Vendor Management: The Next Compliance Frontier – Part 2
A two part series – Part One Forming a Relationship
Technology and innovation have always been the hallmarks of the US economy. Technological innovations have dramatically changed the lives of people around the world. The development of the internet begat devices for accessing the internet and soon a technological boon unlike anything the world has seen began. Innovations in technology continue to impact our lives. Today social media has impacted presidential elections and has even been instrumental in the overthrow of governments.
The banking industry has not been left out of the technological revolution. Today the products and services that banks offer are directly impacted by the software and operating systems being employed. Moreover, the development of technology has increased overall efficiency and has helped to developed economies of scale in various areas. As technology has advanced at software companies, financial institutions have found that outsourcing various tasks has had the positive effects of lowering costs while leveraging technology and resources.
Many banks today rely on outsourced functions ranging from core operating systems to monthly billing programs. The reliance on third parties to provide core functions at banks is no longer viewed as a less than desirable situation, it is normal. However, over time the types of relationships that banks began to form with outside vendors became more complicated and in some cases exotic. Some banks used third parties to offer loan products and services that would otherwise not be offered. In many cases, the administration of the contractual relationship was minimal; especially when the relationship was profitable.
The level and type of risk that these agreements created came under great scrutiny during the financial crisis of 2009. Among the relationships that are most often scrutinized for areas of risk are:
- Third-party product providers such as mortgage brokers, auto dealers, and credit card providers
- Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activitiesDisclosure preparers, such as disclosure preparation software and third-party documentation preparers
- Technology providers such as software vendors and website developers
- Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities. 
According to the FDIC, a third-party relationship could be considered “significant” if:
- The institution’s relationship with the third party is a new relationship or involves implementing new institution activities
- The relationship has a material effect on the institution’s revenues or expenses
- The third party performs critical functions
- The third party stores, accesses, transmits, or performs transactions on sensitive customer information
- The third-party relationship significantly increases the institution’s geographic market
- The third party provides a product or performs a service involving lending or card payment transactions
- The third party poses risks that could materially affect the institution’s earnings, capital, or reputation
- The third party provides a product or performs a service that covers or could cover a large number of consumers
- The third party provides a product or performs a service that implicates several or higher risk consumer protection regulations
- The third party is involved in deposit taking arrangements such as affinity arrangements
- The third party markets products or services directly to institution customers that could pose a risk of financial loss to the individual 
The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management. While the published guidance from each of these regulators its own idiosyncrasies, there are clear basic themes that appear in each.
All of the guidance has similar statements that address the types of risk involved with third party relationships and all discuss steps for mitigating risks. We will discuss the methods for reducing risk further in part two of this series.
Types of Risk Associated with Third Party Relationships
Regardless of the size of your bank, or the overall complexity of the operation, the risks that follow will exists at some level with any third party relationship.
Operational risk is present in all products, services, functions, delivery channels, and processes. Third-party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party.
Operational risk can increase significantly when third-party relationships result in concentrations. Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations and that of its third parties and subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.
Compliance risk exists when products, services, or systems associated with third-party relationships are not properly reviewed for compliance or when the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures. Such risks also arise when a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service. Compliance risk may arise when a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights. Compliance risk may also arise when the third party does not adequately monitor and report transactions for suspicious activities to the bank under the BSA or OFAC. The potential for serious or frequent violations or noncompliance exists when a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones, when activities are further subcontracted, when activities are conducted in foreign countries, or when customer and employee data is transmitted to foreign countries.
Compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. Compliance failures by the third party could result in litigation or loss of business to the bank and damage to the bank’s reputation.
Third-party relationships that do not meet the expectations of the bank’s customers expose the bank to reputation risk. Poor service, frequent or prolonged service disruptions, significant or repetitive security lapses, inappropriate sales recommendations, and violations of consumer law and other law can result in litigation, loss of business to the bank, or negative perceptions in the marketplace. Publicity about adverse events surrounding the third parties also may increase the bank’s reputation risk. In addition, many of the products and services involved in franchising arrangements expose banks to higher reputation risks. Franchising the bank’s attributes often includes direct or subtle reference to the bank’s name. Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party. In some cases, however, it is not until something goes wrong with the third party’s products, services, or client relationships, that it becomes apparent to the third party’s clients that the bank is involved or plays a role in the transactions. When a bank is offering products and services actually originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products, services, and adequate oversight over the third party’s activities.
A bank is exposed to strategic risk if it uses third parties to conduct banking functions or offer products and services that are not compatible with the bank’s strategic goals, cannot be effectively monitored and managed by the bank, or do not provide an adequate return on investment. Strategic risk exists in a bank that uses third parties in an effort to remain competitive, increase earnings, or control expense without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the activity. Strategic risk also arises if management does not possess adequate expertise and experience to oversee properly the third-party relationship.
Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.
Credit risk may arise when management has exercised ineffective due diligence and oversight of third parties that market or originate certain types of loans on the bank’s behalf, resulting in low-quality receivables and loans. Ineffective oversight of third parties can also result in poor account management, customer service, or collection activities. Likewise, where third parties solicit and refer customers, conduct underwriting analysis, or set up product programs on behalf of the bank, substantial credit risk may be transferred to the bank if the third party is unwilling or unable to fulfill its obligations.
One of the most important points that all of the regulators are driving home is that they intend to hold financial institutions responsible for the action for the third party service providers. For example, if an automobile dealer with whom a bank has a relationship engages in lending activities that have fair lending concerns, the bank under whose name they are providing the service will also be found to have fair lending concerns.
This is not to say that there is a general distaste for outsourcing of third party arrangements. It is to say that when the arrangement is made, there should be a risk management system in place ahead of the formation of the relationship. The program should include at a minimum the following:
- A Risk Assessment
- Due Diligence in Selecting a Third Party
- Contract Structuring and Review
We will discuss the proper risk management system for your third party vendors in part two of this blog. For now, remember that the standard for development of a risk management program is “A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships” 
 See Vendor Risk Management Compliance Considerations, by Cathryn Judd, Examiner, and Mark Jennings, Former Examiner, Federal Reserve Bank of San Francisco
 FDIC Compliance Manual
 OCC BULLETIN 2013-29 Managing Third Party Relationships
James DeFrantz is a Partner in Atlanta-based financial services industry consulting firm Bank Solutions Group. [email protected]