FINANCIAL SERVICES FLASH REPORT

Transcription

1 FINANCIAL SERVICES FLASH REPORT OCC Updates Guidance on Third-Party Relationships December 2, 2013 Introduction On November 4, 2013, the Office of the Comptroller of the Currency (OCC) released Bulletin ( the Bulletin ) titled Third-Party Relationships. The Bulletin, which rescinds guidance previously issued in 2000 and 2001, 1 updates the OCC s published expectations regarding how national banks and federal thrifts are expected to identify, mitigate and monitor the risks associated with vendors and other third parties with which the institutions do business. This Flash Report: Discusses OCC in the context of recent economic and regulatory issues the financial services industry has faced. Highlights some of the key requirements of the Bulletin, with emphasis on those provisions that go above and beyond previous guidance. Shares our insights regarding the unique challenges these new guidelines will create for financial institutions, and offers practical ideas to help address those challenges. Background Myriad regulatory standards and expectations related to third-party management have been in place for years. Financial institutions have long had programs to manage risks associated with third-party relationships, focusing on areas such as privacy/information security, protection of the bank s intellectual property, and the third party s business continuity/disaster recovery practices, among others. Financial services organizations traditionally place more emphasis on due diligence when a new third party is engaged and rely on protections set forth in their third-party contracts. Typically, there is less active oversight throughout the life of the third-party relationship, and any ongoing third-party risk management activities are undertaken in silos, rather than on a consolidated, enterprisewide basis. However, events tied to the global financial crisis are changing this paradigm significantly. For example, as foreclosure volumes spiked during the onset of the crisis in 2007, many institutions found that thirdparty foreclosure attorneys, property preservation firms and other service providers had improperly handled cases assigned to them. This led to multiple regulatory enforcement actions and settlements requiring mortgage servicers to improve their risk management efforts, including third-party oversight practices. Also, the Consumer Financial Protection Bureau (CFPB), established as part of the Dodd-Frank Act, now has responsibility for administering various consumer protection laws that previously were within the purview of the OCC and other federal agencies. Since assuming its authority in July 2011, the CFPB has published its own mortgage servicing standards with significant new service provider oversight 1 OCC AL and Bulletin , respectively.

2 requirements, and issued other bulletins related in whole or in part to third-party management (e.g., and ). In addition, the CFPB has taken numerous public enforcement actions against credit card lenders and other financial service providers that were based in large part on activities performed by or in cooperation with their third-party service providers. The CFPB also is exercising its authority to supervise service providers that participate in offering consumer financial products CFPB examinations and investigations have led to public enforcement actions against both the service providers and the banks with which they partnered. Meanwhile, facing increased pressure to cut costs and find new sources of revenue, financial institutions continue to expand the number and types of their third-party relationships in the form of traditional outsourcing of additional bank processes as well as increased use of joint marketing arrangements, including offering add-on products through third-party business partners. In light of the evolving risks financial institutions and their customers face related to growing reliance on third parties, the OCC recognized the need to strengthen the third-party relationship standards it first issued 13 years ago. Which Financial Services Institutions Are Affected? By definition, the Bulletin only strictly applies to national banks and federal savings associations. However, it should be noted that OCC Bulletin historically was viewed as the most allencompassing standard issued by any of the regulatory agencies with respect to third-party management. As such, it was commonly considered a de facto standard across the industry. Additionally, the current regulatory environment is one in which no regulatory agency wants to be seen as taking a softer line on supervision than its peers, so we expect similar guidelines to be issued by other agencies as well. As a result, banks of all types should examine the Bulletin closely and assess its relevance to their operations. What Does OCC Bulletin Say? A brief comparison of to could lead one to conclude that there are very few differences. The old and new standards broadly cover the same topics, with both viewing third-party risk management as a lifecycle and setting forth the expectation that banks identify and manage third-party risk from the time the arrangement is contemplated, to selection and onboarding of third parties, and then throughout the active life of the relationship. Similarly, most of the major risk domains included in , such as Legal and Regulatory Compliance, Financial Condition, and Information Security, are addressed in as well. However, it would be a mistake to view simply as a reframing of existing guidance. As the layers of each lifecycle stage and type of risk are peeled back, it becomes clear that establishes significantly more detailed and prescriptive standards than existed previously. Put simply, takes what up until now would have been considered best-in-class leading practices, adopted by relatively few firms to date, and makes those the new universal standard for the entire national bank industry. Key aspects of OCC include: A refreshed view of the Risk Management Life Cycle in the third-party oversight context, as displayed in the following graphic: Protiviti 2

3 The concept of critical activities in which third parties are involved, requiring more comprehensive and rigorous oversight and management of third-party relationships that are subject to this standard Critical activities defined as significant bank functions (such as payments, clearing, settlements or custody), as well as those activities that expose the bank to significant risk in the event of third-party failures, could have a significant impact on bank customers, require a significant resource investment on the part of the bank to manage, and/or could not easily be replaced with another third party or in-sourced if the particular relationship in question had to be terminated. One area of risk covered in both the historical and new standards is the need to consider legal, regulatory and reputation risks prior to initiating a new third-party relationship. The following table provides a comparison of how the OCC s expectations related to this topic have evolved: OCC Requirements At the outset, banks should identify the strategic purposes, benefits, legal aspects, costs and risks associated with the third-party activity, including reputational risks if the standards associated with the activity or product differ from those customarily employed by the bank. Banks should involve their compliance management function in the due diligence and monitoring process when third-party products or services present significant risk to regulatory compliance. OCC Updates Before entering into a third-party relationship, senior management should develop a plan to manage the relationship. The management plan should be commensurate with the level of risk and complexity of the third-party relationship and should assess the extent to which the activities are subject to specific laws and regulations (e.g., privacy, information security, Bank Secrecy Act/Anti-Money Laundering [BSA/AML], fiduciary requirements). Protiviti 3

4 Internal auditors, compliance officers and legal counsel could help to analyze the risks associated with the third-party relationship and establish the necessary control and reporting structures. Due diligence should involve a thorough evaluation of all available information about the third party, and may include: Business reputation, complaints and litigation (by checking references, the Better Business Bureau, state attorneys general offices, state consumer affairs offices and, when appropriate, audit reports and regulatory reports); Qualifications, backgrounds and reputations of company principals to include criminal background checks, when appropriate. The bank should consider the following during due diligence: Evaluate the third party s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations. Check compliance status with regulators and self-regulatory organizations as appropriate. Evaluate the third party s depth of resources and previous experience providing the specific activity. Assess the third party s reputation, including history of customer complaints or litigation. Determine how long the third party has been in business, its market share for the activities, and whether there have been significant changes in the activities offered or in its business model. Conduct reference checks with external organizations and agencies such as industry associations, Better Business Bureau, Federal Trade Commission, state attorneys general offices, state consumer affairs offices and similar foreign authorities. Check U.S. Securities and Exchange Commission or other regulatory filings. Review the third party s websites and other marketing materials to ensure statements and assertions are in line with the bank s expectations and do not overstate or misrepresent activities and capabilities. Determine whether and how the third party plans to use the bank s name and reputation in marketing efforts. As should be clear from this comparison, establishes significantly more specific guidelines in this area, particularly the expectation that each applicable law and regulation to which the new relationship will be subject is mapped prior to contract, and that the bank independently review the third party s legal and regulatory compliance program. Numerous other examples exist throughout , especially in areas such as review of the third party s internal audit and training programs, consideration of contract termination risks, expectations related to the bank s board of directors in third-party risk management, and the bank s oversight of subcontractors used by the third party. Action Steps and Other Points to Consider Naturally, all institutions will need to do a gap assessment between their current practices and the standards now set forth in , and adjust their third-party risk management programs accordingly. In Protiviti 4

5 support of that effort, we ve summarized below a few of the unique dynamics and challenges the banking industry will face in this area: Dueling regulatory guidelines OCC concludes with an appendix listing other OCC guidelines applicable to third-party risk management. This list includes nine (9) separate releases under the Comptroller s Handbook, two (2) alerts, two (2) news releases, 37 bulletins, four (4) advisory letters, and one (1) banking circular. For good measure, the OCC also highlights two (2) FFIEC Handbooks related to third-party management. Daunting as they are to begin with, these lists do not include relevant standards issued by other regulatory agencies, such as the aforementioned CFPB regulations and bulletins, FDIC FIL , SEC guidance and enforcement actions related to use of third parties for specific activities such as fair value pricing, and countless others. The burden grows heavier still for multinational institutions doing business in the United States, which must comply with most or all of the requirements mentioned above along with similar standards issued by the authorities in their home countries or other jurisdictions in which they do business. Very few institutions have inventoried all applicable third-party management standards comprehensively and performed an assessment of how effectively the firm s current practices address them both individually and collectively. Considering the significant changes likely to result from on its own, now is an opportune time to make sure your program not only meets the recent OCC guidance, but also all other relevant standards issued by other agencies with jurisdiction over your institution. Building third-party inventories In our experience, many institutions are still struggling to develop and maintain a complete, up-to-date listing of all third parties with which the firm does business. Some firms keep separate lists by line of business and/or service type using different platforms and tools. Others have a good handle on their vendor list at an enterprise level (often validated using accounts payable information), but do not have a comprehensive listing of other third-party business partners, such as joint marketing arrangements. As regulatory burdens in this area continue to grow, they will be increasingly impossible to manage without confidence that a complete list of third parties exists as a starting point. Establishing such an inventory often requires a dedicated and time-consuming consolidation and cleansing effort with participation of multiple corporate functions and lines of business. Related to the comment above, institutions are often unable to identify consistently all of the various services provided by a particular vendor across all lines of business within the enterprise. Even if a master vendor listing exists, for example, it will often contain duplicate entries showing different trade names for what is ultimately a single third-party provider, and/or contain only the original and not all current services the third party provides, etc. These types of data integrity issues represent a significant barrier to being able to assess comprehensively the risk posed by a particular vendor and determine whether they should be considered critical under the new guidelines. Once complete lists of third parties and the services they provide have been developed as of a point in time, institutions should ensure their enhanced third-party lifecycle management programs developed under include effective change control mechanisms to maintain these lists on an ongoing basis. Need for unified risk assessment activities OCC and many other third-party management standards either require risk assessments or advocate a risk-based approach to managing third-party exposure. However, as noted above, many institutions still assess thirdparty risks by domain (e.g., information security, consumer protection, etc.) or by the particular type of service provided to a single line of business, and are unable to identify or report on the aggregate types and levels of risk posed by a particular third party across the enterprise. This approach can not only cause material risks to go undetected or be underrated, but also introduces significant inefficiencies and duplication of effort, as multiple functions across the enterprise request, analyze and document their review of the same information from the same vendors over and over again in a disconnected fashion. As financial institutions are already Protiviti 5

6 challenged to comply with what seems like an unlimited number of new requirements using a limited amount of resources, there is significant value in finding areas like this in which personnel currently assigned to unproductive tasks can be reallocated to performing the new activities that now must be developed. Roles and responsibilities As risk assessment and other third party-related processes are rationalized, many institutions are taking a fresh look at how accountability for these activities is distributed across the organization. Particularly in light of more specific OCC expectations for independent reviews of individual critical vendors as well as the third-party risk management process as a whole, it will be increasingly important to have clear delineation of roles and responsibilities in order to avoid duplicative efforts and preserve the independence of functions that must perform testing activities. As it relates to reviews of individual vendors, many firms are exploring how they might establish centralized functions at the second line of defense (usually either within operational risk or compliance) or their supplier management/procurement organization to perform these tasks. As these types of functions are built, organizations must ensure their mandate is clear relative to that of the day-to-day monitoring and oversight activities performed by the owners of the vendor relationships at the first line. Second-line functions may also struggle to make sure they have the right level of expertise in specialized risk areas such as technology and information security, antimoney laundering and consumer compliance. This is a particular challenge in the face of what is currently an unprecedented level of demand for these same skill sets in other areas of the bank, and across the industry as a whole. Generally speaking, most organizations are performing (or will perform) the independent review of the overall third-party risk management program at the third line of defense within the internal audit function, often supplemented initially by subject-matter experts on a co-sourced basis. Key areas of focus for internal audit should include completeness of the third-party universe, definitions of and processes to assess third-party risk and identify critical vendors, and the quality and depth of initial due diligence and ongoing oversight activities (including, especially, seeing that weaknesses identified with respect to particular vendors are properly escalated and completely resolved in a timely manner). Need to rationalize number of vendors If our problem statement is that each individual vendor relationship now requires more time and resources to oversee than the institution can afford, one obvious solution is to reduce the number of third parties your firm does business with in order to enhance oversight of the surviving providers. This is another point in favor of developing a complete view of all services provided across the enterprise by a particular third party, as it can help to identify opportunities to move additional services to providers that have already been risk Protiviti 6

7 assessed, are subject to existing oversight programs and consistently deliver high-quality levels of service. It is important, however, to balance these consolidation efforts with the risk highlighted in of over-dependence on particular service providers that could not be replaced easily or inexpensively. The need for shared assessments For a few risk domains and service provider categories, there already exist broadly accepted standards for the vendors themselves to engage independent reviews of their operations, which can then be shared with all of the interested clients of those vendors, eliminating the need for redundant reviews of the same functions by each client. Examples of these types of reviews include the SSAE 16 assessment standard (which replaced SAS 70 reviews) and Payment Card Industry audit requirements. We are aware of efforts underway to expand these solutions into other risk domains, such as standardized shared assessments for mortgage foreclosure attorneys. Although these initiatives must clear numerous hurdles privacy and information sharing restrictions, difficulty among all interested parties in agreeing on appropriate scope and coverage, questions about whether the results will be accepted by all appropriate regulators, etc. their necessity in the new environment is clear and we expect them to continue to gain interest and support. Impact on vendor organizations and their cost structures Although we ve focused primarily on how banks will respond to the new guidance, it s important to recognize that these heightened expectations will have at least as large and probably a larger impact on the third parties with which the banks do business, particularly critical vendors. At a minimum, third parties should expect a lengthier and more involved contracting process, with the need to disclose more detail than ever before about their internal control practices. Third parties will also need to support more regular and intrusive audits during the life of the relationship. Perhaps even more significantly, many third-party vendors will find that their own risk management systems require considerable enhancements to meet the new expectations of their bank clients and the regulators that supervise them. These enhancements, of course, will not be free in terms of the people required to build and execute them, potential lengthening of transaction cycle time as control checkpoints are added, investments in technology required to provide improved automated controls and reporting, etc. Together with an increased desire on the part of banks to reduce the number of third parties with which they do business, we see these combined factors driving a significant wave of consolidation within the bank service provider industry. Third parties will need to grow to a size that provides the critical mass necessary to implement the infrastructure and controls now expected. The increased cost of providing these services in a better-controlled manner, coupled with reduced competition as a result of consolidation, will result in higher fees being passed along to the financial services industry itself. These trends were already apparent in many areas (such as mortgage servicing), and are likely to be accelerated by the new OCC guidance. The cost/benefit analysis of outsourcing And that leads to our final point of consideration. Although and other historical guidelines have highlighted the need for institutions to analyze the benefits, costs and risks associated with partnering with third parties, few institutions maintained objective, robust models to do this for all (or even all critical) third parties. OCC adds more specific expectations in this regard, but even if it did not, the financial impact of all of the other dynamics above should be good cause for organizations in the banking industry to enhance their capabilities in this area on their own. When the increased costs of upfront due diligence and ongoing oversight are considered, banks may find it is more appropriate to continue to self-service activities that otherwise might have been outsourced. Similarly, increased regulatory scrutiny of joint marketing arrangements in general (and areas like add-on products, in particular) is already changing the risk-reward calculus for these types of programs, and the fact that the regulatory bar related to them is now being raised yet again will continue that trend. Protiviti 7

8 Summary OCC establishes game-changing expectations for third-party relationships. Financial institutions will need to be ready to provide evidence that a thoughtful, comprehensive third-party relationship program has been designed and implemented. Those banks that have established clear roles and responsibilities for risk management across the enterprise, invested in robust operational controls and technology platforms to assess, manage, and report on the effectiveness of these efforts, and can appropriately analyze the costs, risks, and benefits of existing and proposed third-party relationships will have significant advantages in the new environment. For all banks, though, the old adage that you can outsource the process, but you can t outsource the risk has never been more true. About Protiviti Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and FORTUNE Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. Contacts Carol Beaumier carol.beaumier@protiviti.com Tim Long timothy.long@protiviti.com Cory Gunderson cory.gunderson@protiviti.com Matthew Moore matthew.moore@protiviti.com Michael Brauneis michael.brauneis@protiviti.com 2013 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.