Agencies offer new guidance on—and take a second look at—how banks oversee third-party providers
By Mary Thorson
Spiraling technical requirements, exponential growth of regulatory complexity and the necessity for automation to meet monitoring and processing needs have brought community banks to the doors of third-party vendors that once were thought only to be suitable for behemoth companies. There are two basic camps of third-party service providers employed by community banks—those companies providing services on behalf of the bank and those providing services directly to the bank. Using third-party vendors brings resources and risks to the table.
Due diligence is required when managing outsourced functions: regulators expect banks to be actively engaged with their service providers to ensure that the scope, procedures and deliverables of each service are defined and fulfilled.
The federal bank regulators have issued guidance on vendor management for a number of years, and they have taken note of the growing use of vendor services. The regulatory landscape changes rapidly, and regulatory risk management has historically evolved reactively, following the industry's own changes. Amid the flurry of initiatives to measure and guide the use of industry service providers, vendor risk management has become a topic du jour.
The general mantra, regardless of the technical nature of the vendor services, is that day-to-day management of a product or service can be transferred to a third party, but the ultimate responsibility for all compliance requirements cannot be delegated. The very service that is intended to alleviate compliance challenges is also a source of potential risk that must be managed.
In a presentation in May 2012, the Federal Reserve Bank of Philadelphia perhaps said it best: “Good rule of thumb—oversee vendors as you would any other division of the bank!”
Each of the federal bank regulatory agencies has published guidance regarding vendor risk management, and some have provided specialized training. A community bank should first review the vendor risk management guidance published by its prudential regulator; however, don't pass up the "best practices" value of guidance from regulators that don't examine your community bank. You'll find common themes and guidance that could benefit your bank regardless of its charter. It's important to remember that the guidance sometimes takes the form of a precedent set by a formal enforcement action or of an element of a broader regulatory requirement.
In April 2012, the Consumer Financial Protection Bureau issued guidance directly to the financial institutions and service providers that it oversees. Although community banks are not under the direct supervision of the CFPB, its guidance is a valuable source for best practices. In CFPB Bulletin 2012-03, the bureau outlines vendor management expectations this way for banks within its jurisdiction:
– Conduct thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
– Request and review the service provider’s policies, procedures, internal controls and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
– Include in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
– Establish internal controls and ongoing monitoring to determine whether the service provider is complying with federal consumer financial law; and
– Take prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
Third-party vendor management requirements have also recently appeared in a number of other rules and orders issued by the CFPB and the other federal bank regulatory agencies. A good example is CFPB Bulletin 2012-06, Marketing of Credit Card Add-on Products, issued in July 2012. The bulletin emphasizes that financial institutions must actively manage compliance and consumer protection for the marketing materials and sales procedures used, whether by internal staff or by third parties, to offer products such as debt protection, identity-theft protection and credit score tracking that supplement the credit extended by the card itself. Although the bulletin focuses on credit card add-on products, the CFPB notes that institutions should consider the same guidance when they offer similar products in connection with other forms of credit or deposit services.
Recent formal actions have also focused on third-party vendor management. In August 2012, the FDIC announced settlements with Higher One Inc., and The Bancorp Bank for alleged unfair and deceptive practices in violation of Section 5 of the Federal Trade Commission Act. The FDIC determined that Higher One operated its student debit card account program (called OneAccount) with The Bancorp Bank in violation of Section 5. Among other things, the FDIC found that Higher One and The Bancorp Bank were:
– charging student account holders multiple nonsufficient funds (NSF) fees for a single merchant transaction;
– allowing these accounts to remain in overdrawn status over long periods of time, thus allowing NSF fees to continue accruing; and
– collecting the fees from subsequent deposits to the students’ accounts, typically funds for tuition and other college expenses.
According to the order, The Bancorp Bank, as issuer of the OneAccount debit card, was responsible to ensure that Higher One operated the OneAccount program in compliance with all applicable laws.
America’s community banks can no longer organically grow every program needed in the day-to-day business of banking and, for the most part, can no longer afford to rely exclusively on local talent—regardless of the quality and dedication found there—to address technical, operational and compliance challenges. Third-party vendor discipline allows community banks to use valuable resources while maintaining good compliance and operational risk management.