Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship

Transcription

1 THE 4 TH NATIONAL CONFERENCE ON OUTSOURCING IN FINANCIAL SERVICES NEGOTIATING, MANAGING & TERMINATING OUTSOURCING RELATIONSHIPS WHILE ENSURING REGULATORY COMPLIANCE Renaissance Mayflower, Washington, DC April 20-21, 2005 Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship By Steven M. Kaplan, Esq. Kirkpatrick & Lockhart Nicholson Graham LLP 1800 Massachusetts Avenue Washington, DC (202) (202) fax skaplan@klng.com M:\Cross Marketing\May 05\DC-# v1-MBG_Outsourcing_Speech_Outline.DOC

2 Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship I. INTRODUCTION: PREPARING A DUE DILIGENCE GAME PLAN A. Defining the Goals and Risks B. Assembling the Team C. Choosing a Law Firm or Deciding to Not Use a Law Firm II. RISK MANAGEMENT: DEFINING THE RISKS The broader context for due diligence is risk management: Pre-contractual due diligence is an essential component of effective risk management in outsourcing services. The FFIEC defines risk management as: The Process of identifying, measuring, monitoring and making risk. 1 The FFIEC s recently issued Outsourcing Handbook divides risk management in four interrelated areas: Risk assessment and the definition of outsourcing requirements; RFPs and due diligence on prospective service providers; Negotiation and implementation of the outsourcing contract; and Monitoring the outsourcing relationship. 1 THE FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL (the FFIEC ) Information Technology ( IT ) Examination Handbook on Outsourcing Technology Services (the OTS Handbook ). The FFIEC issued the Outsourcing Technology Services IT Examination Handbook in June It is available online at see also, e.g., FEDERAL DEPOSIT INSURANCE CORPORATION, Offshore Outsourcing of Data Services by Insured Institutions and Associated Privacy Risks (June 10, 2004); OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC : Bank Use of Foreign- Based Third Party Service Providers (May 15, 2002); OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC : Third Party Relationships (Nov. 1, 2001)

3 A. First Steps: Risk Assessment and Requirements Definition The FFIEC emphasizes that outsourcing can contribute to operational risks. These risks can range from a service provider s errors or fraud in processing mortgage loan applications or payments through the service provider s substandard maintenance of computer systems and consequent hacking and theft of customer information. 2 The Outsourcing Handbook identifies four risks associated with operational risks that form the backdrop against which management should determine whether the institution should outsource and, if so, its specifications for the outsourced services: Reputational risks: problems with outsourced technology could come to public attention and thereby harm the financial institution s reputation e.g., a service provider s failure to get a back-up system up and running and the institution s resulting failure to maintain business continuity; Strategic risks: outsourcing could impair the institution s ability to make good strategic decisions e.g., a service provider provides inaccurate information that leads management to make a bad decision as to the loan customers that the institution targets or the financial products that it promotes; Compliance risks: the potential consequences to the institution if a service provider fails to comply with applicable regulatory and other legal requirements e.g., a service provider makes inaccurate or late consumer compliance disclosures or uses customers confidential information in an unauthorized way; and Interest rate, liquidity, and market risks: a service provider could fail to provide information, or could provide inaccurate information, that leads to interest rate errors, impaired liquidity, or bad investment decisions. Scope: The FFIEC s Broad Definition of Outsourcing Outsourcing is the practice of contracting with another entity to perform services that might otherwise be conducted in-house. (2) Contracting with third parties to perform activities, duties, or functions. 2 The Outsourcing Handbook notes that the IT Handbook s Supervision of Technology Service Providers (service provider) Booklet, available online at provider/tech_ser_provider.pdf, provides an analysis of operational risks associated IT generally

4 Outsourcing can span origination, processing and settlement services, information processing, loan processing, security monitoring and testing, development and maintenance of computer systems, network and help desk operations, servicing, debt collection, telemarketing and call centers. It is the key that institutions IT staff and lawyers bear in mind the Outsourcing Handbook s guidelines when selecting and negotiating contracts with service providers to perform any IT functions that could be performed internally, as well as any other significant services. Board and Senior Management Responsibilities The Outsourcing Handbook emphasizes that the board of directors and senior management of a financial institution must bear ultimate responsibility for determining whether to enter into outsourcing transactions and for overseeing the outsourcing relationships that the financial institution establishes. The directors and officers of a financial institution should determine, as a matter of institutionwide management, whether, and to what extent, the institution s internal functions can and should be outsourced. The FFIEC directs a financial institution s board and management to base their conclusions on risks that outsourcing presents for the institution and whether the outsourcing is appropriate in light of the institution s size and complexity. The FFIEC further directs the board and management to adopt and execute policies to ensure consistency in the institution s outsourcing decisions, management, and oversight. B. Next Step: Selecting the Service Provider The Outsourcing Handbook next specifies the following steps for institutions to follow in selecting a service provider: 1. The Request for Proposal: First, should the RFP process be limited to the service provider? Should it also include selecting due diligence team (law firms, consultants, etc.)? An institution s IT and other staff members involved in outsourcing may be as unaccustomed to issuing RFPs as they are to creating a formal requirements document. The FFIEC prescribes the RFP process in the Outsourcing Handbook, however, and an examiner consequently may wish to review an institution s RFPs, especially those for significant outsourcing transactions. If the IT staff and other outsourcing stakeholders have prepared the detailed requirements document described above, compiling the RFP should be relatively - 4 -

5 straightforward. The issues to be addressed in the RFP mirror those covered in that document. Noting that the level of detail in RFPs may vary (presumably according to the complexity and criticality of the functions to be outsourced), the Outsourcing Handbook states that an RFP should address the following: Objectives Scope and nature of outsourced functions Service levels Delivery timelines Technology and services metrics Controls Security Policies Business continuity Change of control 2. Due Diligence: The FFIEC stresses that the institution should perform due diligence on both the service provider and the service provider s response to the RFP. The FFIEC acknowledges, however, that the extent and formality of due diligence may vary according to the risks that the proposed outsourcing transaction poses, familiarity with the prospective service provider, and the stage that the institution has reached in the selection process. The Outsourcing Handbook states that the institution should, in the course of due diligence, accomplish the following: Ensure that the service provider is a validly existing entity, and check its corporate history. Check the qualifications of the service provider and its principals. Perform criminal background checks in sensitive outsourcing cases. Check references and otherwise investigate the service provider s reputation. Investigate the service provider s finances. Review audited financial statements. Investigate the service provider s ability to deliver on its commitments and overall effectiveness. Investigate the service provider s system of internal quality and other controls, its security history, and the extent to which it is audited, financially and otherwise

6 Check the service provider s compliance history and the extent, if any, to which it has been subject to complaints, litigation, and regulatory actions. Pursue the service provider s reliance on third party service providers. Check into the service provider s insurance coverage. Investigate the service provider s disaster recovery and business continuity plans. Consider intangibles, such as the service provider s culture and business style and the service provider s consequent fit with the institution. Consider other unique issues such as rating agency requirements. C. Information Security and Safeguarding The FFIEC also emphasizes that an institution should perform due diligence on a prospective service provider s ability to maintain the security of the institution s data and should filter the sensitive information that the institution provides to a service provider. D. Foreign Service Providers Compliance Risks: Outsourcing to a foreign service provider increases risks monitoring compliance with U.S. laws and regulations. Outsourcing to a foreign service provider also places additional compliance obligations, including export control obligations and obligations to comply with sanctions and embargos implemented by the U.S. Treasury Office of Foreign Assets Control, on the institution. Due Diligence: An institution must perform due diligence on the extent to which the foreign location of the service provider will add to outsourcing risks, in addition to performing the due diligence that the Outsourcing Handbook specifies for non-foreign service providers. Regulatory Access to Information: An institution must ensure that U.S. regulatory institutions have the ability to assess the services performed by the foreign service provider and that it keeps at a U.S. location English language documentation that the institution and the foreign service provider are meeting their U.S. regulatory obligations

7 III. DUE DILIGENCE STRATEGY The due diligence process will depend on the nature of the service. The process will be more or less comprehensive depending on the complexity of the service. Perform on-site due diligence whenever possible. If the service provider is a foreign corporation, more on-site time may be necessary. Permit sufficient on-site time to ensure that representations regarding the service provider s compliance operations are accurate. It is beneficial to: Engage an international law firm in that country with attorneys who can spend significant time assessing the service provider or do so over the course of a few months; AND/OR Engage local counsel to assess the service provider s compliance with the laws of the service provider s jurisdiction, and who also has knowledge of the jurisdiction s legal environment (such as an awareness of which laws are actually enforced). A. Overall Compliance Capability: Does the management demonstrate a commitment to regulatory/legal compliance? What is their background and experience? Has the service provider demonstrated a capacity to comply with applicable law in providing similar services for other entities? Is the service provider familiar with the legal/regulatory compliance issues of the outsourcing company? For example Federal Regulations Engage local counsel to assess the service provider s compliance with the laws of the service provider s jurisdiction, and who also has knowledge of the jurisdiction s legal environment (such as an awareness of which laws are actually enforced)

8 Is the service provider capable of complying with all federal requirements that apply to the outsourcing company? Depending on the type of service provider (e.g., loan processor, loan servicer, debt collector, telemarketer, call center, etc.) is the provider capable of complying with requirements unique to that service provider e.g. RESPA, TILA, ECOA, HMDA, FCRA, Fair Housing, Flood, HOEPA, GLBA/information security, FDCPA, TCPA, to name a few). State Regulations Does the service provider understand and is the service provider capable of complying with all state requirements that apply to the service provider and the outsourcing company, where necessary? Does the service provider understand and is the service provider capable of complying with all state requirements that apply to the service provider and the outsourcing company, where necessary? Is the service provider s process of updating state requirements adequate? B. Current Compliance Status: Is the service provider in compliance with all applicable laws, including any licensing requirements and regulatory approvals, as well as federal, state, and local laws and regulations

9 C. Compliance Procedures: Does the service provider have a compliance or legal/compliance department? What are the experience and skill levels of the key legal/compliance personnel? How long have they worked for the service provider? Does the service provider conduct regular compliance audits/reviews? Do available compliance reviews reveal any patterns of legal/regulatory noncompliance or internal procedures irregularities that could lead to noncompliance? Does the service provider have written policies and procedures that accurately and adequately address applicable legal/regulatory requirements? How does the service provider track employee/system adherence to policies and procedures? Does the service provider provide employees with compliance training? What are the experience and skill levels of employees who will perform functions with sensitive legal/regulatory implications? What are their retention rates? D. Customer Complaints/Customer Satisfaction Surveys: Does the service provider use customer satisfaction surveys? Does the service provider have a customer complaints process in place? How (and how quickly) does the service provider address customer complaints? Do available customer complaints and surveys reveal any patterns of legal/regulatory noncompliance or internal procedures irregularities that could lead to noncompliance? E. Regulatory Audits: Has the service provider been subject to regulatory audits/examinations? What legal/regulatory issues were revealed by those examinations? - 9 -

10 How has the service provider dealt with those issues? Are any of those issues recurring? Are the service provider s management and legal/compliance teams experienced in communicating with regulators? Have they demonstrated a willingness and capacity to cooperate with regulators? F. Litigation/Administrative Actions: Is any material litigation or administrative action pending against the service provider that involves the types of services that the outsourcing company needs? Will an adverse outcome have a material impact on the service provider s ability to perform services? Does pending litigation or administrative action indicate a pattern of noncompliance in a particular area of operations critical to delivery of services to the outsourcing company? G. Legal Compliance Technology: Is the service provider s compliance-related hardware and software (if any) state-of-the-art? Does the service provider have a compliance technology maintenance program? What changes may need to be made to the service provider s compliance technology to integrate special legal compliance issues of the outsourcing company? Is the service provider s compliance technology capable of integrating those changes? Does the software have sufficient flexibility to do so? Is it easy to make changes/customize the compliance software to the outsourcing company s needs? Can the system be updated easily? Does the service provider s compliance technology have sufficient capacity to support an increased load from the outsourcing company?

11 Is system documentation comprehensive and clear? Does the system produce a wide range of customizable compliance reports? Do compliance and other technology systems of the service provider and any subcontractors interface easily and appropriately? H. Privacy/Information Security: Is the service provider capable of ensuring that its employees will not have unauthorized access to the outsourcing company s customer data, or other confidential data regarding the institution? 3 I. Subcontractors: If relevant, what is the service provider s process for conducting due diligence of subcontractors, support vendors, and other third parties that may be involved in performing services for the outsourcing company? J. Record Retention/Access: What records must the service provider maintain? For how long? Is the service provider capable of doing so? Will the outsourcing company have easy access to service provider records and other compliance-related documents for compliance monitoring and audits? K. Effect on Relationship with Primary Regulator IV. CASE STUDIES: HOW NOT TO CONDUCT DUE DILIGENCE THIS OUTLINE IS FOR INFORMATIONAL PURPOSES AND DOES NOT CONTAIN OR CONVEY LEGAL ADVICE. THE INFORMATION HEREIN SHOULD NOT BE USED OR RELIED UPON IN REGARD TO ANY PARTICULAR FACTS OR CIRCUMSTANCES WITHOUT FIRST CONSULTING A LAWYER. 3 See, e.g., FFIEC, Interagency Guidance on Response Programs: Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, FIL (April 1, 2005)