Banks and their trade groups have encouraged the Office of the Comptroller of the Currency to increase oversight of core service providers, citing the growing risk of those companies failing to make timely system updates to satisfy changing regulatory requirements.
That’s something Badri Sridhar, a managing director in FTI Consulting’s financial services practice, has repeatedly observed in his work with banks and nonbanks to implement regulatory compliance requirements.
The three largest core providers are Fiserv, Fidelity National Information Services and Jack Henry & Associates, although nearly 20 other companies provide such services in the U.S. Small banks and credit unions in particular rely on these companies not only for essential back-end functions like account management and deposit and loan processing, but also for payment processing and other services.
After issuing a request for information last November on community banks’ engagement with core service providers, the OCC received an earful from bankers and examiners, Comptroller Jonathan Gould said in March.
“One of the things I’ve heard loud and clear are concerns about the relationship,” including the “very uneven,” “commercial negotiating relationship” between smaller banks and certain service providers, Gould said last month during the American Bankers Association’s Washington summit.
Gould said the agency seeks to understand challenges banks encounter, which include issues with core conversions, system updates and associated costs. The OCC is actively engaged with some of the major service providers, he said, and all are subject to oversight by the OCC and other federal banking agencies.
In a recent interview, Sridhar said he hasn’t heard any client say, “‘I'm really happy with the service I'm getting,’ especially when they have defects, because of the lead time it takes for them to fix those issues.”
Editor’s note: This interview has been edited for clarity and brevity.
BANKING DIVE: In your work with banks, what issues do you encounter with the core providers?
BADRI SRIDHAR: A lot of it’s data. When core providers have compliance issues, it can be a large number of customers who are impacted, and therefore requires coding changes or system updates.
A lot of these bank and nonbank lenders use the same core system providers, because there's only three or four major players. If you have a provider who does not implement updates timely, you'll have regulatory issues. It's a difficult situation for the bank or nonbank financial institution. The industry needs core service providers to be held more accountable for some of these issues, based on what I've seen.
I've been working with institutions on strategies for remediation, when you have archaic, mainframe-based systems that require specialized knowledge of the system as well as the coding language, like COBOL.
The financial institution has generally two choices. You can work with the core system provider to make the updates, or they can push out the updates to you and you can implement them in-house. Given the cost of getting the provider to make the updates, a lot of institutions choose to make updates in-house, if they have a programming team. So that involves adding custom code on top of the core system. Then you have custom code, maybe on top of other custom code, on top of more custom code. Years pass by, and that compounds. It becomes very hard to untangle all of that custom code.

If we flag something that appears to be noncompliant with a certain regulation and it’s a compliance issue, the core service provider is obligated to fix that issue. So the bank takes that to their service provider, and the service provider’s compliance team looks at it – and I've seen this happen on at least three occasions – the core service provider’s compliance team disagreed with our assessment. We eventually get to a resolution. I am 3-0 at this point. It is difficult. And for banks who haven't hired a consultant, who don't have that expertise in-house, they could just be taking the service provider’s word for it.
What do you make of Gould invoking federal banking agencies’ authority over service providers?
I’ve seen the OCC and other regulators come down on the banks, but I have not necessarily seen that with the core service providers in practice. It'll be interesting to see if any supervisory or enforcement actions come out of it.
Is there a way to assess how commonly banks are being held accountable but the issue may actually lie with the core service provider?
There’s no public way to do that. It’s hard to say. Sometimes institutions write some custom code on top of the regular core code, and that's causing the issue. So it might not be the service providers’ fault.
It’s complicated. If your vendor is pushing back after you flag a compliance issue, it’s sometimes difficult to manage that situation. Or they may not be resolving it timely: “OK, we'll get to this next year.” Well, what do you do between now and then and you have an exam coming up?
What are some other challenging aspects to the bank-core provider dynamic?
It’s a difficult effort to change systems. When you've been using them for so long, migrating this whole code base to a new system – it takes months, if not years, to put together, depending on the size of the institution. And when you're a complex institution, you have multiple products. You don't necessarily service all of your products on one system.
I've had a situation where a large bank switched from an old system to a new system, and they had more compliance issues with the new system than they did with the older one.
It’s expensive to hire system vendors, consultants, and in your own teams, take up time out of their day – they have to build time in to account for this big system migration with a huge cost to it. It makes sense why a lot of institutions may want to kick the can on this initiative, versus some easier wins or priorities.
What might spur change in the market?
More core provider competition, newer entrants. But the barrier to entry is very high; if it wasn't so high, I think we would see more disruptors there. If there are more nimble players in the market who could respond quickly to institutions’ requests for updates, as well as adjust their defects, and also make it simple to migrate to the new system – this is theoretical and easier said than done, but – that could be a key driver.
Another key driver: We're going to reach a point where a number of individuals who know how to code in these languages will have retired and are out of the workforce. At that point, I think you have to make a change.
Core service providers are grappling with some of the same issues. That's not an excuse, but maybe the OCC should understand and unpack that and come to an appropriate resolution.