Like most businesses, community banks are leveraging more and more vendors and other third parties. But these companies come with risk attached. Managing third-party risk means being diligent before, during and after a contract or relationship has run its course.
By Mary Thorson-Wright
There are only three times community banks need to pay close attention to third-party relationship risk management: before, during and after.
Expanding technology, demand for specific skill sets, product availability and cost containment have changed the way community banks work. To help meet those needs, outsourcing to third parties has become integral to bank management. A third-party relationship could be a seller of a specific product the bank wants to offer, an individual or company that sells services either on a one-time or continuing basis, or anyone providing goods or services to the bank.
Relationships with both foreign and domestic third parties continue to increase in number and complexity, exposing users to increased risks. Community banks aren’t alone. As of August 2019, more than half of all companies used third parties to support their products, services and operations.
Where does third-party risk management start? The life cycle of third-party risk management starts when the bank determines what its needs are and establishes the parameters under which it will engage vendors and other third parties through a formal outsourcing policy. Once candidates are selected, banks must thoroughly vet them.
“When considering entering a relationship with a third-party service provider, it is advisable to conduct appropriate due diligence based on guidance published by the bank regulatory agencies,” says Thomas Grundy, a senior director of U.S. Advisory Services for Wolters Kluwer who is based in Campbellsville, Ky. “Identifying risks going into the relationship is critical to establishing a risk profile for the service provider that ultimately wins the contract.”
“A community bank must have a clear understanding of what the third party is and is not going to do on its behalf.”
—Fran V. Sponsler, Fortner, Bayens, Levkulich & Garrison, P.C.
Ensure you’re covered
Contracts with third parties should be specific to reflect the entire relationship and risk potential. “The coverage of the agreement is critical and should be commensurate with the established level of risk that the bank anticipates,” says Fran V. Sponsler, shareholder and director of compliance services at Fortner, Bayens, Levkulich & Garrison, P.C., in Denver. “A community bank must have a clear understanding of what the third party is and is not going to do on its behalf.”
Community banks need to ensure the agreements:
- define all deliverables, service levels and metrics
- define responsibilities and obligations of both parties
- define terms and conditions
- specify how risk will be allocated between the parties
- define legal counsel and jurisdiction stipulations.
Throughout the contract period, the community bank must have means to effectively monitor the activities and performance of the third-party partner, including its subcontractors. To ensure that adequate monitoring is established, the bank should dedicate relationship management resources with the necessary expertise, authority and accountability to effectively monitor the third party. While the activities may be occurring outside the bank’s walls, the third party’s performance on its behalf belongs to the bank.
“The bank must communicate with and exercise follow-up continuously with the vendor to provide the reports, records and data required to perform its own monitoring procedures and to respond effectively to requests from regulators or audit requests,” Sponsler says.
Just like the procedures the bank employs to perform testing of its organic policies, procedures and records, periodic testing of the third-party performance confirms contract compliance and the adequacy of compliance with laws, regulations and bank policy.
“Monitoring can vary in accordance to the complexity of the services provided or supported by the third party,” Grundy says. “Methods and activities, such as periodic on-site visits; scheduled reporting on key risk indicators; daily, weekly, monthly management telephone and web conferences; and analysis of the volume, nature and trends in consumer complaints are essential to ongoing, effective third-party risk management.”
Grundy adds that relationship managers should be held accountable for escalating significant issues or material weaknesses noted through ongoing monitoring as well as those indicated by audit findings, deterioration in financial condition, security breaches, data loss, service or system interruptions, or examination findings of noncompliance with laws and regulations.
Common failures can result from a lack of oversight provisions not allowing a bank to have access to records of the third party during the contract and after it is extinguished, reporting shortfalls and the bank’s inability to conduct on-site or off-site reviews of the vendor’s procedures. Third-party vendor performance reviews should be conducted by experienced personnel.
While some contract relationships with third parties may continue through a series of renewals, others will either expire with no further need to renew or will be discontinued because of the bank’s desire to work with a different vendor. If it’s likely the contract will be renewed, the bank should take advantage of that opportunity to carefully review how the ending agreement served its needs and develop enhanced revisions for a new life cycle.
Community banks must commit to robust procedures throughout the life cycle of their third-party relationships to effectively manage risk—before, during and after.
Mary Thorson-Wright, a former Federal Reserve examiner, is a writer in Virginia.