FRB Issues Guidance on Managing Risks from the Use of Third Party Service Providers


The FRB issued guidance on managing outsourcing risks (the “Guidance”), intended to highlight the potential risks arising from the use of third-party service providers, describe the components of an appropriate service provider risk management program, and supplement previous guidance on technology service provider risk. The Guidance provides that prior to entering into and managing outsourcing arrangements, financial institutions should consider the following risks: (1) compliance risks; (2) concentration risks (i.e., when outsourced services or products are provided by a limited number of service providers or are concentrated in a limited geographic location); (3) reputational risks; (4) country risks (i.e., use of a foreign-based service provider); (5) operational risks; and (6) legal risks. The Guidance also stresses that the use of a service provider does not relieve a financial institution’s board of directors and senior management of their responsibility to ensure that the use of service providers is conducted in a safe-and-sound manner and in compliance with applicable law; rather, there is an affirmative responsibility “for ensuring that board-approved policies for the use of service providers are appropriately executed.”

The Guidance also outlines the components of an appropriate service provider risk management program. In particular, the Guidance identifies “core elements” of an effective program, which include risk assessments, due diligence and selection of service providers, incentive compensation review, and oversight and monitoring of service providers, among other elements. For example, the Guidance provides that a financial institution should conduct an evaluation of and perform due diligence on a prospective service provider. The extent of due diligence will vary depending on the scope, complexity, and importance of the planned outsourcing, but should include, among other things, consideration of the proposed vendor’s: (1) business background, reputation and strategy; (2) financial performance and condition; and (3) operations and internal controls. Another key component of an appropriate service provider risk management program is understanding the service contract and any related legal issues. There should also be an effective process in place to review and approve any incentive compensation that may exist in service provider agreements. Finally, the Guidance identifies other risk considerations, including the risk of using third-party service providers to comply with the suspicious activity report requirements under the Bank Secrecy Act, risks unique to foreign-based service providers (e.g., a foreign service provider’s ability to comply with U.S. law), and the service provider’s own risk management activities. The OCC’s recent guidance on managing the risks of using third-party service providers was discussed in the November 12, 2013 Financial Services Alert.

IRS Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this informational piece (including any attachments) is not intended or written to be used, and may not be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising
