FRB Issues Guidance on Managing Risks from the Use of Third Party Service Providers

The FRB issued guidance on managing outsourcing risks (the “Guidance”), intended to highlight the potential risks arising from the use of third-party service providers, describe the components of an appropriate service provider risk management program, and supplement previous guidance on technology service provider risk. The Guidance provides that prior to entering into and managing outsourcing arrangements, financial institutions should consider the following risks: (1) compliance risks; (2) concentration risks (i.e., when outsourced services or products are provided by a limited number of service providers or are concentrated in a limited geographic location); (3) reputational risks; (4) country risks (i.e., use of a foreign-based service provider); (5) operational risks; and (6) legal risks. The Guidance also stresses that the use of a service provider does not relieve a financial institution’s board of directors and senior management of their responsibility to ensure that the use of service providers is conducted in a safe-and-sound manner and in compliance with applicable law; rather, there is an affirmative responsibility “for ensuring that board-approved policies for the use of service providers are appropriately executed.”

The Guidance also outlines the components of an appropriate service provider risk management program. In particular, the Guidance identifies “core elements” of an effective program, which include risk assessments, due diligence and selection of service providers, incentive compensation review, and oversight and monitoring of service providers, among other elements. For example, the Guidance provides that a financial institution should conduct an evaluation of and perform due diligence on a prospective service provider. The extent of due diligence will vary depending on the scope, complexity, and importance of the planned outsourcing, but should include, among other things, consideration of the proposed vendor’s: (1) business background, reputation and strategy; (2) financial performance and condition; and (3) operations and internal controls. Another key component of an appropriate service provider risk management program is understanding the service contract and any related legal issues. There should also be an effective process in place to review and approve any incentive compensation that may exist in service provider agreements. Finally, the Guidance identifies other risk considerations, including the risk of using third-party service providers to comply with the suspicious activity report requirements under the Bank Secrecy Act, risks unique to foreign-based service providers (e.g., a foreign service provider’s ability to comply with U.S. law), and the service provider’s own risk management activities. The OCC’s recent guidance on managing risks of use of third-party service providers was discussed in the November 12, 2013 Financial Services Alert.

IRS Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this informational piece (including any attachments) is not intended or written to be used, and may not be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin Procter LLP | Attorney Advertising
