MSPs who service banks have always enjoyed a certain competitive advantage. Vertical industry experience, deeply embedded relationships, and a decent amount of protection against competitive threats from other MSPs, all explain why the banking (and financial services) vertical is difficult to access, but difficult to disrupt once you’re inside.
This week, the United States government increased the stakes for MSPs currently serving (and those wanting to enter) the US banking community. The Federal Financial Institutions Examination Council (FFIEC) and the Office of Foreign Assets Control (OFAC, which is part of the United States Treasury), issued a joint statement on sanctions for US banking institutions who violate OFAC rules.
What does this all mean? I’ll explain.
What does OFAC do?
According to the U.S. Department of the Treasury, OFAC “administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.”
Wait a minute, you may be saying. I just came here to learn about being a better managed service provider. Keep reading; this is important stuff.
What OFAC is concerned about is U.S. banks doing business with entities or individuals who are on the sanctions list, i.e., people and organizations with whom you should not be doing business.
For years now, the FFIEC (the regulating body for U.S. banks) has been increasing the amount of scrutiny and oversight for banks as it pertains to their use of MSPs. The FFIEC recognizes the importance of MSPs to assist banks with staying compliant with relevant banking regulations and practices. The FFIEC also recognizes that MSPs working with banks must be transparent and have a best practices approach to their managed services offerings.
What the joint statement from OFAC and the FFIEC does is increase the stakes for these banking institutions to include possible financial penalties. The specific wording from the joint statement is as follows:
“Continued use of products or services from a sanctioned entity, directly or indirectly through a service provider, may increase operational and OFAC compliance risk for a financial institution and could result in violations of law, civil money penalties, enforcement actions, and damage to the financial institution’s reputation.”
The Takeaway for MSPs?
MSPs currently servicing (or wanting to service) U.S. banks, had better be prepared for increased scrutiny from government regulators. The scrutiny will not just be on the MSP; it will also include any third parties involved in the delivery of managed services to the banking client.
Practically speaking, this makes servicing banks even more of a specialty area for MSPs. It also means MSPs may want to look at increasing fees for banking clients to absorb the increases in certification, audits, and vendor management compliance costs necessary to keep the managed services supply chain transparent and compliant with FFIEC and OFAC rules.