Jack Henry Hit with OCC Enforcement Order
Jack Henry & Associates is four months into an enforcement order from federal regulators regarding its disaster recovery and business continuity planning processes.
The Monett, Mo.-based company entered into a formal agreement with the OCC, FDIC and the Federal Reserve to resolve issues around the recovery of operations at a bank item processing facility in Lyndhurst, N.J., that was damaged by Hurricane Sandy in October 2012.
The storm caused $13.7 million in expenses at the New Jersey site, JHA said in a financial performance report last February. The company’s top executive said Tuesday that all issues are being addressed and resolved.
The provider of core processing and other technology services to thousands of credit unions and banks signed a formal agreement on Nov. 13, 2013, that outlined a series of reporting requirements involving its own board and three regulators: the OCC, FDIC and the Federal Reserve. The OCC is listed as the agency in charge of the agreement.
“The regulators have identified unsafe and unsound practices relating to the technology service provider’s disaster recovery and business continuity planning and processes,” the agreement said. It said deficiencies were noted in a December 2012 supervisory letter and a February 2013 examination report. The company must resolve those and meet FFIEC requirements for business continuity planning.
Jack Henry is best known in the credit union industry for its Symitar core processing platforms and ProfitStars solutions that include financial performance, retail delivery, image processing, information security and risk management and other software.
Its CEO, Jack Prim, said credit unions were not involved.
“The precipitating event had to do with a bank image item processing facility and an improperly executed recovery process. That event did not impact any credit unions. The review and changes that we have made since the event (and prior to the issuance of the formal agreement) will assure that all JHA processing plans have been thoroughly reviewed and tested,” Prim told CU Times on Tuesday.
Specifics were not provided in the order, and the agencies said the earlier letter and report were not public information.
The published agreement did outline what should be included in the required DR/BCP process, including an assessment and prioritization of all business functions, systems and resource requirements and detailed risk assessments.
Prim said a number of changes have been made to reporting processes and to the technologies in place at its image item processing facilities, as well as to many of its data backup and replication processes.
“We installed new senior management to oversee all of our item and data processing operations, for banks and credit unions. We have revisited all processing plans throughout the company and implemented more extensive testing processes for all plans, not just those impacted by Hurricane Sandy,” Prim said.
“We brought in an independent third party with expertise in DR/BCP planning to review these plans and processes. We have added to our DR/BCP planning staff and to our compliance staff to assure that plans are tested and documented properly. The compliance and DR/BCP staffs now report to me as CEO and chairman of the board,” he said. The reports were to be submitted to the director of bank information technology at the OCC.
A spokeswoman for the OCC said she could not comment on the agreement. An FDIC spokesman said his agency also could not comment on compliance with orders.
“The FDIC has issued enforcement actions against third-party service providers in the past,” added David Barr, assistant director of the FDIC’s Office of Public Affairs. “We do not track them separately, however.”
This is at least the second time in the past couple of years that bank regulators have focused on a major technology provider in the credit union space. A security breach first reported at payments processor FIS in 2011 drew regulator and industry attention when the NCUA advised credit unions to evaluate their relationship with that vendor after the FDIC issued the big processor a supervisory letter about its security practices.