Third-party risk management continues to receive a heightened degree of attention from the regulatory community, especially the enforcement apparatus. It seems that almost every third-party relationship is subject to increased examiner scrutiny and liability concerns, which is unlikely to abate in 2017. Because financial institutions will continue to be liable for the actions of their vendors, they cannot risk a bare-bones third-party risk management program.
That said, a financial institution can reap clear benefits from outsourcing certain functions and engaging with third-party service providers, including FinTech companies. Third-party arrangements can help management achieve its strategic objectives (and in some instances are necessary to do so), including lower costs, increased revenues, and expansion of a customer base or product capabilities. It is critical for financial institutions to use third-party service providers in a number of areas, including information technology, where the benefits outweigh the costs. But, as the FDIC is quick to point out, “you can outsource a task, but you cannot outsource the responsibility.”
Since the 2008 financial crisis, banking regulators and the Consumer Financial Protection Bureau have issued new or updated guidance with respect to third-party risk management. For example, the Federal Reserve released SR 13-19, Guidance on Managing Outsourcing Risk; the Office of the Comptroller of the Currency released Bulletin 2013-29, Risk Management Guidance on Third-Party Relationships; the Consumer Financial Protection Bureau issued Bulletin 2012-03, Service Providers; and the Federal Deposit Insurance Corporation issued Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk.
The guidance from these agencies contains similar themes. The most significant theme is straightforward: the board of directors and senior management are ultimately responsible for managing the activities conducted through third-party relationships as if the activity were handled directly by the financial institution. Agency guidance also outlines expectations for robust risk management processes, due diligence for onboarding vendors, specific contract considerations, internal controls, and prompt action (including ending a relationship) when institutions identify compliance deficiencies or other problems.
For example, the OCC’s robust guidance walks through institutions’ expected risk management process in helpful detail. While the process should be commensurate with the financial institution’s complexity, the OCC indicates that “[a]n effective third-party risk management process follows a continuous life cycle for all relationships and incorporates” the following:
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
Additionally, the OCC expects that the banks it regulates will oversee, document, report on, and perform independent reviews of the third-party relationship throughout the life cycle of the relationship.
The CFPB expects the bank and non-bank financial institutions it supervises to take certain steps to ensure that third-party relationships “do not present unwarranted risks to consumers.” Like the prudential regulators, the CFPB suggests institutions minimize risk through the following:
- Internal controls
- Comprehensive due diligence on service providers
- Specific contract terms that set clear expectations and consequences of noncompliance for the relationship
- Ongoing monitoring throughout the relationship
- Termination of the relationship, where necessary
So what are the key takeaways here? Strategy and accountability. Financial institutions of all shapes and sizes use third-party service providers. Financial institution leaders should craft a strategy for engaging in these relationships, including due diligence, contract drafting and negotiation, and ongoing monitoring. This strategy is also extremely helpful for financial institution leaders facing numerous other issues. Moreover, regulators expect that their regulated institutions will maintain constant oversight of their service providers’ activities conducted on the institution’s behalf, and will hold the financial institution accountable for compliance deficiencies of its third-party service providers.
Financial institutions must develop a process and strategy that includes the expectations set out in their contractual arrangements. Engaging with third parties can reduce costs and generate revenue, but a financial institution should view these relationships as if it were providing the services itself.
About Schiff Hardin’s Financial Institutions Team
Schiff Hardin has a dedicated team of financial institution transactional, regulatory, and litigation attorneys with significant experience handling various aspects of bank and non-bank financial institution matters. Our attorneys regularly advise financial institutions on corporate matters, mergers and acquisitions, regulatory compliance, enforcement matters, and litigation throughout the U.S.
For more information, contact the authors or visit Schiff Hardin’s Financial Institutions practice page.