More than ever before, banks are relying on third-party vendors for important services such as marketing, underwriting assistance, technology, collections, settlement services and even outsourcing of product lines. These third-party services can offer significant benefits in terms of efficiency and customer service, but they also present a range of risks that must be managed carefully. Regulators expect boards of directors and senior management to identify and control risks arising from third-party relationships as if the bank were performing the activities itself, and they have made these relationships a focus of supervision.
Third-party risks are not always easy to identify. For example, the Real Estate Settlement Procedures Act (RESPA) prohibits giving or accepting “any fee, kickback, or thing of value” as part of a referral agreement. Because some settlement services are paid for by the lender while others are paid for by the borrower, settlement service vendor relationships can create RESPA risk when the vendor “bundles” both types of services. If a settlement service provider discounts its lender-paid services but not its borrower-paid services, this could be found to violate Section 8(a) of RESPA by providing a thing of value (reduced-price lender-paid services) in exchange for the lender sending its borrower-paid services to the same settlement service provider without the same discount. Although a consumer may not be harmed financially, there is still a thing of value (the reduced costs of the lender-paid services) being provided in exchange for what looks like a referral arrangement.
In order to manage these risks, banks should maintain robust vendor management programs that include assessing the risks of using a third-party vendor, conducting adequate due diligence on vendors before using them, documenting vendor responsibilities in well-drafted contracts, overseeing and monitoring vendor relationships with ongoing documentation, and adopting contingency plans such as the use of backup vendors to mitigate operational failures. All of these efforts should follow guidance from the OCC, the FDIC, the Federal Reserve or state regulators, as applicable.
Outside counsel can help banks assess third-party risk, conduct due diligence, document vendor relationships, and design oversight and monitoring programs consistent with best practices and regulator expectations.