Risk Management Throughout the Vendor Relationship Lifecycle

P-R Stark assists Promontory clients with regulatory and compliance issues, focusing on consumer financial products and services. Prior to joining Promontory, she was one of the first employees at the Consumer Financial Protection Bureau. Join Ms. Stark at ARM-U (October 14-15 in Washington, DC) as she dives into the challenging – and growing – task of service provider compliance for debt collectors. It’s a presentation you won’t want to miss!

New guidance from the Office of the Comptroller of the Currency and the Federal Reserve makes it clear that supervised institutions must be vigilant throughout every stage of the relationship with a third party. For third parties, many of which are not subject to direct supervision by the prudential regulators or are transitioning to supervision from the Consumer Financial Protection Bureau, the change is substantial: They must meet the regulatory standards applicable to their bank partners, rather than let their stand-alone activities define their compliance obligations.

Strategic Planning

Determining whether to outsource an activity begins with a risk assessment that establishes not only the nature and scale of the risks but also how those risks fit the firm’s business model, strategy, and risk management capacity. The aim is to develop a clear view of the necessary controls, expertise and resources, and to create a framework for identifying activities that are best kept in-house.

The risk assessment should identify the specific costs and benefits of outsourcing and consider how the firm will verify that a third party can meet the expectations of customers, management, and regulators. Data security is a key element of this analysis, especially where third parties would have access to the firm’s systems and customer records. Collection agencies must also consider contingency plans for transferring the activity (to another third party or back in-house).

Diligence and Selection of Third Parties

The next step after an affirmative decision to outsource an activity is to identify the right partner. The new guidance directs firms to investigate each prospective third party rather than rely on informal reputational or market views – or even past practice – as was once considered sufficient. That investigation has traditionally included the prospective third party’s operating structure, financial performance, reputation, regulatory record, key personnel and risk management. Expectations have been expanded to include:

  • Legal and regulatory compliance, including a review of necessary controls and required operating licenses
  • Information and physical security, and the proposed business partner’s ability to detect and respond to physical and data security threats
  • Compensation and incentives, including whether the proposed compensation structure could lead to noncompliance or inappropriate risk-taking
  • Issue management and reporting, from identification to remedy
  • Contractual arrangements, and whether a prospective third party’s own outsourcing relationships will shape its ability to meet the firm’s requirements
  • Human resource management, including how the third party trains its employees on compliance obligations and its diversity policies

The operational structure of the third party, including its own reliance on outsourcing, and its response to disruptions are important. This is especially true for data security, because it is an area where supplementing firm resources with specialized expertise provides a strong incentive to outsource. The risks are substantial, however: firms must expose sensitive data to conduct business while depending on the third party’s own subcontractors, entities with which they have no direct contractual relationship. Part of the answer is a significant expansion of due diligence.

Contracting for Effective Oversight

Contracts are a critical vehicle for defining expectations and protecting interests, and regulators’ attention to them has clearly ramped up. The detail in both the OCC and Federal Reserve guidance suggests that industry contracting practices are struggling to keep pace with evolving risk management standards and expectations, especially in establishing performance standards and reporting requirements. The guidance provides a list of more than 15 topics to address in contracts with third parties, including: compensation, performance benchmarks, confidentiality of customer complaints, dispute resolution, and termination. New topics include:

  • Legal and regulatory mandates that apply to the third party’s activities
  • Frequency of compliance-performance reporting
  • The right to conduct periodic reviews
  • Subcontracting and notification when subcontracting relationships change

Each contract should be tailored to the risks identified in the strategic planning and diligence phases; simple, generic provisions on access to information on demand are unlikely to offer sufficient protection. Contracts that specify the level of effort required – e.g., quarterly on-site audits or exhaustive reviews of all customer complaints and inquiries – can be helpful in making sure the relationship is economically sustainable. Explicit contractual limitations – e.g., geographic limitations on sharing data with or subcontracting to foreign firms – may be needed to address differences in prevailing legal and regulatory standards.

Supervised firms will also have to consider new communications standards. The OCC specifically stated that contracts should specify the circumstances in which the supervised firm must notify third parties of strategic or operational issues, including incidents such as data security breaches that may affect the third party’s ability to perform under the contract.

However, the agencies did not provide guidance on what to do when third parties resist providing information or participating in oversight activities – scenarios that supervised firms are facing in the transition to new, more rigorous oversight expectations. Transitioning to new oversight practices mid-contract is particularly challenging. Supervised firms confronting a third party that resists providing appropriate information or access should document good-faith efforts to comply under the existing contract and negotiate the relevant issues at renewal. In rare cases, however, prompt termination of the relationship may be necessary.


Monitoring Adherence of Third Parties

Collection agencies are expected to devote sufficient resources to monitoring each third party’s adherence to laws and regulations, as well as to contractual requirements. In effect, the collection agency’s staff should periodically reassess all areas that were the focal point of its strategic assessment and diligence processes so that changing risks are detected and addressed. Ongoing monitoring should include periodic contract reviews to assess whether the contracts still address the pertinent risks. Gaps may require adjustments to existing contracts, and in any case should be addressed in future contracts.

Regulators are also focused on the expertise of staff charged with monitoring responsibilities and how information collected in oversight activities is aggregated, analyzed, and shared internally.

Termination and Contingency Planning

In a break from past guidance, the regulators now explicitly require that a firm’s risk management controls extend through the termination of third-party relationships, whether at the natural end of a contract or due to default or other disruption that terminates the relationship. Firms must make sure that terminations have minimal impact on customers and firm operations; transition plans should address data retention and destruction, joint intellectual property, mitigation of reputational risks and seamless adherence to applicable requirements.

Documentation and Reporting

New processes – such as the designation of critical activities and additional diligence requirements – require documentation standards. It will be an ongoing challenge for firms to keep policies, procedures, and program documentation current as expectations and processes change. Nowhere is this challenge greater than in the development and maintenance of an accurate inventory of a firm’s third-party relationships.

Regulators will also look to see who receives reports on third-party performance and how often they receive them, in addition to evaluating the quality of reported information. But the critical inquiry is less about the reporting process than it is the impact on the firm’s risk management behavior.

Periodic Independent Reviews

Supervised firms are expected to use independent reviews of third-party performance as a risk management tool. The reviews, which are to be conducted by the supervised firm’s internal audit group or an independent party, measure how well the third party is adhering to regulatory and contractual requirements. They may cause friction with third parties unaccustomed to being audited in this way, or when contracts do not specifically authorize this form of oversight. Further, conducting certain kinds of audits – such as security assessments – can require specialized resources that supervised firms may not currently have.

Board Oversight

In their separate guidance, both the OCC and Federal Reserve raise the stakes for the boards and executive management of regulated entities, though their methodologies differ significantly.

The Federal Reserve charges the board to adopt policies governing the use of third-party service providers. Those policies should establish a third-party risk management program that governs risk assessments and due diligence, contracting, ongoing monitoring, and business continuity and contingency planning. Senior management is then responsible for assuring proper execution of board-approved policies.

The OCC’s guidance differs, directing that the board be more involved in arrangements involving any “critical activity” performed for an OCC-supervised institution by a third party. For those, the board of directors of the institution is expected to:

  • Approve management’s strategic plan for the use of a third party
  • Review due-diligence summaries on prospective third parties
  • Approve contracts
  • Review the results of management’s ongoing monitoring and periodic independent reviews
  • Ensure appropriate action is taken to address deterioration in performance, changing risks, and material issues identified through oversight activities

Although weighing in on strategic decisions about operational structure conforms to prior board norms, requiring the board to approve the selection of third parties and to review the related contracts represents the most dramatic application of the concept of criticality in the new guidance.

Julie Williams, Chris Lewis and Justin Guo contributed to this article.
