The Federal Reserve Board Thursday released guidance reminding financial institutions it supervises to exercise appropriate risk management and oversight when using external service providers. The Fed becomes the latest agency to point out that banks can be held responsible for actions taken by vendors, including ARM firms.
The guidance describes factors financial institutions should consider when choosing a service provider and how service providers should be overseen. The Fed defines a service provider as any organization or entity that enters into a contractual relationship with a financial institution to provide business functions or activities, such as accounting, auditing, loan review, compliance, and risk management.
The guidance does not discourage financial institutions from outsourcing activities to service providers, but says firms should be aware of the potential risks. If service provider relationships are not managed effectively, they may expose financial institutions to risks that can result in reputational problems, financial loss, or regulatory actions, according to the guidance.
The Fed also stated that the use of service providers does not relieve a bank’s board of directors or senior managers of responsibility for the activities performed by service providers. Financial institutions are responsible for ensuring that all activities conducted by service providers comply with applicable laws and regulations and are consistent with safe and sound banking practices.
The guidance is applicable to state-chartered banks that are members of the Federal Reserve System, bank and savings and loan holding companies and their nonbank subsidiaries, and U.S. operations of foreign banking organizations.
The CFPB recently was more blunt in warnings to banks about debt collection vendors. After noting in 2012 that banks have a responsibility to monitor their collection partners, the agency in July said that banks themselves have to adhere to many of the rules in the FDCPA.
The Office of the Comptroller of the Currency also recently said that it expects a bank to practice effective risk management regardless of whether the bank performs a business activity internally or through a third party. In that bulletin, The OCC specifically referenced its July 2013 statement on debt sales and collection relationships for banks seeking ARM guidance.