The Office of the Comptroller of the Currency received “an earful from bankers and examiners” after issuing a request for information last November on community banks’ engagement with core service providers, according to Banking Dive. Comptroller Jonathan Gould highlighted concerns about the “very uneven” commercial negotiating relationship between smaller banks and major providers like Fiserv, Fidelity National Information Services, and Jack Henry & Associates during the American Bankers Association’s Washington summit.
This regulatory scrutiny signals a shift that community bank CTOs and compliance officers need to prepare for now. When regulatory investigations into core provider relationships intensify, banks that document their vendor management processes properly will fare better than those scrambling to compile evidence after the fact.
Why This OCC Investigation Matters More Than Previous Vendor Reviews
According to Banking Dive, the three largest core providers are Fiserv, Fidelity National Information Services and Jack Henry & Associates, with nearly 20 other companies providing core services in the U.S. This concentration means that compliance issues at major providers can impact hundreds of community banks simultaneously.
Badri Sridhar, a managing director in FTI Consulting’s financial services practice, told Banking Dive that core service provider compliance teams have disagreed with regulatory assessments “on at least three occasions” in his experience. He noted being “3-0 at this point” in dispute resolutions, but emphasized that “for banks who haven’t hired a consultant, who don’t have that expertise in-house, they could just be taking the service provider’s word for it.”
The investigation focuses on specific pain points that affect day-to-day operations: core conversions, system updates, and associated costs. Small banks and credit unions rely on these companies not only for essential back-end functions like account management and deposit processing, but also for payment processing and regulatory compliance updates.
The timing matters because regulatory requirements continue evolving while core providers face technical debt from legacy systems. Many still operate on mainframe-based systems requiring specialized knowledge in programming languages like COBOL, creating bottlenecks when compliance updates are needed quickly.
The Documentation Gap That Puts Community Banks at Risk
When regulatory reviews begin, examiners will ask specific questions about your core provider relationship that many community banks cannot answer comprehensively. The lack of systematic documentation becomes a liability when you need to demonstrate due diligence in vendor oversight.
Most community banks track basic contract terms and SLA metrics, but regulatory investigations dig deeper into compliance-specific vendor management. Examiners want to see evidence that you’ve actively monitored your provider’s regulatory responsiveness, not just their uptime statistics.
The challenge intensifies because many banks have layered custom code on top of their core systems over years of operation. As Sridhar explained to Banking Dive, institutions often choose to implement regulatory updates in-house rather than pay providers for modifications. This creates “custom code, maybe on top of other custom code, on top of more custom code” that becomes “very hard to untangle.”
Without proper documentation of these modifications and their compliance implications, banks cannot clearly delineate responsibility when regulatory issues arise. This ambiguity becomes problematic during investigations when regulators need to understand whether compliance failures stem from the core provider’s system or the bank’s customizations.
4-Step Response Checklist for OCC Core Provider Investigations
Step 1: Compile Your Core Provider Compliance Communications Archive (Week 1)
Your compliance officer should create a chronological file of all compliance-related communications with your core provider from the past 24 months. This includes emails about regulatory updates, system modification requests, and any disputes about compliance interpretations.
Document response times for each compliance-related request. Track how long your provider took to acknowledge regulatory update requirements and implement necessary changes. Include any instances where your provider disagreed with your compliance assessment or delayed implementing updates.
Assign this task to your vendor management coordinator and compliance analyst. Budget 12-15 hours for a thorough review of email archives, support tickets, and meeting minutes. Use a simple spreadsheet with columns for date, issue type, response time, and resolution status.
Step 2: Map Your Custom Code Dependencies (Week 2)
Your IT director needs to document all custom code layers added to your core system for regulatory compliance purposes. Create a visual map showing which compliance requirements are handled by your provider’s standard system versus your custom modifications.
This mapping exercise reveals your risk exposure if core provider issues arise. When you can clearly delineate which compliance functions depend on provider updates versus in-house code, you can respond more effectively to regulatory questions about responsibility and remediation plans.
Allow your senior developer or IT manager 20-25 hours spread across two weeks for this documentation. If you lack internal technical expertise, consider engaging a consultant familiar with your specific core platform. The investment typically ranges from $3,000-$8,000 but provides crucial clarity for regulatory discussions.
Step 3: Establish Alternative Compliance Verification Procedures (Week 3)
Develop independent methods to verify that your core provider’s compliance updates actually address regulatory requirements correctly. This protects you from situations where providers dismiss legitimate compliance concerns.
Create testing protocols for major regulatory updates before implementing them in production. Document your verification process so regulators can see you’re not blindly accepting provider assurances about compliance functionality.
Your compliance team should dedicate 8-10 hours monthly to this verification process going forward. Consider using compliance management platforms like MetricStream or Thomson Reuters to systematize your testing and documentation workflow.
Step 4: Prepare Your Regulatory Response Packet (Week 4)
Compile a comprehensive packet that demonstrates proactive vendor oversight. Include your vendor risk assessment, compliance monitoring procedures, escalation protocols, and contingency plans for provider service disruptions.
Document specific examples of how you’ve pushed back on provider decisions or sought clarification on compliance matters. This shows regulators that you’re actively managing the relationship rather than passively accepting provider guidance.
Your chief risk officer or compliance director should oversee this compilation, investing 15-20 hours to ensure comprehensive coverage. The packet should be maintained as a living document, updated quarterly with new compliance interactions and provider performance metrics.
Common Mistakes That Escalate Regulatory Scrutiny
Many community banks assume their core provider handles all compliance obligations automatically. This passive approach becomes problematic when regulators investigate specific compliance failures and banks cannot demonstrate active oversight of their provider’s performance.
Another frequent error involves inadequate documentation of compliance disputes with providers. Banks often resolve these issues verbally or through informal communications, leaving no paper trail for regulatory review. When investigations begin, this lack of documentation suggests insufficient vendor management controls.
Banks also underestimate the importance of maintaining independent compliance verification capabilities. Relying entirely on provider assertions about regulatory compliance creates vulnerability when those assessments prove incorrect or incomplete.
Finally, many institutions fail to develop realistic contingency plans for core provider compliance failures. Without documented alternatives or escalation procedures, banks cannot demonstrate to regulators that they’ve considered the systemic risks of vendor concentration in the core provider market.
Key Takeaways
- Document everything now: Regulatory investigations require comprehensive evidence of vendor oversight activities, not just basic contract compliance
- Map your custom code dependencies: Understanding which compliance functions rely on provider updates versus in-house modifications becomes crucial during regulatory reviews
- Develop independent verification procedures: Don’t rely solely on provider assurances about compliance functionality – create your own testing protocols
The OCC’s investigation into core provider relationships represents a significant shift in regulatory focus that will likely expand beyond the initial inquiry. Community banks that proactively document their vendor management processes and develop independent compliance verification capabilities will be better positioned to navigate this increased scrutiny. How prepared is your institution to demonstrate active oversight of your core provider’s compliance performance?
Source: Banking Dive