In light of increased outsourcing and third-party involvement in bank activities, the Office of the Comptroller of the Currency and the Federal Reserve recently issued separate guidance on managing third-party relationships and outsource risk. The guidance highlights the potential risks arising from the use of service providers and describes the elements of an appropriate third-party risk management program.
With their recent guidance, regulators have warned that failure to have an effective risk management process in place that is commensurate with the risk and complexity of a bank’s third-party relationships might be an unsafe and unsound banking practice. Banks need to promptly evaluate their current third-party risk management programs in accordance with the new guidance in order to avoid regulatory criticism and potential additional consequences in their next examination.
What the agencies want to see
On Dec. 5, 2013, the Fed issued “Guidance on Managing Outsourcing Risk,” setting forth the risks arising from using service providers and the regulatory expectations relating to risk management programs.
The guidance is substantially similar to the OCC guidance on third-party risk management (OCC Bulletin 2013-29) issued on Oct. 30, 2013. While there are some minor differences between the Fed and OCC guidance, they collectively provide comprehensive direction to banks on the oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. Both incorporate third-party relationship management principles underlying some of the recent regulatory enforcement actions.
The guidance supplements previous regulatory guidance on technology service provider risk and reminds banks that they must manage risk associated with third parties at a level commensurate with their use of those relationships.
The new issuances point out that an effective third-party risk management program incorporates risk assessments, due diligence, contract provisions, compensation reviews, regular oversight, and contingency planning. These programs are intended to cover service providers that perform a wide range of business functions, including appraisal management, human resources, sales and marketing, asset and wealth management, procurement, loan servicing, and other professional services.
Highlighting risk management
The recent regulatory guidance broadly signals that failure to effectively manage the use of third-party service providers could “expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.” The agencies also emphasize the responsibility of the bank’s board of directors and senior management to provide for the effective management of third-party relationships and activities. The issuances specify risk categories associated with third-party or outsourcing arrangements, including compliance, concentration, reputational, operational, country, and legal risks.
The guidance emphasizes that third-party risk management programs should focus on outsourced activities that are most relevant to the institution’s financial condition, are critical to ongoing operations, involve sensitive customer information and new products or services, or pose material compliance risk. Institutions need to consider the governance aspects imbedded in strategy and planning that drive the organization to make smart decisions, as well as specific strategies used by vendors.
While the elements that constitute a third-party risk management program will vary with the nature of the financial institution’s outsourced activities, the regulatory view is that effective programs usually will include the following:
• Outsource strategy and risk assessment. Risk assessment of a business activity and the implications of performing the activity in-house versus having the activity performed by a service provider are fundamental to the decision of whether or not to outsource.
Financial institutions should weigh the benefits and drawbacks of each and should consider whether outsourcing an activity is consistent with the organization’s strategic direction and overall business strategy.
• Due diligence and selection of service providers. Financial institutions should evaluate and perform the necessary due diligence for a prospective service provider prior to engaging the service provider.
The depth and formality of the due diligence performed will vary depending on the scope, complexity, and importance of the planned outsourcing arrangement, the institution's familiarity with prospective service providers, and the reputation and industry standing of the service provider.
The regulatory guidance emphasizes processes designed to evaluate a potential service provider’s business background, reputation, and strategy, as well as its financial performance and condition, operations, and internal controls.
• Contract provisions and considerations. The Fed and OCC guidance provide comprehensive information on the elements of what they consider well-defined contracts. Institutions should make sure service provider contracts cover certain topics, including:
• Scope of services covered
• Cost and compensation
• Right to audit
• Performance standards
• Confidentiality and security of information
• Default and termination
• Limits on liability
• Customer complaints
• Business resumption and contingency plan of the service provider
• Subcontractor use
• Incentive compensation review. Institutions should establish an effective process to review and approve incentive compensation arrangements that may be embedded in service provider contracts to avoid encouraging “imprudent” risk-taking. OCC guidance specifically identifies the need for banks to review whether fee structure and incentives would create burdensome upfront fees or result in inappropriate risk-taking by the third party or the bank.
• Oversight and monitoring of service providers. Institutions should set forth the processes for measuring performance against contractually required service levels and correlate the frequency of performance reviews to the risk profile of the service provider.
This includes making sure that risk management processes include triggers to escalate oversight and monitoring when service providers fail to meet performance, compliance, control, or viability expectations. These procedures should include more frequent and stringent monitoring and follow-up on identified issues and on-site control reviews. It should also be clear when an institution should exercise its right to audit a service provider’s adherence to the terms of the agreement.
• Business continuity and contingency plans. Institutions should develop contingency plans that focus on critical services and consider alternative arrangements in the event a service provider is unable to perform its contractual duties or if an interruption in service occurs.
The guidance specifies that financial institutions should:
• Have disaster recovery and business continuity plans with regard to the contracted services and products.
• Assess the adequacy and effectiveness of a service provider’s disaster recovery and business continuity plans and the alignment of the provider’s plans to its own plans.
• Document which roles will take on which responsibilities for maintaining and testing the service provider’s business continuity and contingency plans.
• Test the service provider’s business continuity and contingency plans on a periodic basis for adequacy and effectiveness.
• Maintain an exit strategy, including a pool of comparable service providers.
Risk management also includes protecting against other risks. Regulators have signaled toward a number of additional risk considerations, including confidentiality of suspicious activity report (SAR) reporting functions; foreign-based service providers’ compliance with U.S. laws, regulations, and regulatory guidance; prohibitions against outsourcing internal audit functions in violation of the Sarbanes-Oxley Act; and alignment of outsourced model risk management with existing Fed and OCC guidance on risk management.
About the authors