When Vendors Make Mistakes, Financial Services Companies Suffer the Consequences
The Consumer Financial Protection Bureau (CFPB) and Office of the Comptroller of the Currency (OCC) have voiced renewed concerns over third-party risk in financial services. Although the agencies’ focus on third-party service providers is not new, their increased scrutiny compels financial institutions to design and implement game-changing best practices to better monitor and manage third-party risk.
Proactive risk management has always been one of the cornerstones of the financial services industry. Yet while risk management has historically been inward-focused, regulators are calling for chief executive officers, chief risk officers, department and division heads and other interested parties to train their eyes on their third-party business relationships and arrangements as well. The reasons for doing so are quite persuasive: to avoid large financial, enforcement and reputational costs.
In an effort to assist financial institutions to better navigate the playing field, earlier this year the OCC issued updated guidance in response to questions on third-party risk management raised by banks and federal savings associations. In OCC Bulletin 2017-21, the regulator addresses a range of queries from the basics, such as defining what it considers a third-party relationship, to more substantive topics like how banks should structure their third-party risk management process and whether an arrangement with a financial technology (fintech) company is considered a critical activity requiring inclusion in the bank’s third-party risk management process.
Not surprisingly, the OCC defines a third-party relationship rather broadly: any business arrangement between the financial institution and another entity, by contract or otherwise. The arrangement may incorporate one or more of several activities involving outsourced products and services; use of outside consultants or networking arrangements; joint ventures; and other business arrangements in which a bank has an ongoing third-party relationship or is responsible for maintaining the related records. If a fintech company performs services or delivers products to a bank’s customer base, says the OCC, the relationship meets the definition of a third-party relationship.
As for how banks should structure their third-party risk management process, the OCC readily acknowledges that various approaches are acceptable so long as the process is appropriate to the level of risk and complexity of the banks’ third-party relationships. Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third-party service providers that support critical activities. Third-party risk management must be an integral, embedded component of a financial institution’s overall approach to risk management.
Typically, a bank will either centralize the process under its compliance, audit, risk management, information security or procurement functions or it will distribute accountability for the third-party risk management process among its business lines. Most important, for critical activities the OCC expects that due diligence and ongoing monitoring will be robust, comprehensive and appropriately documented.
Similarly, the CFPB this past spring signaled its intention to involve itself deeper in third-party vendor oversight. Previously, the CFPB stressed that effective service provider oversight is a crucial component of any Compliance Management System (CMS). More recently, however, the CFPB emphasized that it “has and will continue” to directly evaluate the oversight of service providers in its compliance management reviews. In the Spring 2017 issue of the CFPB’s Supervisory Highlights, the CFPB warns of the risk posed by a single service provider that provides compliance tools – including software packages, electronic system platforms and other types of technological tools to facilitate compliance with Federal consumer financial laws – to many institutions. To be sure, an error committed by, or attack perpetrated on, the service provider could impact thousands of participants in any particular market.
To the point, the CFPB has begun to develop and implement a program to supervise third-party service providers directly. The stated goal is to provide the CFPB the opportunity to monitor and potentially reduce risks to consumers at their source. What is particularly striking is the prescient timing of the CFPB’s action. The Spring 2017 issue of the CFPB’s Supervisory Highlights carries an April 2017 publication date: four months prior to the revelation of the massive Equifax data breach. No doubt the form and structure of the CFPB’s future service provider supervisory activities will be shaped by what it learns through its initial examination of some service providers, which is intended to give it insight into the structure of these companies, their operations, their compliance systems and their CMS. One point of interest: left unsaid by the CFPB are the details of how its direct supervision of third-party service providers will synchronize with the risk management processes being implemented by financial institutions.
What is certain, however, is that as a direct response to greater awareness of risk, sensitivity to the critical issues and related consequences and greater regulatory scrutiny, financial institutions are stepping up to address and manage their third-party risk management process.
An honest and thorough self-assessment of all vendor business relationships and arrangements is essential for understanding third-party risk. In addition, the board and top management must be fully engaged and key decision-makers and stakeholders held accountable for effectively overseeing and managing third-party risk in a manner that is appropriate to the level of risk and complexity of the banks’ third-party relationships.