Regulators Hit at Jack Henry Post-Sandy
Jack Henry & Associates is four months into an enforcement order from federal regulators regarding its disaster recovery and business continuity planning processes.
The Monett, Mo.-based company entered into a formal agreement with the OCC, FDIC and the Federal Reserve to resolve issues around the recovery of operations at a bank item processing facility in Lyndhurst, N.J., that was damaged by Hurricane Sandy in October 2012.
The storm caused $13.7 million in expenses at the New Jersey site, JHA said in a financial performance report last February. The company's top executive said last week that all issues are being addressed and resolved.
JHA, a provider of core processing and other technology services to thousands of credit unions and banks, signed a formal agreement on Nov. 13, 2013, that outlined a series of reporting requirements involving its own board and three regulators: the OCC, FDIC and the Federal Reserve. The OCC is listed as the agency in charge of the agreement.
“The regulators have identified unsafe and unsound practices relating to the technology service provider's disaster recovery and business continuity planning and processes,” the agreement said. The company must resolve those and meet FFIEC requirements for business continuity planning.
Jack Henry is best known in the credit union industry for its Symitar core processing platforms and ProfitStars solutions that include financial performance, image processing, information security and risk management and other software.
Its CEO, Jack Prim, said credit unions were not involved. “The precipitating event had to do with a bank image item processing facility and an improperly executed recovery process. The review and changes that we have made since the event (and prior to the issuance of the formal agreement) will assure that all JHA processing plans have been thoroughly reviewed and tested,” Prim told CU Times on March 11.
Prim said, “We installed new senior management to oversee all of our item and data processing operations, for banks and credit unions. We have revisited all processing plans throughout the company and implemented more extensive testing processes for all plans, not just those impacted by Hurricane Sandy.
“We brought in an independent third party with expertise in DR/BCP planning to review these plans and processes. We have added to our DR/BCP planning staff and to our compliance staff to assure that plans are tested and documented properly. The compliance and DR/BCP staffs now report to me as CEO and chairman of the board.” The reports were to be submitted to the director of bank information technology at the OCC.
A spokeswoman for the OCC said she could not comment on the agreement. An FDIC spokesman said his agency also could not comment on compliance with orders.