Are your third-party service providers putting your community bank at risk?
By Mary Thorson Wright
Community bank compliance managers oversee innumerable activities to ensure sound compliance practices and technical adherence to laws, regulations and other guidance. If they are not also effectively managing the bank’s use of third-party service providers (vendors) and compliance for their activities, there may be a critical gap in the compliance management system (CMS).
Community banks increasingly rely on vendors to provide a variety of products and services, reduce operating costs and obtain expertise not present in their own staffing. That growing reliance also increases the banks' risk exposure.
Why are community banks responsible for their vendors’ compliance? Federal regulators direct banks to ensure comprehensive risk management and oversight of third-party relationships involving critical activities. The OCC defines critical activities as “significant bank functions (such as payments, clearing, settlements, custody) or significant shared services (such as information technology), or other activities that:
- could cause a bank to face significant risk if the third party fails to meet expectations
- could have significant customer impacts
- require significant investment in resources to implement the third-party relationship and manage the risk
- could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in house.”
Each of the federal bank regulatory agencies has issued guidance on its expectations for selection and use of vendors (OCC Bulletin 2013-29, FRB SR 13-19, FDIC FIL-44-2008 and CFPB Bulletin 2012-03), and the Federal Financial Institutions Examination Council (FFIEC) has published guidance for vendor management specific to information technology.
The guidance documents offer very similar risk-management principles and directions, covering assessing risk of third-party relationships, due diligence in vendor selection, defining expectations and responsibilities, and managing the relationship.
Each community bank should ensure it has complied fully with its own federal regulatory agency’s guidance.
According to Britt Faircloth, senior regulatory consultant with Wolters Kluwer, effective vendor compliance management requires a two-pronged approach: the management of the vendor program itself, and the management of compliance activities for those products and services that third parties conduct on behalf of the bank. She urges community bankers to first take a holistic look at the bank, its use of third-party service providers and how its vendor management program works. With that perspective, they can implement compliance management for vendor activities.
“Many times, we have seen vendor management handled as a ‘one-time’ event, rather than as a process,” Faircloth observes. “After the vendor is set up, there needs to be a solid commitment to consistent, ongoing monitoring throughout the lifecycle of the relationship. Vendor management is a marathon, not a sprint.”
According to Faircloth, effective vendor management requires significant due diligence on the front end. This includes assessing the inherent risk of a potential vendor, conducting due diligence to understand the controls and risks that the relationship would pose, and negotiating a contract that defines the third party's expectations and responsibilities. Comprehensive due diligence ensures the contract's enforceability, limits the bank's liability and mitigates disputes about performance, including termination, if necessary, says Faircloth.
“There needs to be a solid commitment to consistent, ongoing monitoring. … Vendor management is a marathon, not a sprint.” —Britt Faircloth, Wolters Kluwer
The bank's agreement with the third party is critical to its ability to continually manage compliance risk. Agreements can provide for compliance oversight, such as the right of the bank or its representatives to audit the service provider, receive periodic reports and monitor performance standards, and can make critical compliance activities, like consumer complaint management, transparent to the bank.
One size doesn’t fit all
The structure of vendor compliance management will be determined by the size and structure of the bank and of the third party.
The bank should integrate compliance activities for third parties into its broader CMS, because a vendor acting on the bank's behalf can create compliance exposure for the bank itself. For instance, a third party may engage in deceptive advertising or marketing practices, or may fail to maintain the privacy of customer records.
For each third party, the bank must weigh the vendor's capacity to administer compliance and the activities it performs, then determine the most effective method to manage the resulting compliance risk. That may require on-site visits, shared systems monitoring, integrated training or other oversight.
“Vendor compliance management can be a challenge, particularly for smaller institutions,” says Faircloth. “A community bank must first identify the third-party universe for the bank and the associated risks. While that seems simple on its face, depending on the size and structure of the bank, the operational side of third-party contracting and vendor management may be centralized to one office or even one person, or it may be dispersed across many departments.
“Getting the inventory of third-party relationships is a critical first step. Evaluate the outsourced activities for compliance requirements, risk and potential impact to employ appropriate procedures.”
Mary Thorson Wright, a former Federal Reserve examiner, is a financial writer in Virginia.