The Federal Deposit Insurance Corp. has not established goals or metrics that properly measure how effectively it oversees large third-party providers of banking technology, the inspector general found.
The watchdog found that although the FDIC has “taken steps to establish goals and metrics, they were not measurable or directly linked to [Significant Service Provider Examination Program] success factors,” according to a report published Tuesday.
The OIG was therefore unable to determine the effectiveness of the SSP Examination Program, which evaluates risk at service providers that federal banking agencies agree need special monitoring, based on factors such as how many banks the providers service and the volume of payments the providers process.
“In the absence of clear programmatic goals and metrics, the FDIC has limited assurance that the SSP Examination Program is achieving its intended purpose,” the OIG wrote. “Developing program-level goals and metrics will allow the FDIC to define programmatic success, measure the effectiveness of the SSP Examination Program, and support the FDIC’s efforts to achieve its strategic objectives related to risk management for third-party service providers.”
Since 2020, the SSP Examination Program has looked at 16 different service providers, nine of which were examined yearly between 2020 and 2023.
The agencies also examined 118 smaller and less complex Regional Service Providers. When the RSP Examination Program was audited in 2023, the OIG similarly found that the program did not have goals and metrics established to properly evaluate service providers.
In the report, the OIG found the FDIC’s approach to picking which providers to examine is poorly documented and “highly subjective,” and would benefit from additional quantitative analysis.
The FDIC is developing a tool that risk-ranks service providers, called the Inherent Risk Methodology Analysis.
“Qualitative factors such as service provider’s business line, the mission criticality and substitutability of the services provided, and the potential impact that a disruption in the service would have on the client bank should guide the FDIC’s prioritization effort once IRMA is implemented,” the OIG wrote.
Ryan Billingsley, acting director of the FDIC’s division of risk management, wrote in response to the OIG that the FDIC agrees that it should develop program-level goals for both the SSP and RSP examination programs, and that it should finalize and implement IRMA.
He wrote that the FDIC “appreciates the diligence and professionalism of the OIG” in its evaluations.