The financial services market used to be dominated by legacy banks, limiting the role of MSPs. However, as more direct-to-consumer financial services become available outside traditional banking (online banks, cash advances, brokerages, etc.), MSPs are seeing increased demand for their services, and this has caught the eye of federal regulators.
MSPs must practice effective risk management
“There is a real opportunity for MSPs in the financial sector, but there are also genuine risks of fines and penalties if something goes wrong on your watch,” advises Dale Mackey, an independent cybersecurity consultant in Portland, Oregon, who works with MSPs and community banks.
The Office of the Comptroller of the Currency (OCC) recently released its annual Cybersecurity and Financial System Resiliency Report. An independent bureau of the U.S. Department of the Treasury led by the Comptroller of the Currency, the OCC regulates and supervises all national banks, federal savings associations, and federal branches and agencies of foreign banks.
In its report, the OCC clearly outlines concern at the federal level that MSPs can pose a risk to financial clients. “Service providers can pose a significant risk to their bank clients and the banking system if providers have operational or financial issues that affect the delivery of critical services,” the report states.
Increased government oversight means MSPs must have their books in order and have a clear operating plan.
“The feds don’t want to see any third-party providers that look like they are struggling to stay afloat or don’t have a best practice plan already in place,” explains Mackey. Indeed, the OCC’s report states: “Effective risk management for critical third-party relationships is important for safe and sound operations.”
Service provider exam program holds third parties accountable
While the program has been around for a while, the OCC will be emphasizing its “service provider examination program,” which holds MSPs and other third-party entities involved in the banking ecosystem to the same security standards and regulatory rules that the banks themselves are held to. Parts of the program include:
- Examination activities at service providers follow interagency guidelines and use the FFIEC Information Technology Examination Handbook and other applicable guidance.
- Annual strategies are developed for service provider examination activities. The strategies define supervisory goals for a specific service provider based on its risk profile of services provided, including cybersecurity-related activities.
The OCC says that, as with the supervision of banks, examination reports are issued for service providers, and that emphasis will be placed on this going forward.
In recent years, there has been a spate of third-party problems in the financial services sector, resulting in fines, losses, and reputational damage. Here are some headlines from recent years involving third-party-related bank breaches:
- In 2020, Nedbank disclosed a security breach at a third-party supplier that had compromised the details of as many as 1.7 million of its clients.
- U.S. digital bank Dave reported a customer data breach after hackers gained access through a third-party technology supplier.
- In April 2017, Scottrade Bank acknowledged a data breach that exposed the personal information of 20,000 of its customers because a third-party vendor uploaded a file to a server without adequate cybersecurity protection.
- In October 2022, U.S. Bank notified some customers that their personal information had been accidentally shared by a third-party vendor, according to letters posted to the California Attorney General’s website. The incident involved a third-party collections recovery group that accidentally shared the names, addresses, Social Security numbers, birthdays, closed account numbers, and outstanding balances of about 11,000 customers, a U.S. Bank spokesperson told Banking Dive.
“The federal regulators see these breaches and want to bring in the whole supply chain around the banking system, and that is not a bad plan,” Mackey says.
“Whenever I work with MSPs that handle banking clients, I always tell them to look very closely at the software vendors. The more all-under-one-roof they are and the more vetted they are, the less risk, and that is more important today than ever,” Mackey concludes.