open banking and was appointed as the independent reviewer of Australia's credit reporting framework. Previously, she held senior roles across banking, payments and securities regulation at the US Federal Reserve, the US Treasury and the Reserve Bank of Australia.

After the failure of major fintech partner Synapse, some commentators are calling for US banking regulators to get more directly involved in overseeing fintechs and other technology providers, using powers under an obscure law - the Bank Service Company Act (BSC Act). 

Is this law even still relevant? What are the policy implications of a more activist regulatory approach with respect to tech companies or those that have managed to manoeuvre themselves to stay just outside the traditional bank regulatory perimeter? Could the banking regulators even take this on effectively?

The BSC Act and how it is administered today

In the late ’50s and early ’60s, small banks were setting up joint ventures to take advantage of processing efficiencies in check clearing and other operational tasks, to help them compete against larger banks. This was the birth of the outsourcing trend, and regulators started to take note.

The original 1962 BSC Act required the banks to contractually ensure regulator access to their service companies. Bank services that were covered by the law included all manner of accounting, clerical and payment services, whether in paper or electronic form. 

The IT examination program

As well as outsourcing of operations, computers in banking were perceived as a seismic shift - the AI of the 1960s. Only a few years later, the FDIC was developing an examination program to review bank systems and technology-related risks.[1]

This resulted in the federal banking agencies training a specialized cadre of “EDP” bank examiners.[2] There are probably around 600 of these examiners out of an estimated 10,000 federal bank examiners in total.[3]

For more than four decades, IT examiners have had a separate career track, as well as their own examination procedures and bank risk rating system. They schedule their own exams and issue their own examination reports to banks. 

As smaller banks that could not afford in-house IT expertise increasingly used software developed by specialised vendors, or shared platforms, IT examiners naturally looked to better understand these activities and their risks to bank clients. The BSC Act was strengthened in 1978 to provide more direct regulatory authority over third-party service providers. 

With the expanded authority, federal bank examiners started visiting these vendors directly to “kick the tires.” Service provider visits over time became formal examinations with reports and findings, and came to cover over two hundred bank technology vendors of various types. 

Originally, this was probably an efficiency measure, where examiners could leverage information from one client bank examination for another. But it came to be seen by examiners as a critical pillar in managing perceived risks in banks' use of third parties, and in particular, concentration risks in relying on a few large vendors.

The FFIEC and the MDPS program

The Federal Financial Institutions Examination Council (FFIEC) was established in 1979 to run training programs and coordinate policy and supervision activities across the federal banking agencies (and also maintains the excellent and publicly accessible bank Call Report database). 

The FFIEC IT Subcommittee, with representatives from each agency, was set up to deal with technology matters, at that time considered an arcane area which most 'safety and soundness' policy and supervision staff would rather not touch. The IT Subcommittee collaborated to produce the FFIEC IT examination handbook, which, to this day, remains the IT examiner’s bible and covers the methodologies for third-party service provider examinations. 

The Subcommittee’s mandate included responsibility for "promoting interagency coordination and cooperation in matters concerning the examination of data processing operations providing automated services to federally regulated financial institutions.”[4]

By 1982, the core of the inter-agency efforts was focused on the MDPS (Multi-Regional Data Processing Servicer) program.[5] The MDPS program comprised the largest, nation-wide bank tech vendors, including core banking platform providers, payment processors and even some of the major global payment networks. The actual list of MDPS companies has never been published, but the number has fluctuated in the range of 12-20.

The MDPS companies were complex organizations, often with systems that were equally as sophisticated as the largest banks. 

An aside: there is an unwritten pecking order within regulatory agencies. The highest status examiner roles lead the supervision programs for the largest commercial banks. Below them are leads for mid-size and regional banks, and further down are specialist risk examiners who are typically rotated to help out on bank safety and soundness examinations. 

For an IT examiner, leading an MDPS review conferred the status equivalent to being the examiner-in-charge for a large money-center bank. So these lead agency assignments were jealously guarded.

The banking agencies distributed the service provider reports of examination to client banks only, and neither the bank nor the service provider was allowed to disclose any aspect of these examinations. This was due to the (probably very well founded) fear that service providers would use federal examination as a marketing advantage and regulatory 'good housekeeping seal of approval.' There were occasionally service providers who pushed back on being examined, but as far as I know this was never formally tested. 

In the late 1990s, I was a bright-eyed, newly promoted manager of the IT supervision program at the Federal Reserve Board, and sat on the FFIEC IT Subcommittee. There were concerns within the Fed that these examinations were not adding a lot of value. My marching orders were to try to scale back the program or at least focus it on real, not just theoretical, risks.

This was the Greenspan era, so there was a general anti-regulation sentiment at play. But there were also concerns about expanding the scope of regulatory accountability into areas that the agencies were not staffed or funded to cover. IT examiners with often dated technical skills were waltzing into global tech companies every few years, and telling them how often to change passwords (only a slight exaggeration).

The other agencies were less keen to make any real changes to the program. We did eventually manage to reach agreement on an examination schedule based on some objective risk indicators, resulting in this guidance on risk-rating of service providers issued in 2001: 

But whether this led to any real improvements in the program is doubtful. It appears that in 2018 the MDPS program was restructured and renamed, and little public mention can be found of it today. Was the service provider examination program ever really an important part of the bank supervision framework? Or just a training ground for IT examiners?

The BSC Act in action

Aside from the examination program, there is very limited tangible evidence of how the agencies have used the BSC Act authority.

The Act was amended to give the federal banking agencies explicit authority to issue administrative rules. They issued a rule in 2021 requiring service providers to notify the relevant federal banking regulators in the event of a cybersecurity incident.[6] This seems a sensible use of this power.

There have also been a few public enforcement actions. In 1999, the federal banking agencies jointly agreed an undertaking with First Data to remedy Year 2000 deficiencies.[7] Then in 2016, Jack Henry, a major bank software vendor, was cited for ‘unsafe and unsound practices’ in its disaster recovery and business continuity planning and processes.[8]

These actions were public written agreements, a softer form of enforcement. It is by no means clear that other harsher enforcement actions typically used by banking regulators, such as civil penalties or cease and desist orders, could be applied. As was seen in the Synapse case, the FDIC does not have any authority to force a failing service provider into administration or take over its operations.

How effective has the BSC Act been in practice?

There have been a few internal reviews touching on service provider examinations, which have tended to paint a picture of a program that is administered in a fairly ad hoc way, without clear governance and accountability. These reviews tended to focus on administrative matters rather than program effectiveness, however. 

At the Fed, the OIG in 2017 found that there was no formal oversight or governance structure for the MDPS program, and that examiners lacked guidance on how to apply the Bank Service Company Act in "today’s environment." 

At the FDIC, a 2023 OIG audit found the agency had “not formally established performance goals, metrics, and indicators to measure the overall program effectiveness and efficiency.” The process to distribute examination reports to serviced banks took up to 6 months. As a result “these reports are often outdated or no longer useful once received.”[9]

The very limited rule-making and enforcement experience suggests that the BSC Act has not been used to its original potential.

Could the BSC Act be used to regulate fintechs and other technology partners?

As should be evident from the previous commentary, my view is: not likely, under the current framework, due to:

  • Constraints on resources and expertise. Given what we know about the methodology of traditional IT examinations and IT examiners, the banking agencies are not well placed to assess risk and risk management at highly sophisticated global technology companies or innovative fintech start-ups. Even if adequate resourcing were available, effective oversight would require wholesale revamp of the governance, policy design and risk methodologies. 

  • Current regime lacks boundaries or accountability. Expanding the reach of the federal banking regulators into unregulated industries without any transparency, accountability or even clearly defined objectives is the worst kind of scope creep. For example, the scope of ‘bank services’ would need to be clarified in a modern context, and the objectives and nature of enforcement powers set out in legislation. 

  • Significant implications of extending the regulatory perimeter. Enthusiastic application of BSC Act powers could vastly expand the bank regulatory perimeter well into the technology industry. In addition to adverse impacts on commercial incentives, distraction of regulators onto non-core issues is widely regarded as an underlying contributor to past bank failures.

So how could the BSC Act be used?

In my view, the BSC Act authority can be useful to achieve narrowly targeted and well-defined aims. The 2021 rule requiring incident reporting by service providers is a good example of where use of the BSC Act authority seems appropriate: directed at a specific information access problem and imposing minimal ongoing compliance burden. 

The BSC Act could be more effective as a sort of emergency crisis intervention power, rather than an ongoing regulatory program. The banking agencies should have clearer authority to intervene if a service provider, particularly one that deals directly with end-customers, is in trouble - to compel timely production of information, cancel contracts or even to take over operations of a failing company. 

Conclusions

The Bank Service Company Act is not a silver bullet to manage risks at the bank-technology perimeter. The authority has not been exercised effectively and has instead spawned opaque regulatory programs with little demonstrable public benefit. This is not to say it couldn't be revamped to be much more useful. But this would take a rethink of its powers and scope, and an overhaul of the implementing infrastructure.

The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.

[1] KA Randall, FDIC Chairman, speech “The Significance of Automation for Bank Supervision and Bank Examination,” FDIC, 1968.

[2] Electronic Data Processing, though the term was quickly replaced by the now-familiar “IT” examiner.

[3] Based on attendance at annual IT supervisors conference, FFIEC 2023 Annual Report, p. 28.

[4] FFIEC 1980 Annual Report p. 9. https://www.ffiec.gov/PDF/annrpt80.pdf

[5] Kopchik, Jeff and Donald Saxinger (FDIC staff) “From the examiner’s desk: The evolution of bank information technology examinations,” summer 2013.

[7] Agreement between First Data Corporation and the Federal Banking Agencies, 30 March 1999. https://www.federalreserve.gov/boarddocs/press/enforcement/1999/19990330/Attachment.pdf

[8] Agreement by and between Jack Henry & Associates, Inc. and the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Federal Reserve Bank of St. Louis, November 13, 2013. https://www.federalreserve.gov/newsevents/pressreleases/files/enf20140311a1.pdf

[9] FDIC Office of the Inspector General, “Implementation of the FDIC’s Information Technology Risk Examination (InTREx) Program,” January 2023.
