Sunday, March 31, 2024

 

The Uniform Beneficial Ownership Rule- Big Changes

A Three-part Series- Part One-The UBO Comes of Age

 

 

Introduction

The United States has responded to the war in Ukraine in many ways. Among the responses has been the imposition of sanctions on many parts of the Russian economy, government offices and high-profile individuals. Once the sanctions were imposed, the results brought attention to many of the “holes” that exist in the AML framework.

One of the main tools being used to avoid sanctions is the shell corporation. A shell corporation is a corporation without active business operations or significant assets. These types of corporations are not all necessarily illegal, but they are sometimes used illegitimately, such as to disguise business ownership from law enforcement or the public.

Shell corporations have been the main vehicle used to launder money in contravention of the US sanctions against Russia and its supporters. [1] There is a reason that shell corporations became a favorite tool for money launderers and terrorism financiers that want to avoid sanctions. These corporations make it very difficult to determine the true ownership of the company and are equally opaque when it comes to the sources of funding.

Although the war in Ukraine has highlighted certain weaknesses in our AML regime, the use of shell corporations to hide the sources and uses of funds has been a concern of regulators for many years. The original uniform Beneficial Ownership Rule was passed to begin addressing the concerns with these companies.

This rule currently requires covered institutions to obtain information about any owner of a corporation that owns more than 25% of the company.  In addition, any person who is considered a controlling person should also give background information.   

The Rule Itself 

The final rule creates a “fifth pillar” in the standard group of expectations for a comprehensive BSA/AML compliance program. Ongoing and risk-based due diligence for customers will now be considered an essential part of the compliance program. The rule makes due diligence a dynamic process rather than the traditional process that essentially ended at the time the account was opened. Financial institutions are expected to stay abreast of who the beneficial owners of a legal entity are and how their ownership might impact ongoing monitoring of the account. As the beneficial owners change, the manner in which the account is viewed should change accordingly.

Beneficial Ownership is a broad definition that includes both ownership and control.  

Ownership – is defined as any person who directly or indirectly owns more than 25 percent of the equity of a legal entity.

 

Control 

 Beneficial ownership is determined under both a control prong and an ownership prong. Under the control prong, the beneficial owner is a single individual with significant responsibility to control, manage or direct a legal entity customer.  This includes an executive officer or senior manager (Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, President), or any other individual who regularly performs similar functions. One beneficial owner must be identified under the control prong for each legal entity customer.

These two prongs are critical because there are many times when a person or persons could actually have a minimal ownership stake in a firm or even no actual legal ownership, but still have the ability to control the firm.   The rule requires all covered institutions to obtain information on all people who own or control a legal entity.  

Financial institutions are expected to design policies and procedures that detail how staff will use their best efforts to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of a legal entity customer. The procedures must allow the financial institution to identify all beneficial owners of each legal entity customer at the time of account opening unless an exclusion or exemption applies to the customer or account. 

In Part Two, we will discuss the changes to the regulation that have been implemented.

***James DeFrantz is Principal at Virtual Compliance Management.  For More information please visit our website at www.vcm4you.com ***



[1] https://www.independent.co.uk/news/world/europe/russia-oligarch-sanctions-suleiman-kerimov-pandora-papers-b2056144.html

 https://jamesdefrantzblog.wordpress.com/2024/04/01/the-uniform-beneficial-ownership-rule-big-changes-a-three-part-series-part-one-the-ubo-comes-of-age/


Sunday, March 24, 2024


BSA/AML - Not Even the Same Name!


2020 was an unforgettable year for many reasons: the Covid outbreak, the US national election, civil unrest and just general mayhem. It was also a significant year in the area of BSA/AML compliance. In 2020 the US Congress passed the Anti-Money Laundering Act of 2020 (“AMLA”). Among the significant provisions of this Act were:

  • A statement from FinCEN on the priorities for AML/CFT
  • Expansion of AML rules to dealers in arts and antiquities
  • AML threat patterns will be shared more freely amongst law enforcement
  • SAR sharing
  • Corporate Transparency Act

The last of these provisions, the Corporate Transparency Act, is the basis for new rules that will require almost all businesses to supply Uniform Beneficial Ownership information on a national registry. 

Since 2020, there have been only slight changes in the rules and laws that apply to AML administration; however, that doesn’t mean that changes are not occurring in the administration of an AML compliance program.

Changes Are Coming-What’s in a Name?

Among the changes that have been and are being implemented is a change in nomenclature.  The FDIC and other prudential regulators have announced that going forward:

For purposes of consistency with the AML Act, the FDIC now uses the term “AML/CFT” rather than “BSA/AML.”[1]

The change in name is designed to place emphasis on countering the financing of terrorism. There is also a clear indication that the emphasis will be on detecting potential suspicious activity and managing it through strong internal controls.

Consistent with previous regulatory efforts, much of the focus of the AMLA 2020 is on facilitating information sharing between the public and private sectors in order to strengthen the AML system and better protect the financial system from abuse.[2]

It is clear that there will be an emphasis on the ability of your AML/CFT program to identify the areas of risk in your product portfolio and to tie the risks that are identified to the monitoring program that is implemented. There will be an emphasis on not just knowing who your customers are, but also the characteristics of a typical transaction for your customer base.

Priorities

Another impact of the passage of the AMLA is that FinCEN was required to publish its priorities each year. FinCEN announced its priorities for the first time in June of 2021 and these priorities have been reiterated since then. FinCEN has stated that the priorities are not listed in order of importance:

1. Corruption.
2. Cybercrime, including relevant cybersecurity and virtual currency considerations.
3. Foreign and domestic terrorist financing.
4. Fraud.
5. Transnational criminal organization activity.
6. Drug trafficking organization activity.
7. Human trafficking and human smuggling.
8. Proliferation financing.

 

Despite the agency's statement that the priorities are not ranked, the following areas have received the most attention from regulators:

 

1. Beneficial ownership reporting: A final rule has been issued that will require all businesses that have registered with a Secretary of State in any state in the United States to be registered. There is a proposed final rule about who will have access to the registry that is being considered and will be finalized in 2023.
2. Anti-Corruption/Real estate: FinCEN has issued orders that target high-value real estate markets and has expanded the requirements for a full AML compliance program to dealers in antiquities and luxury items.
3. Priorities: FinCEN is working on a rule that will make the above priorities part of the regulatory framework.
4. Virtual Currency: There is no question that regulations that deal specifically with virtual currency are coming.
5. Fraud: Although fraud has been pervasive for many years, this area has grown and become an area of focus for regulatory attention.

 

Change in Focus is the Same as Change in Regulation

 

Even for institutions that are not directly impacted by these rules, remember that a change in focus can have the same effect as a change in regulation.  Areas of examination that in the past may have received little attention will now be a focal point of an examination.  Pay particular attention to the following areas: 

 

1. Transaction Monitoring: Make sure that your compliance team has the ability to identify typical and unusual patterns of activity based upon your customer portfolio.
2. Risk Rating and Risk Assessments: Identify the overall risks of the business as well as the risks associated with individual customers, and tie the results of risk assessments to the overall monitoring program.
3. Fraud Detection: Ensure that systems are in place to detect fraud.
4. IT Security: Be aware of the systems that are in place to protect private non-public information.
5. SAR Documentation: Make sure that when suspicious activity is suspected, your compliance team documents the research that was performed, even if it does not result in a SAR. Make sure that the reasons for not filing a SAR are documented in the same manner as the decision to file.

 

Expanding the reach of AML regulations

 

On February 16, 2024, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking, which would require certain real estate professionals to report certain transaction information to FinCEN in connection with non-financed transfers of residential real estate to legal entities or trusts.

 

On February 13, 2024, FinCEN also issued a notice of proposed rulemaking. The proposed rule would subject advisers to suspicious activity reporting obligations similar to those required of broker-dealers. An adviser must report suspicious transactions that are conducted or attempted by, at, or through an adviser and involve or aggregate at least $5,000 in funds or other assets.

 

We will discuss several of the changes caused by the new priorities in our blogs this month.

 

 

 

***James DeFrantz is the Principal at Virtual Compliance Management services.  He can be reached at JDeFrantz@VCM4YOU.com***



[1] https://www.fdic.gov/resources/bankers/aml-cft/

[2] https://legal.thomsonreuters.com


Sunday, March 26, 2023

UBO – You have Gathered all of the Ownership Information- Now What?

Part Three in a Series

We have discussed the UBO rule and the changes that will be required when both parts of the rule are passed, but one thing we have yet to get into is how to use the information that is collected in a manner that is effective for the overall AML monitoring program. Put another way: now that you have the UBO information on your customers, so what?

Gathering the required information is the first basic step; it is what you DO with that information that can make the rule game-changing. Incorporating UBO information into both risk-rating and monitoring plans for customers is a key best practice. It is also the overall goal of the UBO rule.

The Reason for the Rule

Before the UBO rule was enacted, the ownership of established companies as well as shell corporations was an area that we missed in our overall information gathering used for risk assessment purposes. While we often did a background check on the company itself, we did not focus on the ownership of the company. The ownership of a business can and should make a huge difference in your risk profile of a customer.

Owners can present additional risks in many ways such as:

  • Cash-intensive related businesses
  • Ownership that is potentially OFAC sanctioned or otherwise compromised
  • Ownership that is engaged in illicit activities such as trade-based money laundering that could be blended into the operations of the established business

 

Risk and Ownership

How can the ownership of a company impact risk? A small example may help illustrate. Suppose we have a locally owned and operated flower shop that specializes in the Sky-blue Orchid, which grows almost exclusively in Tasmania, Australia.


Our customer specializes in selling this rare plant to the many admirers in the local area and throughout the country. Our risk profile of this customer would include business flow expectations such as:

  • A combination of cash, checks and credit/debit card payments as deposits
  • Wires to the suppliers, primarily in Australia
  • Payments to other suppliers, utility bills, rent or lease payments, insurance, etc. by debit card and/or ACH
  • Minimal wires coming in
  • Incremental growth

 

Now suppose our customer is joined by a 51% owner who is also a casino owner; does the risk profile of the company change? What else would you look for as a result of this change in ownership or control?

The risk profile of the company has not necessarily changed, but it would be a best practice to consider that any change in the cash flow or other activities of the flower shop might indicate that the new owner is changing the operation of the company. This is not to imply that a change in ownership itself is a problem, but the risk profile of the company must be reconsidered.

Risk Profiles and UBO 

When risk rating customers and administering the list of customers considered “high risk,” it is important that the UBO information, including who the controlling persons are, is part of the overall risk assessment and the monitoring program that results.

The whole point of risk assessing customers should be to determine how your monitoring program will be used to mitigate risks.  In the above example, the monitoring program would be altered to look for potential changes in the nature of the cash flow of the company including:

  • Higher cash deposits
  • Wire activity in countries different from the past
  • Incoming wires
  • Bulk sales of flowers
  • Customers from regions outside the established base

 

UBO information collection should be dynamic (at least annual) and must be built into the overall risk assessment and subsequent monitoring program. Once the information is collected, it should be incorporated into the overall risk assessment of customers and the monitoring program designed to mitigate risk.


Sunday, March 19, 2023

The Uniform Beneficial Ownership Rule- Big Changes Coming

A Three-part Series- Part Two-The Changes to the Rule  

 

Introduction

In our first blog in this series, we noted that there are several reasons that the Uniform Beneficial Ownership rule was expanded. The attempt to put sanctions on Russian persons and organizations has proven to be difficult based on some weaknesses in our overall regulatory scheme. We noted that one of the biggest holes in the system is that shell corporations can be used to launder money. The changes to the rule are designed to address the current “holes” in our AML/CFT system.

While the Uniform Beneficial Ownership (“UBO”) rule changes can help with the effort to reduce illicit transfers of money and wealth, the overall effectiveness of any regulation is limited by the overall participation of the stakeholders. For the changes to work, there are many players that must be engaged in the overall process. Making sure that you understand the requirements of the regulation and what it is intended to do is a critical component of the overall process.

Changes to the UBO Rule

The CTA, which is part of the Anti-Money Laundering Act of 2020 and was enacted into law as a part of the National Defense Authorization Act for Fiscal Year 2021, establishes ultimate beneficial ownership (UBO) information reporting requirements for the vast majority of privately held corporations, limited liability companies and other similar entities created in, or registered to do business in, any of the states of the United States. Under this rule, the number of companies that must report their beneficial ownership has been greatly expanded.

The Final UBO Rule applies to Reporting Companies. Reporting Companies are U.S. domestic companies and certain non-U.S. foreign companies:

  • Domestic Reporting Companies: Any corporation, limited liability company or other similar entity created by the filing of a document with a secretary of state or any similar office under the law of a State (including U.S. territories and possessions) or Indian tribe (unless exempt).
  • Foreign Reporting Companies: Any entity that is formed under the laws of a non-U.S. jurisdiction but is registered with a secretary of state or similar office to do business in that State or tribal jurisdiction in the United States (unless exempt).

Despite the broad definition of Reporting Companies under the CTA, the Final UBO Rule exempts 23 types of entities from the reporting requirements, including:

  • Entities already required to disclose beneficial ownership information publicly or to federal regulators (e.g., U.S. banks and credit unions, U.S. branches and agencies of non-U.S. banks, securities broker-dealers, investment advisers registered with the U.S. Securities and Exchange Commission, and money services businesses registered with FinCEN);
  • Large operating companies that (1) have 21 or more full-time employees, (2) filed federal income tax returns with the United States in the previous year that demonstrated more than $5,000,000 in gross receipts or sales in the aggregate, and (3) have an operating presence at a physical office within the United States.
  • Inactive entities that existed on or before January 1, 2020, but, among other requirements, are not engaged in active business and have not received or sent funds in an amount greater than $1,000; and
  • Subject to exceptions, subsidiaries whose ownership interests are controlled or wholly owned, directly or indirectly, by one or more exempt entities.

By looking at who is required to report and who is exempted, we can note that the exempt companies tend to be publicly held, and as a result, they have significant public reporting requirements.  These companies are also large and have strong internal control requirements that make them much less likely to be used by potential terrorists and money launderers. 

If the rule applies to a company, there are specific reporting requirements: 

Reporting Company Information

  • Full legal name and fictitious names (i.e., “doing business as” names).
  • Address of the reporting company’s principal place of business.
  • Jurisdiction of incorporation or formation (for both domestic and foreign reporting companies) and initial registration in the United States (for foreign reporting companies); and
  • Taxpayer Identification Number (TIN).

Beneficial Owners & Company Applicant Information

  • Full legal name.
  • Date of birth.
  • Current residential address; and
  • Unique identifying number from an acceptable identification document (or, if information has already been provided to FinCEN, by a FinCEN identifier).

 

This list of information is fairly well known and has been established since the passage of the original UBO rule.  There are some changes in the definitions that change the overall approach that an institution should use: 

 

Beneficial Owner: Under the CTA, a “beneficial owner” of a reporting company is “any individual, who, directly or indirectly, either exercises substantial control over such reporting company or owns or controls at least 25 percent of the ownership interests of such reporting company.”[1]

It is really the “control” prong of the regulation that has changed.  In the past, the rule called for inclusion of a single person with control, but the final rule calls for any and all persons who have control to be listed.

Substantial Control:  The Final UBO Rule’s broad definition of “substantial control” states that an individual exercises substantial control over a reporting company if the individual:

(A) Serves as a senior officer of the reporting company.

(B) Has authority over the appointment or removal of any senior officer or a majority of the board of directors (or similar body);

(C) Directs, determines, or has substantial influence over important decisions made by the reporting company, including decisions regarding:

1. The nature, scope, and attributes of the business of the reporting company, including the sale, lease, mortgage, or other transfer of any principal assets of the reporting company.
2. The reorganization, dissolution, or merger of the reporting company.
3. Major expenditures or investments, issuances of any equity, incurrence of any significant debt, or approval of the operating budget of the reporting company.
4. The selection or termination of business lines or ventures, or geographic focus, of the reporting company.
5. Compensation schemes and incentive programs for senior officers.
6. The entry into or termination, or the fulfillment or non-fulfillment, of significant contracts; or
7. Amendments of any substantial governance documents of the reporting company, including the articles of incorporation or similar formation documents, bylaws, and significant policies or procedures.

 

These rules will take effect in January 2024, but reporting will first be due January 1, 2025. There is a second part of the rule that is currently out for public comment.[2]

 

There are several practical considerations for compliance when it comes to covered institutions.   For example:

 

  • Onboarding procedures should still require UBO information. Covered institutions must ensure customers are in compliance with their own reporting requirements, perhaps adding a question to onboarding that asks the customer to verify that they have been registered.
  • Consider enhancing written policies and procedures. Remember that the reason for the regulation is to help consider what the ownership of a company means when making a risk assessment.
  • When ownership changes, the risk profile of the company may be impacted.

 

 

We will discuss these in more detail in our third installment of this series.

 




[1] 31 U.S.C.A. § 5336 (3)(A)(i)-(ii).

[2] Public service announcement- all rules that impact banking are published for comment. The regulators actually read these and consider them.  Taking part in the development of a regulation is a great idea!

 

Monday, February 20, 2023

 

Banking as a Service-Implications for Community Banks -Vendor Management is Critical

We discussed the ways that FinTech companies are on a mission to “disrupt” financial services. In this case, the disruption doesn’t necessarily have to carry a negative connotation. In fact, in many cases, the disruptions that FinTechs are causing are geared towards improving product delivery. At the end of the day, FinTechs are working to create efficiencies and deliver products with greater speed and flexibility, and this is ultimately a good thing for financial institutions.

In addition to the disruptive nature of FinTechs, we also noted that these companies are aiming right at the large pool of unbanked and underbanked families. These are the households that not only represent potential customers for the current banking model, but also represent financial institutions’ customers of the future. There is a growing reliance on smart phones to conduct banking transactions. In addition, customer expectations for credit products continue to evolve. Several platforms allow customers to apply for loans entirely online and with minimal human contact. Even the idea of who is and is not a credit-worthy customer has changed. Concepts such as collateral have changed; intellectual property can be a replacement for real estate in some cases. As the needs and expectations of financial institution customers change, the manner in which financial products are delivered must also change. FinTechs are leading the change in these areas.

Despite the numerous advantages that FinTechs may have, there are inefficiencies in the regulatory scheme that have severely limited the growth and influence of these companies. FinTechs are defined by the regulations as Money Service Businesses (“MSBs”) and as such, they are required to get licenses in each of the states in which they transact business. The process for obtaining these licenses can be tedious, time consuming and expensive. A company may have to repackage its information repeatedly to satisfy the application information requests for each state. Of course, depending on the structure of the state agency and the resources available for processing applications, the process can take a long time to complete.

Many banks today rely on outsourced functions ranging from core operating systems to monthly billing programs. The reliance on third parties to provide core functions at banks is no longer viewed as a less than desirable situation; it is normal. However, over time the types of relationships that banks began to form with outside vendors became more complicated and in some cases exotic. Some banks used third parties to offer loan products and services that would otherwise not be offered. In many cases, the administration of the contractual relationship was minimal, especially when the relationship was profitable.

The level and type of risk that these agreements created came under great scrutiny during the financial crisis of 2009.  Among the relationships that are most often scrutinized for areas of risk are:  

  • Third-party product providers such as mortgage brokers, auto dealers, and credit card providers;
  • Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activities;
  • Disclosure preparers, such as disclosure preparation software and third-party documentation preparers;
  • Technology providers such as software vendors and website developers; and
  • Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities.[1]

The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management. While the published guidance from each of these regulators has its own idiosyncrasies, there are clear basic themes that appear in each.

All of the guidance has similar statements that address the types of risk involved with third party relationships and all discuss steps for mitigating risks.  We will discuss the methods for reducing risk further in part two of this series. 

Types of Risk Associated with Third-Party Relationships.

Regardless of the size of your bank, or the overall complexity of the operation, the risks that follow will exist at some level with any third-party relationship.  

Operational Risk

Operational risk is present in all products, services, functions, delivery channels, and processes.  Third-party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party.

Operational risk can increase significantly when third-party relationships result in concentrations. Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations and that of its third parties and subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.

Compliance Risk

Compliance risk exists when products, services, or systems associated with third-party relationships are not properly reviewed for compliance or when the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures. Such risks also arise when a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service. Compliance risk may arise when a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights. Compliance risk may also arise when the third party does not adequately monitor and report transactions for suspicious activities to the bank under the BSA or OFAC. The potential for serious or frequent violations or noncompliance exists when a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones, when activities are further subcontracted, when activities are conducted in foreign countries, or when customer and employee data is transmitted to foreign countries.

Compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. Compliance failures by the third party could result in litigation or loss of business to the bank and damage to the bank’s reputation.

Reputation Risk

Third-party relationships that do not meet the expectations of the bank’s customers expose the bank to reputation risk. Poor service, frequent or prolonged service disruptions, significant or repetitive security lapses, inappropriate sales recommendations, and violations of consumer law and other law can result in litigation, loss of business to the bank, or negative perceptions in the marketplace. Publicity about adverse events surrounding the third parties also may increase the bank’s reputation risk. In addition, many of the products and services involved in franchising arrangements expose banks to higher reputation risks. Franchising the bank’s attributes often includes direct or subtle reference to the bank’s name.  Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party.  In some cases, however, it is not until something goes wrong with the third party’s products, services, or client relationships, that it becomes apparent to the third party’s clients that the bank is involved or plays a role in the transactions. When a bank is offering products and services actually originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products, services, and adequate oversight over the third party’s activities.

Strategic Risk

A bank is exposed to strategic risk if it uses third parties to conduct banking functions or offer products and services that are not compatible with the bank’s strategic goals, cannot be effectively monitored and managed by the bank, or do not provide an adequate return on investment. Strategic risk exists in a bank that uses third parties in an effort to remain competitive, increase earnings, or control expense without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the activity. Strategic risk also arises if management does not possess adequate expertise and experience to oversee properly the third-party relationship.

Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.

Credit Risk

Credit risk may arise when management has exercised ineffective due diligence and oversight of third parties that market or originate certain types of loans on the bank’s behalf, resulting in low-quality receivables and loans. Ineffective oversight of third parties can also result in poor account management, customer service, or collection activities. Likewise, where third parties solicit and refer customers, conduct underwriting analysis, or set up product programs on behalf of the bank, substantial credit risk may be transferred to the bank if the third party is unwilling or unable to fulfill its obligations.

Managing Risk

One of the most important points that all of the regulators are driving home is that they intend to hold financial institutions responsible for the actions of their third-party service providers. For example, if an automobile dealer with whom a bank has a relationship engages in lending activities that have fair lending concerns, the bank under whose name they are providing the service will also be found to have fair lending concerns.

This is not to say that there is a general distaste for outsourcing or third-party arrangements. It is to say that when the arrangement is made, there should be a risk management system in place ahead of the formation of the relationship. The program should include at a minimum the following:

  • A Risk Assessment;
  • Due Diligence in Selecting a Third Party;
  • Contract Structuring and Review; and
  • Oversight.

[1] See Vendor Risk Management — Compliance Considerations, by Cathryn Judd, Examiner, and Mark Jennings, Former Examiner, Federal Reserve Bank of San Francisco

[2] FDIC Compliance Manual

[3] OCC BULLETIN 2013-29 Managing Third Party Relationships