Bank regulators have greatly increased their focus on third-party oversight through multiple, high-profile enforcement actions and through the issuance of guidance.
This has come up on several fronts. Let’s explore what the regulators have had to say, and then a plan for addressing this increased scrutiny.
Guidance from the agencies
Here’s a summary of what’s been going on:
Federal Reserve Board
On Dec. 5, 2013, the Federal Reserve Board released “Guidance on Managing Outsourcing Risk.” In this guidance the Fed addresses the characteristics, governance, and operational effectiveness of a financial institution’s service provider risk management program for outsourced activities, going beyond traditional core bank processing and information technology services.
The Fed’s guidance applies to all service provider relationships regardless of the type of bank activity that is outsourced. At a high level, this guidance:
• Discusses potential risks arising from service provider relationships.
• Outlines supervisory expectations for a financial institution's board and senior management in managing risks associated with service provider relationships.
• Describes the broad framework and processes to effectively manage risks associated with service provider relationships.
Office of the Comptroller of the Currency
The Fed’s guidance was directly preceded by the Oct. 30, 2013, release of OCC Bulletin 2013-29 from the Office of the Comptroller of the Currency, providing risk management guidance for third-party relationships. The bulletin directs national banks and federal savings associations to:
• Adopt risk management processes commensurate with the level of risk and complexity of third-party relationships.
• Ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
• Maintain effective risk management processes throughout the life cycle of third-party relationships, including:
* Plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third-party.
* Proper due diligence in selecting a third-party.
* Written contracts that outline the rights and responsibilities of all parties.
* Ongoing monitoring of the third-party’s activities and performance.
* Contingency plans for terminating the relationship in an effective manner.
* Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
* Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
* Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.
Consumer Financial Protection Bureau
It was, however, the earlier April 13, 2012, publication by the Consumer Financial Protection Bureau of CFPB Bulletin 2012-03 that first caught the attention of the financial services community. CFPB’s bulletin stated expectations for supervised banks and nonbanks to have an “effective process for managing the risks of service provider relationships.”
In no uncertain terms, CFPB came out strong, stating that financial institutions under bureau supervision “may be held responsible for the actions of the companies with which they contract. The bureau will take a close look at service providers’ interactions with consumers. It will hold all appropriate companies accountable when legal violations occur.”
It was made clear to the industry that ongoing oversight and close and meaningful monitoring of third-party service provider activities would be essential going forward.
The CFPB Bulletin outlines steps financial institutions should take to ensure that business arrangements with service providers do not present unwarranted risks to consumers. These steps include:
• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with the law.
• Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities.
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with the law.
• Taking prompt action to address fully any problems identified through the monitoring process.
Federal Deposit Insurance Corporation
Unlike the other federal financial regulatory agencies, the Federal Deposit Insurance Corporation (“FDIC”) has not released updated guidance and continues to base its oversight of third-party risk on Financial Institution Letter 44-2008.
Significance of regulatory moves
Third-party relationships, outsourcing, and the like aren’t new to banking. So what’s all the fuss about?
The recent release of third-party service provider guidance by the CFPB, the Comptroller’s Office, and the Fed is spurring considerable focus on an area that had been on the back burner for some time.
For many financial institutions, this has been forcing revisions to program controls that have long been applied primarily to the information technology department. As an additional kick, Title X of Dodd-Frank grants CFPB supervisory and enforcement authority over supervised service providers, including the authority to examine the operations of service providers on site.
This has served as a very loud wake-up call. Taken as a whole, the regulators’ actions have forced the financial services industry to reconsider how it goes about outsourcing and the level of effort required to manage ongoing third-party relationships.
Regulators have taken note that banks and nonbank providers of financial services are increasingly relying on domestic and foreign third parties to perform many critical activities. Examples of this include:
• Outsourcing entire functional units to third parties, such as tax, legal, audit, or information technology.
• Outsourcing lines of business or products.
• Increasing reliance on a particular third-party to perform multiple activities.
• Utilizing third parties to directly interact with customers.
• Use of third parties that in turn subcontract activities to other foreign and domestic providers.
The agencies are setting a clear expectation that bank and nonbank providers of financial services must practice effective risk management, regardless of whether the entity performs a particular activity internally or outsources it to a third-party. The use of third parties does not diminish the responsibility of the board and senior management to ensure that the activity is performed in a safe and sound manner and that it complies with applicable laws.
Managing third-party service provider relationships
If you have not taken a close look at your vendor management program lately, now is a very good time to review it. Institutions supervised by the Fed, OCC, or FDIC have been subject to both the Federal Financial Institutions Examination Council’s Outsourcing Technology Services guidelines, as well as the guidelines issued by each of the regulatory agencies individually.
As such, banks should have at least the skeleton of a vendor management program in place. For nonbank financial services providers, there is likely work to be done to lay the foundational groundwork for a conforming program.
Below are some core framework considerations that all financial services providers should build into their third-party outsourcing and vendor management oversight processes.
An overall point: Risk management practices should be commensurate with the level of risk and complexity of third-party relationships.
Boards and managers should identify those third-party relationships that involve critical activities and ensure that appropriate risk management practices are in place to assess, monitor, and manage the risks.
Effective third-party risk management entails the following elements:
Planning
Developing a plan to manage the relationship is often the first step in the third-party risk management process. Establish roles and responsibilities for hands-on oversight and management of third-party relationships at both the enterprise and business unit level.
Due diligence and third-party selection
Conducting due diligence on third parties before selecting and entering into contracts or relationships should be commensurate with the level of risk and complexity of the third-party relationship. Where a third-party is under consideration for performing a critical activity, more extensive due diligence is warranted. It is recommended to schedule an on-site visit to become fully familiar with management and to understand the third-party’s operations and capacity. Keep in mind that it may be necessary to broaden the scope of the due diligence, as risk issues are surfaced that require additional analysis.
In performing your due diligence on a third-party service provider, consider the following:
• Strategies and goals: Do the third-party’s overall philosophy, business strategy, goals, and employment practices align with those of your organization?
• Legal and regulatory compliance: How effective is the third-party’s legal and regulatory compliance program? Does it have the necessary licenses to operate? Does it have the expertise, processes, and controls to operate in a compliant manner under both domestic and international laws and regulations?
• Financial condition: Evaluate the third-party’s financial condition and overall stability, scaling the analytics and underwriting relative to the significance of the activity that the third-party will perform.
• Business experience and reputation: Assess the third-party’s reputation, including history of customer complaints or litigation. Determine how long the third-party has been in business, its market share for the activities, and whether there have been significant changes in the activities offered or in its business model.
• Fee structure and incentives: Determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking.
• Qualifications, backgrounds, and reputations of company principals: Are thorough background checks conducted on the third-party’s senior management, employees, and subcontractors who may have access to critical systems or confidential information?
• Risk management: Evaluate the effectiveness of the third-party’s policies, processes, and internal controls, and review its SSAE 16 (SOC 1) report, as appropriate. Keep in mind that a SOC 1 report covers controls relevant to financial reporting; where the service touches customer data or systems, ask for a SOC 2 report as well, and check the report’s scope, period, and any carved-out subservice organizations before relying on it.
• Information security: Does the third-party have sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities?
• Management of information systems: Gain a clear understanding of the third-party’s business processes and technology that will be used to support the activity.
• Resilience: Determine whether the third-party maintains disaster recovery and business continuity plans that specify the time frame to resume activities and recover data.
• Incident-reporting and management programs: Are clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents in place?
• Physical security: Evaluate whether the third-party has sufficient physical and environmental controls to ensure the safety and security of its facilities, technology systems, and employees.
• Human resource management: Review training programs to ensure that the third-party’s staff is knowledgeable of laws, regulations, technology, risk, and other factors that may affect the quality of the activities provided.
• Reliance on subcontractors: Evaluate the third-party’s ability to assess, monitor, and mitigate risks from its use of subcontractors and to ensure that the same level of quality and controls exists no matter where the subcontractors’ operations reside.
• Insurance coverage: Verify that the third-party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents.
• Conflicting contractual arrangements with other parties: Evaluate the potential legal and financial implications of contracts between the third-party and its subcontractors or other parties.
Senior management should review the results of the due diligence to determine whether the third-party is able to meet the bank’s expectations and whether the bank should proceed with the third-party relationship.
If the results do not meet expectations, management should recommend that the third-party make appropriate changes; find an alternate third-party; conduct the activity in-house; or discontinue the activity.
As part of any recommended changes, the bank may need to supplement the third-party’s resources or increase or implement new controls to manage the risks. Management should present results of due diligence to the board when making recommendations for third-party relationships that involve critical activities.
Contract negotiation
Documenting your relationship with a third-party service provider ranks as one of the most critical elements to managing foreseeable risks that might arise during the course of the relationship.
It is essential to always involve your legal counsel in the due diligence and relationship formation stage to ensure that the necessary legal protections are incorporated into the contract document. Developing a contract that clearly defines the expectations and responsibilities of the third-party helps to ensure the contract’s enforceability, limit your company’s liability, and mitigate disputes regarding performance.
The following is by no means intended as an all-inclusive list of considerations, but only to provide some ideas and key considerations to include in the early, contract development stage:
• Who does what: The contract should be clear in defining the scope of the third-party’s responsibilities and address the third-party's use of subcontractors or other entities.
* It is good practice to require that the third-party provide notice of its use of subcontractors, and seek approval prior to using the services of subcontractors.
* Agreements should define the services that may be subcontracted, the service provider's due diligence process for engaging and monitoring subcontractors, and the notification and approval requirements regarding changes to the service provider's subcontractors.
* Clearly specify the activities that cannot be subcontracted or any prohibitions on subcontracting activities to certain locations or specific subcontractors.
* Detail expectations for reporting on the subcontractor’s conformance with performance measures, periodic audit results, compliance with laws and regulations, and other contractual obligations.
• Complaint handling: The contract should require that the third-party appropriately addresses customer complaints, either through its own process that meets your corporate standard or by forwarding them to you for handling.
* The contract should allow for ongoing access to monitor complaint activity, analyses of the substance of all complaints, responses provided, and course of action proposed to resolve underlying issues.
• Business continuity provisions: Contracts with third-parties should provide for continuation of the business function in the event of problems affecting a third-party’s operations, including degradations or interruptions resulting from natural disasters, human error, or intentional attacks.
* Stipulate the third-party’s responsibility for backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans.
* Include provisions—in the event of the third-party’s bankruptcy, business failure, or business interruption—for transferring the bank’s accounts or activities to another third-party without penalty.
• Specify checkups from the start: Include the types and frequency of the audit reports that you expect to receive.
* Internal audit reports or other independent third-party reviews and work papers regarding the third-party provider's internal audit function must be available to examiners upon request.
* Ensure that the contract establishes your company’s right to audit, monitor performance, and require remediation when issues are identified.
• Establish your right to cover yourself: It should be clearly stated that the third-party service provider is subject to examination and regulatory oversight.
* The contract should detail the specific laws, regulations, guidance, and self-regulatory standards applicable to the third-party service provider’s activities. This should include provisions that outline compliance with certain sections of the Gramm-Leach-Bliley Act for privacy and safeguarding of customer information; Bank Secrecy Act and Anti-Money Laundering; Office of Foreign Assets Control; and fair lending, Unfair, Deceptive or Abusive Acts or Practices and other consumer protection laws and regulations, as appropriate.
• Spell out responsibility for errors: Specify liability for delayed or erroneous transactions, and other potential risks.
• Set up an exit path: Include a termination provision for change in control, merger or acquisition, convenience, substantial increase in cost, repeated failure to meet service standards, failure to provide critical services and required notices, failure to prevent violations of law or unfair and deceptive practices, bankruptcy, company closure, and insolvency.
• Keep reins on the pay setup: The contract should establish an effective process for review and approval of incentive compensation arrangements with third-party service providers.
* Fee structures and incentives may result in inappropriate risk-taking by the third-party and you need to remain vigilant at all times to ensure that compensation arrangements are appropriate and present no potential for heightened risk.
Again, it is vital that you involve legal counsel in the due diligence and relationship-building phase to ensure that adequate legal protections are incorporated into the contracts you establish with each third-party service provider.
Ongoing monitoring
Throughout the life cycle of the third-party relationship it is essential to monitor the service provider’s performance.
If the third-party is contracted to perform critical activities, the level of monitoring should be commensurate with the level of risk inherent in the relationship. To ensure that adequate monitoring is established, management should dedicate staffing resources with the necessary expertise, authority, and accountability to monitor the third-party.
Monitoring can range from regular on-site visits to regularly scheduled management dashboard reporting. Whatever approaches are used, it is essential to monitor the effectiveness of controls, performance in relation to service level agreements, and compliance with legal and regulatory requirements.
As a general matter, the criteria assessed during initial due diligence should continue to be periodically reviewed as part of the ongoing monitoring of a third-party relationship. Particular attention, however, should be directed to the volume, nature, and trends of consumer complaints, especially those that indicate compliance or risk management problems, and to the service provider’s ability to appropriately remediate customer complaints.
Keep in mind that the level and types of risks may shift during the life cycle of a third-party relationship. Monitoring activities must adjust. This may result in changes to the frequency and types of required reporting, including service-level agreement performance reports, audit reports, and control testing results.
Relationship managers should escalate significant issues or material weaknesses noted through ongoing monitoring, such as repeat audit findings, deterioration in financial condition, security breaches, data loss, service or system interruptions, or findings of non-compliance with laws and regulations.
Termination, contingency planning, or exit strategy
Third-party relationships eventually terminate.
This may be due to expiration or satisfaction of the contract; desire to seek the services of a different service provider; decision on the part of the board and management to bring the activity in-house; discontinuance of the activity; or a breach of contract.
Having a well-thought-out exit strategy to ensure that relationships terminate in an efficient manner is a prudent risk containment measure that will serve to protect your company and your customers.
About the author
Thomas Grundy is a senior regulatory consultant at Wolters Kluwer Financial Services. Grundy, a CRCM (Certified Regulatory Compliance Manager), has more than 28 years of experience as a federal regulator, compliance professional, and consultant.