Vendor Management-
The Next Compliance Frontier
A two Part series-
Part One Forming a Relationship
Technology and innovation have always been the hallmarks of
the US economy. Technological innovations have dramatically changed the lives
of people around the world. The
development of the internet begat devices for accessing the internet and soon a
technological boon unlike anything the world has seen began. Innovations in technology continue to impact
our lives. Today social media has
impacted presidential elections and has even been instrumental in the overthrow
of governments.
The banking industry has not been left out of the
technological revolution. Today the
products and services that banks offer are directly impacted by the software
and operating systems being employed.
Moreover, the development of technology has increased overall efficiency
and has helped to developed economies of scale in various areas. As technology has advanced at software
companies, financial institutions have found that outsourcing various tasks has
had the positive effects of lowering costs while leveraging technology and
resources.
Many banks today rely on outsourced functions ranging from
core operating systems to monthly billing programs. The reliance on third parties to provide core
functions at banks is no longer viewed as a less than desirable situation, it is normal. However, over time the types of relationships
that banks began to form with outside vendors became more complicated and in
some cases exotic. Some banks used third
parties to offer loan products and services that would otherwise not be
offered. In many cases, the administration
of the contractual relationship was minimal; especially when the relationship
was profitable.
The level and type of risk that these agreements created came
under great scrutiny during the financial crisis of 2009. Among the relationships that are most often
scrutinized for areas of risk are:
- Third-party product
providers such as mortgage brokers, auto dealers, and credit card
providers;
- Loan servicing providers
such as providers of flood insurance monitoring, debt collection, and loss
mitigation/foreclosure activities;
- Disclosure preparers,
such as disclosure preparation software and third-party documentation
preparers;
- Technology providers
such as software vendors and website developers; and
- Providers of outsourced bank compliance
functions such as companies that provide compliance audits, fair lending
reviews, and compliance monitoring activities.[1]
• The institution’s
relationship with the third party is a new relationship or involves
implementing new institution activities;
• The relationship has
a material effect on the institution’s revenues or expenses;
• The third party
performs critical functions;
• The third party
stores, accesses, transmits, or performs transactions on sensitive customer
information;
• The third-party
relationship significantly increases the institution’s geographic market;
• The third party
provides a product or performs a service involving lending or card payment
transactions
the third party poses risks that could
materially affect the institution’s earnings, capital, or reputation;
• The third party
provides a product or performs a service that covers or could cover a large
number of consumers;
• The third party
provides a product or performs a service that implicates several or higher risk
consumer protection regulations;
• The third party is
involved in deposit taking arrangements such as affinity arrangements; or
• The third party
markets products or services directly to institution customers that could pose
a risk of financial loss to the individual[2]
The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer
vendor management. While the published guidance from each of
these regulators its own idiosyncrasies, there are clear basic themes that
appear in each.
All of the guidance has similar statements that address the
types of risk involved with third party relationships and all discuss steps for
mitigating risks. We will discuss the
methods for reducing risk further in part two of this series.
Types of Risk
Associated with Third Party Relationships.
Regardless of the size of your bank, or the overall
complexity of the operation, the risks
that follow will exists at some level with any third party relationship.
Operational Risk
Operational risk is present in all products, services,
functions, delivery channels, and processes. Third-party relationships may increase a
bank’s exposure to operational risk because the bank may not have direct
control of the activity performed by the third party.
Operational risk can increase significantly when third-party
relationships result in concentrations. Concentrations may arise when a bank
relies on a single third party for multiple activities, particularly when
several of the activities are critical to bank operations. Additionally,
geographic concentrations can arise when a bank’s own operations and that of
its third parties and subcontractors are located in the same region or are
dependent on the same critical power and telecommunications infrastructures.
Compliance Risk
Compliance risk exists when products, services, or systems
associated with third-party relationships are not properly reviewed for
compliance or when the third party’s operations are not consistent with laws,
regulations, ethical standards, or the bank’s policies and procedures. Such
risks also arise when a third party implements or manages a product or service
in a manner that is unfair, deceptive, or abusive to the recipient of the
product or service. Compliance risk may arise when a bank licenses or uses
technology from a third party that violates a third party’s intellectual
property rights. Compliance risk may also arise when the third party does not
adequately monitor and report transactions for suspicious activities to the
bank under the BSA or OFAC. The potential for serious or frequent violations or
noncompliance exists when a bank’s oversight program does not include
appropriate audit and control features, particularly when the third party is
implementing new bank activities or expanding existing ones, when activities
are further subcontracted, when activities are conducted in foreign countries,
or when customer and employee data is transmitted to foreign countries.
Compliance risk increases when conflicts of interest between
a bank and a third party are not appropriately managed, when transactions are
not adequately monitored for compliance with all necessary laws and
regulations, and when a bank or its third parties have not implemented
appropriate controls to protect consumer privacy and customer and bank records.
Compliance failures by the third party could result in litigation or loss of
business to the bank and damage to the bank’s reputation.
Reputation Risk
Third-party relationships that do not meet the expectations
of the bank’s customers expose the bank to reputation risk. Poor service,
frequent or prolonged service disruptions, significant or repetitive security
lapses, inappropriate sales recommendations, and violations of consumer law and
other law can result in litigation, loss of business to the bank, or negative
perceptions in the marketplace. Publicity about adverse events surrounding the third
parties also may increase the bank’s reputation risk. In addition, many of the
products and services involved in franchising arrangements expose banks to
higher reputation risks. Franchising the bank’s attributes often includes
direct or subtle reference to the bank’s name. Thus, the bank is permitting its attributes to
be used in connection with the products and services of a third party. In some cases, however, it is not until
something goes wrong with the third party’s products, services, or client
relationships, that it becomes apparent to the third party’s clients that the
bank is involved or plays a role in the transactions. When a bank is offering
products and services actually originated by third parties as its own, the bank
can be exposed to substantial financial loss and damage to its reputation if it
fails to maintain adequate quality control over those products, services, and
adequate oversight over the third party’s activities.
Strategic Risk
A bank is exposed to strategic risk if it uses third parties
to conduct banking functions or offer products and services that are not
compatible with the bank’s strategic goals, cannot be effectively monitored and
managed by the bank, or do not provide an adequate return on investment.
Strategic risk exists in a bank that uses third parties in an effort to remain
competitive, increase earnings, or control expense without fully performing due
diligence reviews or implementing the appropriate risk management
infrastructure to oversee the activity. Strategic risk also arises if
management does not possess adequate expertise and experience to oversee
properly the third-party relationship.
Conversely, strategic risk can arise if a bank does not use
third parties when it is prudent to do so. For example, a bank may introduce
strategic risk when it does not leverage third parties that possess greater
expertise than the bank does internally, when the third party can more cost
effectively supplement internal expertise, or when the third party is more
efficient at providing a service with better risk management than the bank can
provide internally.
Credit Risk
Credit risk may arise when management has exercised
ineffective due diligence and oversight of third parties that market or
originate certain types of loans on the bank’s behalf, resulting in low-quality
receivables and loans. Ineffective oversight of third parties can also result
in poor account management, customer service, or collection activities.
Likewise, where third parties solicit and refer customers, conduct underwriting
analysis, or set up product programs on behalf of the bank, substantial credit
risk may be transferred to the bank if the third party is unwilling or unable
to fulfill its obligations
Managing Risk
One of the most important points that all of the regulators
are driving home is that they intend to hold financial institutions responsible
for the action for the third party service providers. For example, if an automobile dealer with
whom a bank has a relationship engages in lending activities that have fair
lending concerns, the bank under whose name they are providing the service will
also be found to have fair lending concerns.
This is not to say that there is a general distaste for
outsourcing of third party arrangements.
It is to say that when the arrangement is made, there should be a risk
management system in place ahead of the formation of the relationship. The program should include at a minimum the
following:
·
A Risk
Assessment;
·
Due Diligence in Selecting a Third Party;
·
Contract Structuring and Review;
·
Oversight;
We will discuss the proper risk management system for your
third party vendors in part two of this blog. For now, remember that the
standard for development of a risk management program is “A bank should adopt
risk management processes commensurate with the level of risk and complexity of
its third-party relationships” [3]
No comments:
Post a Comment