FDIC Enters into Consent Order with IT Provider for Depository Institutions

The FDIC recently entered into a consent order with an IT service provider.  As part of the consent order, the service provider must undergo comprehensive and wide-ranging compliance reforms.

The service provider provides information technology and other related services to certain depository institutions and their affiliates.  Following an investigation by the FDIC, the FDIC alleged deficiencies and weakness in the service provider’s system development, project management, business continuity management, cloud operations, and business arrangements that constituted unsafe or unsound practices.

Under the consent order, the service provider must establish an Executive Oversight Committee that is responsible for overseeing and ensuring compliance with the consent order.  Amongst other things, the committee must provide detailed reports regarding identified risks and corresponding corrective actions to its board of managers.  Under the consent order, the board of managers is responsible for approving, implementing, and adhering to policies and procedures designed to ensure that the service provider’s business activities, including those performed by third-parties, are safe and sound.  Additionally, the board must approve any large and complex system conversion by first attesting that the service provider is ready and able to undertake such a conversion.  In addition to the report due 120 days from the effective date of the consent order, the service provider must also provide quarterly progress reports to the FDIC and quarterly status letters to depository institutions to whom it provides IT services.

The service provider neither admitted nor denied the allegations.