Wednesday, March 6, 2019

Outsourcing and Collaboration - The Time Has Come

A Three-Part Series.  Part Three - Choose Your Partner




Many banks today rely on outsourced functions ranging from core operating systems to monthly billing programs.  The reliance on third parties to provide core functions at banks is no longer viewed as a less than desirable situation; it is normal.  However, over time the types of relationships that banks began to form with outside vendors became more complicated and in some cases exotic.  Some banks used third parties to offer loan products and services that would otherwise not be offered.  In many cases, the administration of the contractual relationship was minimal, especially when the relationship was profitable.
The level and type of risk that these agreements created came under great scrutiny during the financial crisis of 2009.  Among the relationships that are most often scrutinized for areas of risk are:  

·         Third-party product providers such as mortgage brokers, auto dealers, and credit card providers;
·         Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activities;
·         Disclosure preparers, such as disclosure preparation software and third-party documentation preparers;
·         Technology providers such as software vendors and website developers; and
·         Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities.[1]

 According to the FDIC, a third-party relationship could be considered “significant” if:

• The institution’s relationship with the third party is a new relationship or involves implementing new institution activities;
• The relationship has a material effect on the institution’s revenues or expenses;
• The third party performs critical functions;
• The third party stores, accesses, transmits, or performs transactions on sensitive customer information;
• The third-party relationship significantly increases the institution’s geographic market;
• The third party provides a product or performs a service involving lending or card payment transactions;
• The third party poses risks that could materially affect the institution’s earnings, capital, or reputation;
• The third party provides a product or performs a service that covers or could cover a large number of consumers;
• The third party provides a product or performs a service that implicates several or higher risk consumer protection regulations;
• The third party is involved in deposit taking arrangements such as affinity arrangements; or
• The third party markets products or services directly to institution customers that could pose a risk of financial loss to the individual.

The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management.  While the published guidance from each of these regulators has its own idiosyncrasies, there are clear basic themes that appear in each.
All of the guidance has similar statements that address the types of risk involved with third party relationships and all discuss steps for mitigating risks.  We will discuss the methods for reducing risk further in part two of this series. 
 Level of Due Diligence
One of the questions that we noted above was about what level of due diligence is required for a third-party contract.  The OCC guidance defines a critical activity as

Critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that
·         could cause a bank to face significant risk if the third party fails to meet expectations;
·         could have significant customer impacts;
·         require significant investment in resources to implement the third-party relationship and manage the risk;
·         could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.[1]
For those arrangements that involve critical activities, the expectation is that the bank will perform comprehensive due diligence at the start of the contracting process as well as monitoring throughout the execution of the contract.
The steps that are necessary for the proper engagement of a third party for a critical activity are discussed in each of the regulatory guidance documents that have been released.  The OCC bulletin provides the most comprehensive list that includes: 

  • Relationship Plan:  Management should develop a full plan for the type of relationship it seeks to engage.  The plan should consider the overall potential risks, the manner in which the results will be monitored and a backup plan in case the vendor fails in its duties. 
  • Due Diligence:  The bank should conduct a comprehensive search on the background of the vendor, obtain references, information on its principals, financial condition and technical capabilities.  It is during this process that a financial institution can ask a vendor for copies of the results of independent audits of the vendor.  There has recently been a great deal of attention given to the due diligence process for vendors.  Several commenters and several banks have interpreted the guidance to require that a bank research a vendor and all of its subcontractors in all cases.  We do not believe that this is the intention of the guidance.  It is not at all unusual for a third-party provider to use subcontractors.  We believe that a financial institution should get a full understanding of how the subcontracting process works and consider that as part of the due diligence; however, it is impractical to expect a bank to research the backgrounds of all potential subcontractors before engaging a provider.
  • Risk Assessment:  Management should prepare a risk assessment based upon the specific information gathered for each potential vendor.  The risk assessment should compare the characteristics of the firms in a uniform manner that allows the Board to fully understand the risk associated with each vendor. [2]
  • Contract Negotiation:  The contract should include all of the details of the work to be performed and the expectations of management.  The contract should also include a system of reports that will allow the bank to monitor performance with the specifics of the contract.   Expectations such as compliance with applicable regulations must be spelled out.   The OCC bulletin includes the following phrase:
Ensure that the contract establishes the bank’s right to audit, monitor performance, and require remediation when issues are identified. Generally, a third-party contract should include provisions for periodic independent internal or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions to monitor performance with the contract
This language has also been the subject of a great deal of media and financial institution attention.  Some have interpreted this phrase to mean that a community bank that uses one of the large core providers has the right to perform an independent audit of the provider.  We believe that this interpretation is inaccurate as it would be impractical to carry out.  We believe that the phrase means that the financial institution is entitled to a copy of the report of the independent auditor.  



  • Ongoing Monitoring:  Banks must develop a program for ongoing monitoring of the performance of the vendor.  We recommend that the monitoring program include not only information provided by the vendor, but also internal monitoring, including:

    • Customer complaints;
    • Significant changes in sources of expenses and revenues;
    • Changes in loan declines, withdrawals or approvals;
    • Changes in the nature of customer relationships (e.g. large growth in CD customers).

  • Oversight and Evaluation:  There should be a fixed period for evaluating the overall success and efficacy of the vendor relationship.  The Board should, on a regular basis, evaluate whether or not the relationship with the vendor is on balance a relationship worth keeping.

While all of the above steps represent best practices for developing relationships with vendors, it is important to remember that a balance must be maintained.  The vendor management program cannot be so time consuming or stringent that a bank is left without the ability to engage consultants.  However, there must be sufficient diligence and monitoring of vendor relationships to ensure that the bank is managing risks effectively.


James DeFrantz is the Principal of Virtual Compliance Management Services LLC.  He can be reached directly at JDeFrantz@VCM4you.com


[1] OCC BULLETIN 2013-29
[2] Ibid.

Monday, February 18, 2019


Outsourcing and Collaboration - The Time Has Come




A Three-Part Series.  Part Two - Outsourcing Requires Vigilance

In Part One of this series we talked about some of the reasons why a financial institution may want to outsource and/or collaborate.  In summary, we detailed:   
  • Leveraging the experience and resources of outside firms - this allows an institution to augment the resources that it has onsite.
  • Allowing the additional resources to be used to offer new and different products.  New products and services have a learning curve associated with them and by using outsourced resources, the learning curve can be shortened. 
  • Increasing the overall effectiveness of the BSA program.  Outsourcing helps get a different perspective to the internal operations of the Bank.  In this manner, outsourcing can make the BSA program more effective.      
While the reasons for looking to collaborate are generally positive, it is also important to remember that there are certain steps that must be taken to make collaboration successful.  




Know Your Product or Service  

Engaging an outside resource shouldn’t be done at the expense of the knowledge base of the financial institution.  While you may not have specific expertise, there should be at least a clear understanding of the basics of the product or service being offered.  Knowing the inherent risks and rewards of the product should be the basis for the decision to offer it to the public.  A general understanding of how the product works, the issues and concerns that have resulted from offering the product in the past, and the experiences of other financial institutions are all important considerations.  At the end of the day, there must be enough knowledge to understand whether or not the product or service is performing well.

Risk Assessments Are a Key

Think of the risk assessment as a matrix – not the type where you get to choose a red pill or a blue pill, just a square with several blocks.   There is a formula that you can use to complete an effective risk assessment.  The basic formula is INHERENT RISK (minus) INTERNAL CONTROLS (equals) MITIGATED RISK.  

Inherent Risk

Inherent risk is the risk associated with the products, customers and overall compliance structure at your Bank.  

An inherent risk is a risk category that really relates broadly to the activities and operations of a company without considering necessarily the company. For example, unsecured lending is inherently riskier than secured lending. If I were auditing an institution that was primarily involved in unsecured lending, then I would have a higher assessment of inherent risk in that organization than, let’s say, secured lending. And that’s a fairly simple example, but that type of a risk assessment is done for each critical business component[1].

When considering the level of inherent risk of a new product or service, consider all the worst-case scenarios lurking in the background. For example, suppose you are considering the inherent risk associated with consumer lending.  The inherent risk might look something like this:


Consumer Loans- Inherent Risk



Compliance Risk - The risk associated with the regulatory requirements for making consumer loans, e.g. disclosures, accurate calculations, etc.
Reputation Risk - The risk that the products will result in consumer complaints, UDAAP violations or potential fair lending concerns.
Transactional Risk - The risks associated with the systems in place that are being used to support offering the product.  Can your core support the loan types being offered?
Strategic Risk - Are your products really meeting the credit needs of the community you serve?

The point of this part of the exercise should be to determine the level of risks that are part of offering the products at all.  This level of risk doesn’t take any part of your compliance program into account.

Internal Controls
Once you have identified the risks inherent in the products you offer, the customers you serve and the overall current compliance program, the next step is to review the steps your institution has taken to address them.  This is where your policies, procedures, training and independent audits come in.  There is really an opportunity to self-reflect and simultaneously project your aspirations during this part of the risk assessment.   It is one thing to note you have policies and procedures in place.  It is a far different consideration to determine how effective they are.  Are the policies and procedures written and updated on an annual basis?  How much of the policies and procedures are internally developed and how much have been “borrowed” from other institutions?  (Note:  This is not to imply that borrowing is a bad thing, if the information truly reflects the situation at your institution).   The risk assessment should contain an analysis of the current state of the internal controls.    What would excellent controls look like and what would it take for the compliance department to get there?  These considerations should be included.  

Mitigated Risk
Your overall assessment of how well the internal controls at your institution address the possibility of problems is the mitigated risk.  For the risk assessment to be a most effective tool, it is necessary for this process to truly consider potential problems with internal controls.  Written policies and procedures, for example, can be comprehensive and up to the minute accurate, but totally ineffective if staff don’t use them.   Training is an area often taken for granted.  The online training that most institutions offer is a great start for training.  However, for a full in-depth understanding, additional training that includes case-studies is a best practice.  
A word about Strategic Risk

For the banking industry in general, regulators have put strategic risk at the forefront.  For example, in its semiannual risk perspective for spring 2016, the OCC noted that strategic risk is a concern:

“Banks are several years into the risk accumulation phase of the economic cycle. The banking environment continues to evolve, with growing competition among banks, nonbanks, and financial technology firms. Banks are increasingly offering innovative products and services, enabling them to better meet the needs of their customers. While doing so may heighten strategic risk if banks do not use sound risk management practices that align with their overall business strategies, failure to innovate to meet evolving needs or financial services may place a bank at a competitive disadvantage.”[2]

As part of the risk process it is important to consider whether your institution is keeping up with trends in technology and innovation.  The financial industry is being disrupted in a way that will significantly impact the relationship between customers and institutions. Without the right technology and business plan, it will be easy to be left behind.   


In Part Three we will discuss the process for picking outsourcing partners.












[1] William Lewis, Price Waterhouse Coopers, Comptroller of Currency Administrator of National Banks Audit Roundtable, Part 1: Risk Assessment and Internal Controls.
[2] OCC Semiannual Risk Perspective from the National Risk Committee, Spring 2016

Sunday, February 3, 2019


Collaboration and Outsourcing – The Time Has Come


A Three-Part Series.  Part One - Why Outsource?
For many financial institutions, resources are the main limitation for the offering of products and services.  While traditional products such as business loans, commercial real estate, mortgages and consumer loans remain the mainstay of the offerings by financial institutions, the competition for customers in these areas remains fierce.  According to the FDIC, community banks and smaller institutions have found that the traditional model for income has experienced some positive growth in the past two years, but this growth continues to be strained by the number of fintech companies that have begun to “disrupt” the financial services industry.  Fintech, regtech and other software companies continue to make inroads in the traditional community bank and credit union customer base.
“Researchers have projected that fintech could be responsible for a reduction of between 10% and 40% of bank revenue by 2025. It’s estimated that between 15% and 25% percent of U.S. banks could be gone by 2020 as a result of consolidation brought about largely by the rise of fintech and increased regulations on banks.”[1]
Opportunities Abound in Other Areas
As competition for customers in the traditional banking products continues to increase, the need for innovation that will increase overall non-interest income becomes more important.  While there are other opportunities available, financial institutions often find themselves unable to attempt new things because of limited resources such as training, software and experience.  Despite the fact that there may be some difficulties, the returns on the investment in these products are worth the effort.  For example,
“McKinsey, a consultancy, analyzed the impact of fintech on retail banks from an opportunity standpoint. It determined that progressive banks can increase revenues from innovative new offers and business models by 5%; increase revenues from new products and distinctive digital sales by 10%; and lower operational costs through automation, digitization and transaction migration by 30%. This would result in a total potential net profit opportunity of +45 percent.”[2]
In addition to the innovations in fintech and in software’s overall effectiveness in general, often overlooked markets such as the remittance market remain a strong source of potential income.
o   Global remittances have grown to a record level of $613-billion in 2017, a 7% increase from $573-billion in 2016, according to the World Bank.
o   Payments to low- and middle-income countries rose at a high percentage: up 8.5% to $466-billion last year, from $429-billion the year before, according to the World Bank’s Migration and Development Brief.[3]
“Operation Chokepoint”, the rather infamous program that brought heavy scrutiny on money services businesses in general and remittances specifically, has now ended.  However, the fear of regulatory concerns still remains with many financial institutions.  As a result, this huge market with its potential for large amounts of noninterest income fees remains largely untapped.
Outsourcing   
With a proper understanding of how a money remitter (“MSB”) works, combined with outsourced resources to properly monitor transactions, MSBs present an outstanding opportunity for noninterest income.
There are ways for institutions to address this concern, and that is what the interagency guidance on third party resources is intended to address.  According to the recent guidance published by the FFIEC:
Collaborative arrangements involve two or more banks with the objective of participating in a common activity or pooling resources to achieve a common goal. Banks use collaborative arrangements to pool human, technology, or other resources to reduce costs, increase operational efficiencies and leverage specialized experience [4]
This is not to say that you should offer products that you don’t understand.  On the other hand, under the right circumstances, financial institutions can offer a full range of products using the services of a third party.
By collaborating not only with other financial institutions, but also with fintech firms, regulatory tech firms and specialized consulting firms, the possibilities for growth and additional products increase dramatically.
In Part Two we will discuss the risk assessment process.


[1] How the Rise of Fintech Could Affect Your Bank, Josh Beard, The Whitlock Company
[2] Ibid.
[3] Global Remittances Reach $613 Billion Says World Bank, Toby Shapshak, Forbes Magazine, May 2018
[4] Interagency Statement on Sharing Bank Secrecy Act Resources, October 3, 2018