Any business relationship between a bank and another entity, by contract or otherwise

Transcription

1 An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise Third Party Relationships Outsourcing part of bank operations Offering services or products to bank customers Franchising bank s name Purpose 1

2 Reduce bank costs Increase bank revenue Accessing special expertise or efficiency Increasing bank s product offerings Benefits FDIC and OCC expect banks to identify significant or critical relationships, such as: New relationship New bank activity Material effect on bank s revenues or expenses Significant effect on bank s earnings or capital Identifying Significant/Critical Relationships FDIC and OCC expect banks to identify significant or critical relationships, such as: Critical function for bank Access to customer information Vendor is marketing bank products or services Potential for significant customer impacts Identifying Significant/Critical Relationships 2

3 Mortgage related front-end services and foreclosures Technology services Data processing services Payment processing services Examples of Common Relationships Compliance audits and monitoring Affinity and credit card providers Flood insurance monitoring Debt collection services Disclosure preparers Examples of Common Relationships Bank should have a risk management process commensurate with the level of risk and complexity of its third party relationships and bank s organizational structure Bank Responsibility Risk Management Process 3

4 Bank cannot shift responsibility to third party and is responsible for ensuring that activity is conducted in a safe and sound manner and in compliance with all applicable laws and regulations as well as bank s internal policies Bank Responsibility Risk Management Process Board of directors (or a committee of the board) and senior management are responsible for overseeing bank s risk management processes Bank Responsibility Risk Management Process Compliance Risk Violation of laws, rules or regulations or non-compliance with policies Privacy, UDAP, Fair Lending, TILA (Reg B), RESPA Third Party Relationship Risks 4

5 Strategic Risk Adverse business decisions Failure to implement appropriate business decisions in a manner consistent with institution s goals Third Party Relationship Risks Operational Risk Inadequate or failed internal processes, people or systems External events Third Party Relationship Risks Transaction Risk Third party s inability to perform its functions Inadequate capacity Technological failure Human error Fraud Threats to security and integrity of systems and resources Third Party Relationship Risks 5

6 Credit Risk Third party is unable to meet the terms of the contractual arrangements with bank Unable to financially perform as agreed Third Party Relationship Risks Other Risks Liquidity Interest Rate Price Foreign currency transaction Third Party Relationship Risks Risk Assessment Due Diligence Contract Negotiation Ongoing Monitoring Bank Responsibility Managing Risk 6

7 Is relationship consistent with bank s strategic planning and risk strategy? Risk/reward analysis for significant matters performed by management and reviewed by the board Involve outside parties if necessary attorneys, accountants, IT consultants Identify internal controls necessary to monitor third party relationships Risk Assessment For significant third party relationships, board may consider appointing a senior manager with requisite knowledge and experience to manage relationship Estimate long-term financial effect of third party relationship Risk Assessment Bank s due diligence process design should provide management with information needed to address quantitative and qualitative aspect of third party relationship to determine if relationship will achieve bank s goals and mitigate identified risks Due Diligence 7

8 Scope of due diligence depends on significance of activity High-risk large scale activities require more comprehensive review Due Diligence When conducting due diligence, banks may consider the following: Financial condition Business experience and reputation Qualifications Legal and regulatory compliance Due Diligence When conducting due diligence, banks may consider the following: Scope of internal controls Risk management Systems and data security Privacy protections Due Diligence 8

9 When conducting due diligence, banks may consider the following: Business resumption/contingency plans Knowledge of relevant consumer protection/civil rights laws Human resource management Reliance on subcontractors Insurance Due Diligence Ensure specific expectations and obligations of bank and third party are outlined in written contract Board approval should be obtained before entering into any material third party relationships Contract Structure and Negotiation Legal counsel should review significant contracts prior to finalization Bank contracts should generally address the following: Nature and scope of relationship Cost/compensation Performance standards Responsibility for compliance with applicable laws and regulations Contract Structure and Negotiation 9

10 Bank contracts should generally address the following: Reports and audit rights Confidentiality and security Customer complaints Business resumption/contingency plans Dispute resolutions Ownership and license Contract Structure and Negotiation Bank contracts should generally address the following: Indemnification Limits on liability Insurance Subcontracting Default and termination Contract Structure and Negotiation Maintain adequate oversight of third party activities and adequate quality control over those products and services provided by third parties Minimize exposure to financial loss, reputation damage and supervisory action Ongoing Monitoring 10

11 Board should initially approve, oversee and review at least annually significant third party arrangements, and review arrangements and contracts whenever this is a material change to the program Ongoing Monitoring Performance monitoring may include the following: Business strategy potential conflicts of interest Review of financial conditions and audits Compare actual earnings/costs to projections Review compliance with internal controls and security procedures Evaluate performance standards and compliance with those standards Ongoing Monitoring Performance monitoring may include the following: Determine adequacy of training and monitor changes in key personnel Monitor compliance with applicable laws and regulations, especially when third party interacts with consumers on behalf of bank Review business resumption contingency planning and costs Review customer complaints and responses to them Ongoing Monitoring 11

12 Ensure effective process is in place to manage risks related to third party relationships in a manner consistent with bank s strategic goals, organization s objectives and risk appetite Board Responsibility Oversight and Accountability Approve bank s risk-based policies that govern third party risk management process and identify critical activities Review and approve management plans for using third parties that involve critical activities/significant relationships Board Responsibility Oversight and Accountability Review summary of due diligence results and management s recommendations to use third parties that involve critical activities Approve significant contracts that involve critical activities Board Responsibility Oversight and Accountability 12

13 Review the results of management s ongoing monitoring of significant third party relationships, including relationships that involve critical activities Board Responsibility Oversight and Accountability Ensure management takes appropriate steps to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring Review results of periodic independent reviews of bank s third party risk management process Board Responsibility Oversight and Accountability FDIC reviews bank s management of significant third party relationships in safety and soundness examinations and compliance examinations Safety and soundness examinations review management s record and process of assessing, measuring, monitoring and controlling risks associated with bank s significant third party relationships Supervisory Reviews/Examinations 13

14 FDIC reviews bank s management of significant third party relationships in safety and soundness examinations and compliance examinations Compliance examinations: Evaluate the quality and effectiveness of bank s compliance risk management program as it pertains to third party relationships Supervisory Reviews/Examinations FDIC reviews bank s management of significant third party relationships in safety and soundness examinations and compliance examinations Compliance examinations: Review operations to ensure that products, services and activities of third party vendors comply with consumer protection and civil rights laws and regulations Supervisory Reviews/Examinations OCC expects banks to engage in robust analytical process to identify, measure, monitor and control the risks associated with third party relationships and to avoid excessive risk-taking that may threaten safety and soundness Failure to have effective risk management process may be an unsafe and unsound banking practice Supervisory Reviews/Examinations 14

15 Financial loss to the bank bad contracts may mean that bank will incur actual costs that harm the bank Litigation costs indemnification, termination provisions, limits of liability, etc. Penalties Regulators will note deficiencies on the examination reports, which may lead to enforcement actions and/or civil money penalties Reputation costs Penalties Financial Institution Letter Third Party Risks: Guidance for Managing Third Party Risk /fil08044a.pdf Additional Resources 15

16 OCC Bulletin Third Party Relationships: Risk Management Guidance bulletins/2013/bulletin html Additional Resources Federal Reserve Outlook Live Webinar Vendor Risk Management Compliance Considerations, May 2, pdf Additional Resources CFPB Bulletin Service Providers _cfpb_bulletin_serviceproviders.pdf Additional Resources 16

17 FFIEC IT Examination Handbook Outsourcing Technology Services June, Additional Resources FFIEC IT Examination Handbook Supervision of Technology Service Providers March, Additional Resources Federal Reserve Bank of New York Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks October, circulars/outsource.pdf Additional Resources 17