Community Banking Advisor: Regulators raise the bar on outsourcing relationships

Banking regulators have always had concerns about outsourcing. But in recent years they have raised their expectations about bank oversight of outside service providers.

If your bank outsources key functions to third parties, it’s a good idea to review your existing relationships — as well as your policies, procedures and controls for managing those relationships — to ensure that they meet regulators’ expectations. Failure to do so exposes your bank to a variety of risks, not to mention significant liabilities for penalties and restitution.

Who’s watching?

Over the last few years, just about every federal banking agency has issued guidance on managing third-party risks. For example, in April 2012, the Consumer Financial Protection Bureau (CFPB) issued a bulletin on oversight of service providers. And in October 2012 the Federal Financial Institutions Examination Council (FFIEC) published guidance on supervision of technology providers.

Then, in late 2013, three regulatory actions were initiated: The FDIC issued a Financial Institution Letter about payment-processing relationships with high-risk merchants, the OCC published risk-management guidance for third-party relationships, and the Federal Reserve Board released its Guidance on Managing Outsourcing Risk.

What are the risks?

Contracting with a third party doesn’t relieve a bank from responsibility and legal liability for outsourced activities. At the same time, it reduces bank management’s direct control over those activities, which can increase the bank’s risks in several ways. If you outsource loan processing, customer service, telemarketing or debt collection, there’s a risk that the provider will violate consumer protection laws by making misleading statements to your customers or prospective customers or by engaging in deceptive practices.

If you outsource data processing or IT services, there’s a danger that the provider will fail to follow the latest cybersecurity guidelines. This could expose sensitive customer data to hackers or identity thieves.

These and other risks, if not properly managed, endanger your bank’s operations and reputation, and expose it to potential liability for compliance failures.

What should you do?

To meet regulatory expectations, all banks should review the guidance mentioned above. The OCC guidance, which is the most detailed, directs banks to adopt risk-management processes that are in line with the level of risk and complexity of their third-party relationships.

Generally, the OCC wants to see more rigorous oversight of critical activities, such as payments, clearing, settlements, custody, IT or other activities that could have significant customer impacts or could cause significant harm to the bank if the provider fails to perform. To effectively manage third-party risks, take these specific actions:

  • Develop a formal plan for managing third-party relationships.
  • Conduct thorough due diligence on prospective providers, focusing on such factors as legal and regulatory compliance, reputation, qualifications of company principals, risk management, information security and reliance on subcontractors.
  • Negotiate contracts that clearly spell out each party’s rights and responsibilities — the guidance provides a detailed list of contract provisions, including performance benchmarks, information sharing, audit rights, compliance, confidentiality and indemnification.
  • Monitor the relationship, including due diligence areas, on an ongoing basis.
  • Conduct periodic independent reviews of your third-party risk-management process.

The guidance also discusses termination of third-party relationships, oversight and accountability, documentation and reporting, and the respective roles of the bank’s board, management and employees.

Be prepared

If your bank uses third-party service providers, be prepared to have regulators scrutinize those relationships. The level of oversight required depends on the level of risk involved in your outsourced activities, so start by conducting a risk assessment of your outsourcing arrangements.