Third-Party Risk Management


Managing product and service providers lands under the regulatory spotlight

By Mary Thorson

Pressure to offer particular products or services, reduce operating costs and increase access to core competencies has influenced many community banks to expand their use of third-party service providers. Outside vendors offer a range of valuable assistance. But what is the risk of such relationships, how is the risk different from a bank’s in-house operations, and what oversight of third parties do the regulatory agencies expect?

The increase in the use of third–party product and service providers has heightened regulatory interest in the services provided, the particular vendors used and the oversight employed to manage their associated risk. Regulators have issued guidance for selection and use of third–party service providers; however, administering an effective risk management program requires customization to fit your community bank and how it uses particular outside vendors.

The most recent and detailed compliance sources come from the Federal Reserve Board (FRB SR Letter 13-19), the Office of the Comptroller of the Currency (OCC Bulletin 2013-29) and the Consumer Financial Protection Bureau (CFPB Bulletin 2012-03). The FDIC’s guidance (FDIC FIL-44-2008) reflects that of the other federal agencies. The Federal Financial Institutions Examination Council has issued specific third-party management guidance for information technology services (FFIEC Service Provider Oversight). Community banks should review all of these published guides, regardless of their charter, to gain perspective on the regulatory big picture.

Banks at or below $10 billion in assets are not directly subject to the supervision of the CFPB; however, a third–party service provider may be subject to the bureau’s direct oversight, and, if so, a community bank using such a company should confirm the vendor’s compliance with the bureau’s requirements for third–party risk management.

Five Risks of Third-Party Management

Regulators have identified five particular risks that a bank’s third–party risk management program should address in managing third-party companies it relies on for delivering products or services. Here’s an outline of those five risks as generally defined by the banking agencies.

1. Compliance risk. This means products, services or systems associated with third-party relationships must conform to laws, regulations and ethical standards required of the bank. They should also be consistent with the bank’s policies or procedures.

2. Operational risk. Products, services, functions, delivery channels and processes facilitated or performed by third-parties inherently generate some degree of less direct control over the activity performed on its behalf. More control may be lost due to a third party’s use of subcontractors.

3. Credit risk. Loans marketed or originated by third parties should be monitored for imposing possible low-quality credits and receivables. For such services, bank oversight should ensure good account management, customer service and effective collection activities.

4. Strategic risk. Third–party products or services may be provided outside a bank’s strategic plan, may not be effectively managed or may not be financially sound.

5. Reputation risk. This is a catch-all risk category used by regulators in recent years. Here activities performed by a third-party company reflect on the bank, and problems caused by a third party give the appearance of poor bank oversight.

—Mary Thorson

Four pillars of risk

What is a third–party risk management program, and where does it fit in your community bank? Begin with the basic premise that, when a third-party vendor provides a product or service for or on behalf of a bank, it is tantamount to the bank providing that product or service directly to customers or the public. The activity may be outsourced, but regulators believe the responsibility for risk management remains with the bank.

A third–party risk management program should demonstrate the four “pillars” of risk management:

Governance. The board of directors and management should lead its bank’s risk management program by making a commitment to the program, determining the risk appetite of the bank and establishing the framework and resources for the program.

Policies and procedures. The commitment to third–party risk management should be implemented in a bank’s policies and procedures that translate into compliance management activities.

Internal controls. Checks and balances should be in place to prevent and detect risk exposure outside the approved level. Those checks and balances should also ensure third-party companies conform to the directives of the bank’s board of directors and management.

Measures, monitoring and reporting. The bank must implement activities to identify, measure, monitor and report third-party risk. Evidence of risk exposure must be properly investigated and addressed.

Audits and controls

Regulatory examination results and program management experiences have drawn attention to certain compliance, control function and internal audit attributes for third-party risk management programs, including, but not limited to these:

  • Providing the bank contractual authority to monitor the activities of the vendor, including those of subcontractors the vendor uses to serve the bank.
  • Integrating outsourced services or products in risk assessments and the internal audit plan.
  • Reporting from and communication with the vendor, including changes to processes, subcontractors or key employees; training conducted in support of the bank’s products or services; and any audits conducted by the vendor appropriate for the bank’s interests.
  • Reviewing all vendor recordkeeping for covered activities.
  • Reviewing complaints received by the vendor relevant to the bank’s interests and complaints received by the bank relevant to the vendor’s services.
  • Reviewing pending litigation of the same sorts and any resulting judgments.
  • Reviewing the vendor’s complaint management system, including oversight of complaints about or received by the vendor’s subcontractors.
  • Reviewing the vendor’s compliance with the Servicemembers Civil Relief Act, fair lending laws and regulations, the Fair Debt Collection Practices Act and any other technical compliance requirements for which the vendor must conform to the same standards as the bank.
  • Reviewing all activities under the vendor contract for compliance with the Unfair, Deceptive, or Abusive Acts or Practices Act.

Community banks reap benefits from using third parties to remain competitive, leverage expertise and control operating costs. An effective third-party risk management program can ensure the benefits are not negated by risks emanating from either a vendor’s activities or a regulator’s compliance expectations.

Mary Thorson, a former Federal Reserve officer and compliance consultant, is a financial writer in Virginia.