For years, banks have relied on third party vendors to provide specialized products or services, or have used outsourcing as a way to reduce internal operating costs. In the wake of the financial crisis, however, regulators have become increasingly concerned about the risks associated with such vendor outsourcing. In part, these concerns are due to the fact that vendors are often not directly subject to bank examination or reporting requirements. In the view of the federal bank regulatory agencies, the use of a vendor for a particular activity does not lessen the responsibility of a bank’s board of directors and senior management to ensure that such activity conforms to sound banking practices and applicable law.
Since 2012, the Federal Reserve Board (Fed), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Federal Financial Institutions Examination Council (FFIEC) and the Consumer Financial Protection Bureau (CFPB) have all issued guidance to address regulatory expectations for managing third party service providers. In addition to their supervisory powers over banks, these agencies have regulatory authority over vendors stemming from the Bank Service Company Act (BSCA) and, in the case of the CFPB, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Under these statutes, the agencies have the power to examine and regulate the activities of vendors to the same extent as if these activities were performed by the bank itself.
The guidance recommends that banks establish a vendor management program composed of five elements: 1) Risk Assessment; 2) Due Diligence; 3) Well-Drafted Contracts; 4) Continuous Oversight; and 5) Contingency Planning.
Risk Assessment
Banks should take a risk-based approach to their vendor relationships, differentiating between critical and non-critical activities. “Critical activities” are those that include significant bank functions, involve access to sensitive customer data or involve significant annual dollar volumes. Examples of such activities may include a vendor involved in daily deposit operations, or an IT vendor that stores or has access to customer non-public personal information. Because critical activities could expose both banks and consumers to significant risks, the regulators expect banks to conduct a higher level of due diligence before entering into such relationships, and to employ stricter oversight over the course of such relationships
Due Diligence
Banks should conduct thorough due diligence to verify that the service provider is capable of providing the product or service without exposing the bank to financial, legal or reputational risk. This should include a review of the vendor’s financial strength, history and reputation, and any past or current legal or regulatory issues. Banks should evaluate the third party’s compliance program to confirm that they are properly licensed, have detailed and up-to-date compliance policies and procedures, and that the vendor adequately trains its personnel to operate in compliance with applicable laws and regulations.
Contracts
When negotiating contracts, banks should review contract provisions in detail, and ensure that specific expectations and obligations of both parties are well documented. This includes not only payment terms, but automatic renewals and notifications, compliance requirements, service levels and related periodic reporting, early termination rights, complaint management and resolution, and disaster recovery. Contracts should also include provisions that govern the vendor’s use of subcontractors, including assurance that the vendor is liable for acts or failures of any subcontractors.
Oversight
Banks should actively monitor vendor performance, investigate any consumer or regulatory complaints, and, depending on the risk profile, consider periodic audits of the vendor’s performance and regulatory compliance. Bank boards of directors and senior management are responsible for ensuring that vendors are supervised and monitored at a level commensurate with the bank’s risk assessment of that vendor relationship. This includes approving written, risk-based policies governing vendor management, reviewing and approving plans for outsourcing critical activities, reviewing due diligence summaries and ensuring that any management issues revealed by ongoing monitoring are remedied.
Contingency Planning
Banks should also develop a contingency plan to ensure that the bank can transition the activities to another vendor, perform the activities internally, or discontinue the activities when a contract expires, the terms of the contract are complete, in response to failure or default by the vendor, or in response to changes to the bank’s business strategy.
Not only have the federal regulators been active in issuing guidance, but there also have been multiple enforcement actions in the last few years against banks and their service providers, imposing civil money penalties and ordering significant restitution payments to impacted consumers. These enforcement actions provide a clear warning to banks that outsourcing requires intensive oversight and management, and reinforces the view of the regulators that the use of vendors does not absolve banks from liability for actions taken by those vendors.
