FDIC Enforcement Actions Against Community Banks for Cyber Shortcomings

February 5, 2014

The American Banker is reporting that the FDIC took action against eight companies in the final quarter of 2013 — most of which were community banks. Among the concerns raised in those enforcement actions were data privacy and cybersecurity regulatory noncompliance.

For example, Banesco USA, a Florida bank, entered into a consent order pertaining to compliance with the Bank Secrecy Act. Banesco is an $820 million financial services company. FDIC ordered that it review its customer identification and Know Your Customer programs, increase board participation and assess vulnerability to money laundering and financial terrorism. These are controls that many small banks struggle to have in place. The FDIC’s message here is clear. Being a small bank will not excuse noncompliance with anti-money laundering and cyber fraud compliance.

The FDIC also entered a consent order along with the OCC against bank vendor BSERV in Las Vegas and Fundtech in New Jersey. The companies were ordered to assess their information security risk and create a better vendor management program that meets agency guidelines. In this instance the FDIC undertook an action against a vendor directly. Many vendors have assumed that their client-banks would be primarily liable for any regulatory noncompliance. That is not the case if a vendor is itself a financial services company.

These cases illustrate the increased regulatory scrutiny of community banks’ privacy and data security measures that we have been seeing over the past year. The FFIEC’s guidance on data security, the 2013 Cybersecurity Executive Order and the NIST standards all create a common language for data security protocols in the financial services sector. With these technical frameworks in place, financial regulators are looking at banks with an increased focus on technical data controls. And, as was the case in the final quarter of 2013, the FDIC is willing to undertake an enforcement action if a bank, or a bank’s vendor, is not information security savvy.