As collection agencies reassess third-party relationships, they must find ways to calibrate oversight to the activity being delegated. Layering new requirements into contracts has proved challenging, and in many instances the new oversight requirements have eroded the economic case for outsourcing.
Where outsourcing still makes sense – accessing specialized expertise being a prime example – firms must maximize the impact of finite oversight resources by:
- Defining the universe of affected relationships
- Categorizing in-scope relationships based on risk
- Calibrating oversight and compliance systems accordingly
- Evaluating oversight and compliance systems and making midcourse corrections
The following are critical threshold issues for laying the foundation of successful third-party risk management programs.
Requiring approval of the selection of third parties and reviewing related contracts represents the most dramatic application of the concept of criticality in the new guidance.
Sweeping changes in third-party risk management have forced firms to confront a long-standing compliance challenge: how to create a centralized oversight framework that delivers consistent enterprise-wide adoption of common standards, coordinates input on risk management decisions from diverse stakeholders, and leverages the expertise that already exists throughout the operating units.
Corporate third-party oversight programs – including those carried out by procurement or IT functions – have traditionally lacked the stature or the risk expertise needed to enforce effective and consistent third-party risk management practices across complex, diversified organizations. Increasingly, supervised firms are looking to operational risk teams to manage third-party oversight. That tends to give greater prominence to the operational and consumer protection risks in third-party relationships, and it builds on an existing centralized function that is already charged with an enterprise-wide approach to risk management.
A related question is how to divide oversight responsibilities between the business units and compliance. This is particularly challenging for consumer protection risks, because the role of the corporate compliance function in third-party oversight has yet to be defined and integrated into the broader oversight framework.
Identifying Third-Party Relationships
The initial challenge is to develop a system for tracking the firm’s third-party relationships and holding information about each relationship. This might include tens of thousands of business relationships at complex organizations.
Enterprise-wide inventories are often incomplete, and even the most thorough ones can become stale quickly. Judged against the scope of the new guidance, most supervised entities face substantial challenges in cataloging relationships with affiliates, joint venture or co-branding partners and other counterparties.
Developing Risk-Rating Methodology
Implementation of the new standards requires a sophisticated process for segmenting risks based on how each relationship affects the risk profile of the operating unit and enterprise. A one-size-fits-all analysis of third-party risks may be inefficient and fail to differentiate elevated risks within categories of activities.
Stratifying risks by activity type and regulatory mandate may help firms allocate oversight resources to maximum effect. Rating consumer protection risks may prove the most difficult. Activities that have direct consequences for the firm’s customers, rather than merely those in which a third party interacts directly with customers, should get particular attention.
Defining Critical Activities
Criticality is the defining threshold of regulatory expectations. While all outsourcing relationships will be subject to scrutiny, the Office of the Comptroller of the Currency imposes its most stringent expectations for critical activities. For Federal Reserve-supervised institutions, the conduct of critical activities is one of several rationales for heightened oversight.
However, the agencies have largely deferred to institutions to flesh out criticality. The challenge is to strike the right balance in capturing the most significant risks without capturing an unmanageable number, and to document the rationale in determinations of criticality. Measuring the criticality of any activity that involves the movement of funds or sensitive data requires particular care.
The regulators’ decision to define expectations by critical activities, rather than critical relationships, is crucial. Defining what critical means must reach well beyond materiality. To prevent these activities from overwhelming senior resources, firms defining criticality must carefully weigh and document regulatory risks against the consequences they pose to operations and financial condition.
Criticality is fluid, and changes with the firm’s operating model or strategy. Ongoing monitoring will determine whether changed circumstances warrant re-designation of critical relationships.
Enhancing Oversight Frameworks
The new guidance envisions a rigorous and dynamic oversight framework. Using existing data for risk management and developing new segmentation analyses to monitor third-party risks are critical components of that vision. As with the move to a more finely calibrated risk assessment framework, performance metrics and key-risk indicators should also become more precise. That will likely entail an assessment not just of how to define those measures, but also of how well a firm’s systems support end-to-end visibility of and data collection on third-party relationships.
Where firms rely on many third parties to conduct similar activities, benchmarking risks and performance also makes sense. For example, measuring trends in customer complaints among third parties engaged in like functions may help firms identify areas that warrant immediate inquiry. Firms will gain greater visibility into the risks of individual third parties and risks related to activities conducted on their behalf.
Developing the human capital to conduct informed, dynamic oversight is often neglected. Business-level relationship managers may lack the time and expertise to identify regulatory issues that arise in third-party operations, let alone to conduct the pre-relationship inquiries that now must be documented. Their role has clearly expanded to include risk management, not just measuring performance against contractual requirements and procurement policies.
P-R Stark assists Promontory clients with regulatory and compliance issues, focusing on consumer financial products and services. Prior to joining Promontory, she was one of the first employees at the Consumer Financial Protection Bureau. Join Ms. Stark at ARM-U (October 14-15 in Washington, DC) as she dives into the challenging – and growing – task of service provider compliance for debt collectors. It’s an event you won’t want to miss!