Outsourcing and Collaboration - The Time Has Come
A Three-Part Series. Part Three - Choose Your Partner
Many banks today rely on outsourced functions ranging from core
operating systems to monthly billing programs. The reliance on third
parties to provide core functions at banks is no longer viewed as a less than
desirable situation; it is normal. However, over time the types of
relationships that banks began to form with outside vendors became more
complicated and in some cases exotic. Some banks used third parties
to offer loan products and services that would otherwise not be
offered. In many cases, the administration of the contractual relationship
was minimal, especially when the relationship was profitable.
The level and type of risk that these agreements created
came under great scrutiny during the financial crisis of 2009. Among
the relationships that are most often scrutinized for areas of risk
are:
· Third-party product providers such as mortgage
brokers, auto dealers, and credit card providers;
· Loan servicing providers such as providers of
flood insurance monitoring, debt collection, and loss mitigation/foreclosure
activities;
· Disclosure preparers, such as disclosure
preparation software and third-party documentation preparers;
· Technology providers such as software vendors
and website developers; and
· Providers of outsourced bank compliance
functions such as companies that provide compliance audits, fair lending
reviews, and compliance monitoring activities.[1]
According to the FDIC, a third-party relationship
could be considered “significant” if:
• The institution’s relationship with the third party is a
new relationship or involves implementing new institution activities;
• The relationship has a material effect on the
institution’s revenues or expenses;
• The third party performs critical functions;
• The third party stores, accesses, transmits, or performs
transactions on sensitive customer information;
• The third-party relationship significantly increases the
institution’s geographic market;
• The third party provides a product or performs a service
involving lending or card payment transactions;
• The third party
poses risks that could materially affect the institution’s earnings, capital,
or reputation;
• The third party provides a product or performs a service
that covers or could cover a large number of consumers;
• The third party provides a product or performs a service
that implicates several or higher risk consumer protection regulations;
• The third party is involved in deposit taking arrangements
such as affinity arrangements; or
• The third party markets products or services directly to
institution customers that could pose a risk of financial loss to the individual.
The FDIC, the OCC and the FRB have all issued guidance
on the proper way to administer vendor management. While the
published guidance from each of these regulators has its own idiosyncrasies, there
are clear basic themes that appear in each.
All of the guidance has similar statements that address the
types of risk involved with third-party relationships, and all discuss steps for
mitigating those risks. We will discuss the methods for reducing risk further
in part two of this series.
Level of Due Diligence
One of the questions that we noted above was about what
level of due diligence is required for a third-party contract. The
OCC guidance defines a critical activity as:
Critical activities—significant
bank functions (e.g., payments, clearing, settlements, custody) or significant
shared services (e.g., information technology), or other activities that
· could cause a bank to face significant
risk if the third party fails to meet expectations;
· could have significant customer impacts; require
significant investment in resources to implement the third-party relationship
and manage the risk;
· could have a major impact on bank operations if
the bank has to find an alternate third party or if the outsourced activity has
to be brought in-house.[1]
For those arrangements that involve critical
activities, the expectation is that the bank will perform comprehensive
due diligence at the start of the contracting process as well as monitoring
throughout the execution of the contract.
The steps that are necessary for the proper engagement of a
third party for a critical activity are discussed in each of the regulatory
guidance documents that have been released. The OCC bulletin
provides the most comprehensive list that includes:
- Relationship Plan: Management
should develop a full plan for the type of relationship it seeks to
engage in. The plan should consider the overall potential risks,
the manner in which the results will be monitored, and a backup plan in
case the vendor fails in its duties.
- Due Diligence: The
bank should conduct a comprehensive search on the background of
the vendor and obtain references, information on its principals, its financial
condition, and its technical capabilities. It is during this
process that a financial institution can ask a vendor for copies of the
results of independent audits of the vendor. There
has recently been a great deal of attention given to the due diligence
process for vendors. Several commenters and several banks have
interpreted the guidance to require that a bank research a vendor and all
of its subcontractors in all cases. We do not believe that this
is the intention of the guidance. It is not at all unusual for
a third-party provider to use subcontractors. We believe
that a financial institution should get a full understanding of how the
subcontracting process works and consider that as part of the due diligence; however,
it is impractical to expect a bank to research the backgrounds of all
potential subcontractors before engaging a provider.
- Risk Assessment: Management
should prepare a risk assessment based upon the specific information
gathered for each potential vendor. The risk assessment should
compare the characteristics of the firms in a uniform manner that allows
the Board to fully understand the risk associated with each vendor. [2]
- Contract Negotiation: The
contract should include all of the details of the work to be performed and
the expectations of management. The contract should also
include a system of reports that will allow the bank to monitor
performance against the specifics of the
contract. Expectations such as compliance with applicable
regulations must be spelled out. The OCC bulletin
includes the following phrase:
Ensure that the contract establishes the bank’s right to
audit, monitor performance, and require remediation when issues are identified.
Generally, a third-party contract should include provisions for periodic independent
internal or external audits of the third party, and relevant
subcontractors, at intervals and scopes consistent with the bank’s
in-house functions to monitor performance with the contract.
This language has also been the subject of a great deal of
media and financial institution attention. Some have interpreted
this phrase to mean that a community bank that uses one of the large core
providers has the right to perform an independent audit of the
provider. We believe that this interpretation is inaccurate as it
would be impractical to carry out. We believe that the phrase means
that the financial institution is entitled to a copy of the report of the
independent auditor.
- Ongoing Monitoring: Banks
must develop a program for ongoing monitoring of the performance of the
vendor. We recommend that the monitoring program
include not only information provided by the vendor, but also internal
monitoring, including:
o Customer complaints;
o Significant
changes in sources of expenses and revenues;
o Changes
in loan declines, withdrawals or approvals;
o Changes
in the nature of customer relationships (e.g. large growth in CD
customers).
- Oversight and
Evaluation: There should be a fixed period for
evaluating the overall success and efficacy of the vendor
relationship. The Board should, on a regular basis, evaluate
whether or not the relationship with the vendor is, on balance, a
relationship worth keeping.
While all of the above steps represent best practices
for developing relationships with vendors, it is important to remember that a
balance must be maintained. The vendor management program cannot be
so time consuming or stringent that a bank is left without the ability to
engage consultants. However, there must be sufficient diligence and
monitoring of vendor relationships to ensure that the bank is managing risks
effectively.
James DeFrantz is the
Principal of Virtual Compliance Management Services LLC. He can be
reached directly at JDeFrantz@VCM4you.com