FDIC Inspector General Finds Bank Vendor Exam Program Lacking

The FDIC's Inspector General ("OIG") concluded that the agency's program for examining third-party companies providing services to banks lacked clear performance goals and metrics to measure its effectiveness.

In its audit, the OIG found that the FDIC had not established measurable, program-level performance goals to define success for the Significant Service Provider ("SSP") Examination Program. The SSP Program was designed to examine third-party companies providing services to banks—such as core banking, payment processing and cloud services—to the same extent as if the banks were performing the services themselves.

According to the audit, this absence of clear goals and related metrics meant the OIG was unable to draw conclusions on the program's effectiveness. The OIG noted that without such metrics, the FDIC had no real assurance that it was focusing its limited examination resources on the service providers that posed the greatest risk to the safety and soundness of banks.

The OIG also concluded that the process for selecting which vendors to examine was "highly subjective" and "poorly documented." The OIG acknowledged an ongoing interagency effort to establish a new risk-based methodology called the Inherent Risk Methodology Analysis ("IRMA") to better prioritize service providers. The OIG noted that as of May 2025, this initiative was not yet complete.

The OIG recommended that the Director of the Division of Risk Management Supervision complete the efforts to develop and implement program-level goals and metrics for its service provider examination programs, including finalizing and implementing the IRMA. In responsive comments appended to the report, the FDIC said it planned to complete corrective actions by March 31, 2026.
