July 26, 2021
Regulatory requirements of banks and credit unions with respect to their vendors vary based on the entities’ regulator—for example, the FDIC, OCC, Federal Reserve, FFIEC, NCUA, or CFPB—and other applicable federal and state laws.
Generally, regulators expect that financial institutions will ensure that each vendor does not present a risk to the entity or its consumers and that it complies with all applicable laws when acting on behalf of the entity. Outsourcing to third parties enables institutions to expand services and products, but it is inherently risk-based, and regulators require financial institutions to take appropriate steps in managing these risks.
Although managing and monitoring risk has always been an important business practice, the need has amplified as financial institutions increasingly rely on outsourcing to third parties to meet strategic objectives and enhance customer service. Financial institutions of all sizes can have up to hundreds of third-party relationships, all of which have complexities that must be evaluated and managed. And, in turn, this has led to an even more complex regulatory environment concerning third-party vendor relationships.
Overview of Regulatory Requirements
The Board of Directors and management are responsible for providing, and should have the required knowledge and expertise to provide, adequate oversight during the risk management process. Financial institutions are responsible for safeguarding customer assets and ensuring sound operations, whether or not a third party is involved. Therefore, it is important that outsourced relationships are subject to the same risk management, security, privacy, and other policies that are expected when conducting the services or activities in-house.
The required degree of oversight and review of the third-party vendor may depend on the complexity and criticality of the service or activity to the entity’s operation. Accordingly, regulators require the implementation of robust third-party risk management programs to ensure consistency in the identification, assessment, control, and monitoring of the roughly twenty different categories of third-party risk. While specific regulations may vary slightly by type of financial institution, regulators agree that financial institutions should utilize risk management steps to assess, monitor, and control vendor risks.
Generally, effective risk management includes four main steps:
- Risk Assessment;
- Due Diligence;
- Contract Structuring and Review; and
- Oversight and Contingency Plan.
But there is NO one-size-fits-all solution; appropriate risk management must be tailored to the individual institution, the third-party vendor, and the service or activity provided.
Regulators have broadly defined what third party means. For example, the FDIC includes within the definition of “third-party”: “All entities that have entered into a business relationship with the financial institution, whether the third party is a bank or nonbank, affiliated or not affiliated, regulated or non-regulated, or domestic or foreign.” And third-party risk is considered to arise whenever a financial institution relies on an outside party to perform services or activities on its behalf. Under these definitions, the potential for risk is large, including nearly any third-party business relationship, as are the corresponding regulators’ expectations for assessing and monitoring these risks.
Some potential risk categories may include:
- strategic risks;
- reputation risks;
- compliance and legal risks;
- interest rate, liquidity, and market risks; and
- country risks.
Strategic risk arises from adverse business decisions, such as the failure to implement appropriate business decisions consistent with the institution’s strategic goals or those that do not provide an adequate return; this often results from inadequate management experience and expertise.
Reputation risk arises when the actions or poor performance of a vendor cause the public to form a negative opinion about a financial institution.
Compliance and legal risk arise if the outsourced activities fail to comply with applicable U.S. legal and/or regulatory requirements, thereby subjecting the financial institution to sanctions, legal expenses, and possible lawsuits. For example, inaccurate or untimely compliance disclosures or unauthorized disclosure of confidential customer information could expose the institution to civil fines or litigation.
Interest rate, liquidity, and market risk arise when processing errors related to investment income assumptions leave institutions vulnerable to unwise investments or liquidity decisions, thereby increasing market (or price) risks.
Country risk may arise when a financial institution engages a foreign-based service provider, thereby exposing the institution to possible economic, social, and political conditions of the country in which the service provider is located.
During the risk assessment phase, financial institutions are expected to conduct a cost and benefit analysis to ensure the proposed third-party business relationship is consistent with the entity’s overall business strategy and estimate its long-term financial effect. This entails conducting a risk analysis of all the categories listed above and any additional items relevant to the specific product or service involved. Consideration should also be given to the availability of qualified and experienced service providers to perform the service and the financial institution’s ability to provide oversight and management on an ongoing basis.
During the due diligence phase, financial institutions should conduct a thorough evaluation of the proposed third-party service and vendor. The scope and depth of due diligence may vary in relation to the complexity of the service and its criticality to the entity’s functions.
At a minimum, a financial institution should review and inspect the vendor’s:
- business background, reputation, and strategy,
- financial condition and performance, and
- general operations and internal controls.
CFPB guidance has asserted this requires, at least, requesting and reviewing policies, procedures, internal controls, and training materials to ensure appropriate training and oversight of the third-party employees, and verifying the third-party vendor understands and is capable of complying with applicable financial laws and regulations.
Contract Structuring and Review
It is critical for financial institutions to understand the service contract and legal issues associated with a proposed third-party service. The third-party relationship must be fully defined in a written contract and thoroughly reviewed and approved by the Board. The contract should set clear expectations about compliance and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair or deceptive acts and practices. And, as a standard, any material or significant contract with a third party should prohibit assignment, transfer, or subcontracting of its obligations to another entity unless the financial institution determines that such action would be consistent with the due diligence standards for selection of third parties.
Examples of key contract provisions include:
- scope of rights and responsibilities;
- contract timeframes;
- cost and compensation;
- right to audit;
- performance standards, monitoring, and reports;
- confidentiality and security of information (such as adhering to FFIEC guidance and Gramm-Leach-Bliley Act financial regulations);
- ownership and license rights;
- default and termination;
- dispute resolution;
- limits on liability;
- customer complaints;
- business resumption and contingency plan;
- choice of law and jurisdiction; and
- subcontracting rights.
The level of detail in the contract and contract provisions may vary with the scope and risks associated with the third-party relationship and regulatory body. Regulatory bodies have highlighted the importance of exercising the right to negotiate a mutually beneficial contract and to “ensure that any contract terms agreed to would not adversely affect the credit union’s safety and soundness, regardless of contract performance.” Finally, regulators stress the prudence of ensuring all contracted third-party services require the third party to comply with all applicable laws, as the financial institution would have to if it performed the service itself.
Oversight and Contingency Plan
Finally, regulators require financial institutions to establish oversight and management processes for third-party vendors. These internal controls should define acceptable performance metrics and provide for ongoing monitoring to ensure compliance with contractual obligations and all applicable state and federal laws. And it is essential that all personnel responsible for the oversight and management of vendors possess an appropriate level of expertise.
This oversight process should be risk-focused, specific to each vendor and the criticality of the service to the institution. Financial institutions should tailor risk mitigation plans to the risk presented—for example, higher-risk service providers may require more rigorous monitoring, assessments, and reporting. Further, to fully address any problems identified through this monitoring process, financial institutions should take prompt actions, including, where necessary, updating risk management programs or terminating the third-party relationship.
The last critical component of oversight and management is contingency and continuity planning. Various events could arise that will affect a third-party service provider’s ability to provide the contracted services or activities; therefore, financial institutions should develop and implement contingency plans for alternative arrangements in the event a vendor fails to perform; vendors are also required to maintain an independent contingency plan. These contingency plans should be documented and tested periodically, and the financial institution should always maintain an exit strategy in the event of vendor performance failure.
Depending on the financial institution’s specific regulator(s), there may also be additional requirements. As an example, the CFPB requires the Board to approve and review significant third-party arrangements and oversight processes at least annually. The Board must also keep an updated list of all third-party vendors and review all relationships periodically, be directly involved in any significant or complex third-party relations, and take appropriate actions with any relationship that may present an elevated risk.
As the financial environment continues to transform in the digital age, regulatory demands and the legal landscape are growing more complex.
Regulators expect that financial institutions will ensure that each vendor does not present a risk to the entity or its consumers and complies with all applicable laws and regulations. These regulations vary based on the jurisdiction and regulator of the financial institution, and the risk presented by the specific third-party vendor.
In consequence of the financial sector’s growing reliance on third-party vendors, it is more critical than ever to ensure your financial institution implements adequate risk management processes, including but not limited to: risk assessment programs; due diligence programs and policies; adequate contract structuring, review, and negotiation; compliance oversight programs; and policies and contingency plans.
Contact us for more information.
Baldini Lang LLC has extensive experience drafting and negotiating vendor contracts for financial institutions and assisting clients to build risk assessment programs and policies to comply with their legal requirements and establish best practice standards.
© 2022 Baldini Lang LLC. This material is a general update from Baldini Lang LLC and is not intended as, nor should be considered, legal advice. To obtain legal advice from Baldini Lang LLC, you must first establish an attorney-client relationship with the firm in writing. This material may not be used by any party in any manner without the express written permission of Baldini Lang LLC, PO Box 270746, West Hartford, Connecticut 06127.