On October 30, 2013, the Office of the Comptroller of the Currency issued a bulletin titled “Third-Party Relationships: Risk Management Guidance.” This bulletin rescinded OCC Bulletin 2001-47 and largely tracked December 2012 FDIC guidance on this issue (211 BBD, 10/31/13). Even before that, in April 2012, the Consumer Financial Protection Bureau had weighed in on this issue.
Recognizing that such guidance has a direct effect not only on banks, but also on their vendors, a recent American Banker article, “Tighter Focus on Contracts Could Kill Some Vendor Relationships” (http://www.americanbanker.com/issues/179_93/tighter-focus-on-contracts-could-kill-some-vendor-relationships-1067498-1.html), examined how this recent regulatory guidance spreads the pain from banks to their vendors, opining that such rules could shrink the pool of qualified service providers, dampen innovation and drive up costs.
That assessment may actually “undersell” the effect this guidance will have on bank vendors. Because of the stringent expectations that regulators have for banks and their third-party risk management programs, banks are required to examine, supervise, and – if necessary – punish their vendors. To stay viable within the industry, bank vendors must analyze the guidance provided to banks and proactively anticipate, identify and address their bank clients’ needs – especially when crafting proposed service agreements – to ensure that the bank and vendor have clear expectations with respect to managing operational, regulatory, and reputational risk. In this new world, everyone needs to be a risk manager.
This article outlines key aspects of the third-party risk management edicts to banks and offers strategies that vendors should consider so they can properly protect their interests while still accommodating the heightened expectations imposed upon their clients. As a preliminary matter, regulators have directed financial institutions selecting third-party vendors to include the following components in their vendor risk management plans:
- Pre-outsourcing planning
- Due diligence
- Contract negotiation
- Board and director oversight and accountability
- Ongoing Monitoring
- Potential Termination of Vendors
- Documentation and Reporting
- Independent Reviews
Knowing that banks are focusing on these areas, their vendors should consider how such focus will affect their client relationships. To take each in turn:
Pre-outsourcing Planning
Before entering into vendor relationships, senior management should assess the following factors with respect to categories of outsourced services and potential vendors:
- The strategic purposes, legal and compliance aspects, and inherent risks associated with using third parties, and how the arrangement aligns with the bank’s overall strategic goals, objectives, and risk appetite.
- The complexity of the arrangement, such as the volume of activity, potential for subcontractors, the technology needed, and the likely degree of foreign-based third-party support.
- The nature of customer interaction with the third party and potential impact the relationship will have on the bank’s customers—including access to or use of those customers’ confidential information, joint marketing or franchising arrangements, and handling of customer complaints.
- Potential information security implications including access to the bank’s systems and to its confidential information.
- The extent to which the activities are subject to specific laws and regulations (e.g., privacy, information security, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), fiduciary requirements).
Accordingly, to anticipate and identify potential issues in potential service agreement negotiations, bank vendors should:
- Understand how their services fit into a bank’s overall strategy and operations
- Assess their own operations and understand how their work may affect the bank’s risk profile through the use of subcontractors, outsourcing, etc.
- Determine how much direct consumer contact they will have and set up protocols and quality assessment procedures – including systematic reporting – with respect to handling customer information and addressing customer complaints. In this area, vendors must understand that such reports will be reviewed regularly by their client and – in many cases – by their client’s regulator.
- Have established data security and data privacy procedures – including strategic plans to address data breaches.
- Understand the overall legal landscape that affects not only their work, but the work of their bank client.
- Determine whether it would be wise to “invest” in independent service control reports (SSAE 16, SOC 2 or their equivalents) to provide institutions a third-party assessment of the risks associated with their outsourced services and the steps that the vendor has taken to address the same. Such third-party validation can be an invaluable tool to demonstrate a vendor’s qualifications and quell any risk concerns.
Due Diligence
After banks have done a vendor risk assessment and have determined whether any outsourcing program and/or potential vendor will adversely impact their risk profile, per the most recent regulatory guidelines, banks should proceed to due diligence. Vendors should understand that bank management is trying to determine whether a vendor relationship will further the financial institution’s strategic and financial goals and mitigate identified risks.
The scope and depth of due diligence is directly related to the importance and magnitude of the institution’s relationship with the third party. For example, large-scale, highly visible programs – especially those that deal directly with consumers — or programs dealing with sensitive data integral to the institution’s success, warrant an in-depth due diligence of the potential third party, while the due diligence process for isolated low-risk third-party activities would be much less comprehensive. At a minimum, banks will want to investigate and evaluate potential vendors to ensure they can adequately provide contracted services, have appropriate policies, controls, and training materials, and will not increase an institution’s risk profile.
Vendors should also understand that due diligence is a process, not an event. Due diligence assessments will not only be done prior to selection, but they will also be performed continuously during the course of the relationship, particularly when considering a renewal of a contract.
Contract Negotiation
After a bank selects a vendor, the real work begins: formally, and meticulously, setting forth the expectations and duties of both sides in a contract. Regulators have provided very specific guidance with respect to their expectations of what should be in a vendor contract. Again, the level of detail in contract provisions will vary within the scope and risks associated with the third-party relationship. “Critical activities” often include:
- Significant bank functions (e.g., payments, clearing, settlements, custody)
- Important shared services (e.g., information technology)
- Activities that could cause a bank to face significant risk if the third party fails to meet expectations (i.e., outsourced transaction monitoring and enhanced due diligence review)
- Services involving direct consumer contact and interaction
- Programs that will require significant investment of resources to implement the third-party relationship and manage the risk
- Relationships that will have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house
In most cases, especially for “critical” services, vendors should expect that the following topics will be thoroughly negotiated, with specific benchmarks and performance criteria established:
- Scope
- Cost/compensation
- Performance standards
- Progress Reporting (performance, financial, security, business resumption testing)
- Audits (including requirements to obtain and provide SSAE 16, SOC 2 or equivalent reports)
- Assignment/transfer/subcontracting rights
- Confidentiality and security
- Customer complaints
- Business resumption and contingency plans
- Default and termination
- Dispute resolution
- IP ownership and license
- Indemnification
- Limits on liability
Proactively considering and developing strategies to address these topics will not only protect the vendor’s business interests, but will certainly demonstrate a clear understanding of the regulatory environment that their bank clients must now operate within. And it is axiomatic that vendors who are able to ease their client’s burden – and make them look good in front of their regulators – get selected.
Board and Director Oversight & Accountability
Vendors should also realize that for “critical” relationships, full board review and approval may be required, along with a full review by the bank’s legal counsel. In fact, the OCC and FDIC counsel that bank directors and officers should:
- Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent with the bank’s strategic goals, organizational objectives, and risk appetite
- Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical activities
- Review and approve management plans for using third parties that involve critical activities
- Review summaries of due diligence results and management’s recommendations to use third parties that involve critical activities
- Approve contracts with third parties that involve critical activities
- Review the results of management’s ongoing monitoring of third-party relationships involving critical activities; ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring
- Review results of periodic independent reviews of the bank’s third-party risk management process
As a result, contracts and renewals that once were negotiated and executed as a matter of course within a few weeks may now take much longer since bank directors and officers are expected to conduct a much more comprehensive review before relationships are established and again when renewed. Vendors should take this into consideration when putting together their own strategic plans.
Ongoing Monitoring
Because of increased expectations by regulators, vendors should not be surprised when their bank clients have more dedicated staff monitoring the vendor relationships. Regular on-site visits will be more commonplace with particular attention paid to the quality and sustainability of the vendor’s controls and its ability to meet service-level agreements, performance metrics and other contractual terms, and to comply with legal and regulatory requirements.
Termination
In the usual scenario, parties to a contract don’t begin their relationship by considering how it will end. The usual scenarios no longer exist: vendors should not be surprised when their bank clients demand provisions allowing for the vendor contract to be terminated upon demand, with specific criteria explaining how activities will be transitioned to another third party, brought in-house, or discontinued. Bank regulators have been clear: if a vendor is not doing its job and/or is increasing bank risk, the relationship should be ended immediately. In fact, banks are counseled that, in the event of contract default or termination, management should have a plan to bring the service in-house if there are no alternate third parties. Vendors can no longer expect “grace” or “cure” periods; the failure to achieve agreed benchmarks may be met with draconian action.
Documentation and Reporting
Regulators are expecting banks to document and report on their third-party risk management process and specific arrangements throughout their life cycle. In their view, proper documentation and reporting facilitate the accountability, monitoring, and risk management associated with third parties. These expectations will obviously be transferred to bank vendors. Accordingly, vendors may be expected to provide an “inventory” of the third-party services being provided, especially when critical activities are being performed. Moreover, banks will require vendors to identify potential risks and provide regular risk management and performance reports.
Independent Reviews
As banks have been directed to conduct periodic, independent reviews of their third-party risk management process, particularly for critical activities, vendors should expect increased scrutiny of their policies, reporting, resources, expertise, and controls. Because banks will use their internal reviews to make decisions about commencing new or continuing existing third-party relationships, bringing activities in-house, or discontinuing activities, proper – and systematic – documentation and reporting will be critical for vendors. The less friction a vendor creates when a bank’s overall risk management program is being assessed, the more successful (and longer) the relationship will be.
Conclusion
As the article correctly notes, “Regulatory guidance spells out many new details that banks and their vendors will have to put in writing, including who is responsible when something goes wrong. While banks generally support having more ironclad provisions in contracts, they suspect that the requirements could wind up shrinking the pool of qualified vendor partners.” As a result, vendors that want to remain viable must properly understand their clients’ needs, regulatory environment, and expectations in order to properly anticipate and address potential pitfalls when negotiating their vendor agreements. The regulatory pain will certainly be spread, but proactive planning may be the best analgesic.