Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship




THE 4TH NATIONAL CONFERENCE ON OUTSOURCING IN FINANCIAL SERVICES
NEGOTIATING, MANAGING & TERMINATING OUTSOURCING RELATIONSHIPS WHILE ENSURING REGULATORY COMPLIANCE
Renaissance Mayflower, Washington, DC
April 20-21, 2005

Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship

By Steven M. Kaplan, Esq.
Kirkpatrick & Lockhart Nicholson Graham LLP
1800 Massachusetts Avenue
Washington, DC
(202) 778-9204
(202) 778-9100 - fax
skaplan@klng.com
www.klng.com

I. INTRODUCTION: PREPARING A DUE DILIGENCE GAME PLAN

A. Defining the Goals and Risks
B. Assembling the Team
C. Choosing a Law Firm or Deciding to Not Use a Law Firm

II. RISK MANAGEMENT: DEFINING THE RISKS

The broader context for due diligence is risk management: pre-contractual due diligence is an essential component of effective risk management in outsourcing services. The FFIEC defines risk management as "the process of identifying, measuring, monitoring and managing risk." [1] The FFIEC's recently issued Outsourcing Handbook divides risk management into four interrelated areas:

- Risk assessment and the definition of outsourcing requirements;
- RFPs and due diligence on prospective service providers;
- Negotiation and implementation of the outsourcing contract; and
- Monitoring the outsourcing relationship.

[1] THE FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL (the "FFIEC") Information Technology ("IT") Examination Handbook on Outsourcing Technology Services (the "OTS Handbook"). The FFIEC issued the Outsourcing Technology Services IT Examination Handbook in June 2004. It is available online at http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/outsourcing_booklet.pdf; see also, e.g., FEDERAL DEPOSIT INSURANCE CORPORATION, Offshore Outsourcing of Data Services by Insured Institutions and Associated Privacy Risks (June 10, 2004); OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC 2002-16: Bank Use of Foreign-Based Third Party Service Providers (May 15, 2002); OFFICE OF THE COMPTROLLER OF THE CURRENCY, OCC 2001-47: Third Party Relationships (Nov. 1, 2001).

A. First Steps: Risk Assessment and Requirements Definition

The FFIEC emphasizes that outsourcing can contribute to operational risks. These risks can range from a service provider's errors or fraud in processing mortgage loan applications or payments to the service provider's substandard maintenance of computer systems and the consequent hacking and theft of customer information. [2] The Outsourcing Handbook identifies four risks associated with operational risks that form the backdrop against which management should determine whether the institution should outsource and, if so, its specifications for the outsourced services:

- Reputational risks: problems with outsourced technology could come to public attention and thereby harm the financial institution's reputation, e.g., a service provider's failure to get a back-up system up and running and the institution's resulting failure to maintain business continuity;
- Strategic risks: outsourcing could impair the institution's ability to make good strategic decisions, e.g., a service provider provides inaccurate information that leads management to make a bad decision as to the loan customers that the institution targets or the financial products that it promotes;
- Compliance risks: the potential consequences to the institution if a service provider fails to comply with applicable regulatory and other legal requirements, e.g., a service provider makes inaccurate or late consumer compliance disclosures or uses customers' confidential information in an unauthorized way; and
- Interest rate, liquidity, and market risks: a service provider could fail to provide information, or could provide inaccurate information, that leads to interest rate errors, impaired liquidity, or bad investment decisions.

Scope: The FFIEC's Broad Definition of Outsourcing

(1) Outsourcing is the practice of contracting with another entity to perform services that might otherwise be conducted in-house.
(2) Contracting with third parties to perform activities, duties, or functions.

[2] The Outsourcing Handbook notes that the IT Handbook's Supervision of Technology Service Providers (service provider) Booklet, available online at http://www.ffiec.gov/ffiecinfobase/booklets/service provider/tech_ser_provider.pdf, provides an analysis of operational risks associated with IT generally.

Outsourcing can span origination, processing and settlement services, information processing, loan processing, security monitoring and testing, development and maintenance of computer systems, network and help desk operations, servicing, debt collection, telemarketing and call centers. It is key that institutions' IT staff and lawyers bear in mind the Outsourcing Handbook's guidelines when selecting and negotiating contracts with service providers to perform any IT functions that could be performed internally, as well as any other significant services.

Board and Senior Management Responsibilities

The Outsourcing Handbook emphasizes that the board of directors and senior management of a financial institution must bear ultimate responsibility for determining whether to enter into outsourcing transactions and for overseeing the outsourcing relationships that the financial institution establishes. The directors and officers of a financial institution should determine, as a matter of institution-wide management, whether, and to what extent, the institution's internal functions can and should be outsourced. The FFIEC directs a financial institution's board and management to base their conclusions on the risks that outsourcing presents for the institution and on whether the outsourcing is appropriate in light of the institution's size and complexity. The FFIEC further directs the board and management to adopt and execute policies to ensure consistency in the institution's outsourcing decisions, management, and oversight.

B. Next Step: Selecting the Service Provider

The Outsourcing Handbook next specifies the following steps for institutions to follow in selecting a service provider:

1. The Request for Proposal

First, should the RFP process be limited to the service provider? Should it also include selecting the due diligence team (law firms, consultants, etc.)?

An institution's IT and other staff members involved in outsourcing may be as unaccustomed to issuing RFPs as they are to creating a formal requirements document. The FFIEC prescribes the RFP process in the Outsourcing Handbook, however, and an examiner consequently may wish to review an institution's RFPs, especially those for significant outsourcing transactions. If the IT staff and other outsourcing stakeholders have prepared the detailed requirements document described above, compiling the RFP should be relatively straightforward. The issues to be addressed in the RFP mirror those covered in that document. Noting that the level of detail in RFPs may vary (presumably according to the complexity and criticality of the functions to be outsourced), the Outsourcing Handbook states that an RFP should address the following:

- Objectives
- Scope and nature of outsourced functions
- Service levels
- Delivery timelines
- Technology and services metrics
- Controls
- Security
- Policies
- Business continuity
- Change of control

2. Due Diligence

The FFIEC stresses that the institution should perform due diligence on both the service provider and the service provider's response to the RFP. The FFIEC acknowledges, however, that the extent and formality of due diligence may vary according to the risks that the proposed outsourcing transaction poses, familiarity with the prospective service provider, and the stage that the institution has reached in the selection process. The Outsourcing Handbook states that the institution should, in the course of due diligence, accomplish the following:

- Ensure that the service provider is a validly existing entity, and check its corporate history.
- Check the qualifications of the service provider and its principals. Perform criminal background checks in sensitive outsourcing cases.
- Check references and otherwise investigate the service provider's reputation.
- Investigate the service provider's finances. Review audited financial statements.
- Investigate the service provider's ability to deliver on its commitments and its overall effectiveness.
- Investigate the service provider's system of internal quality and other controls, its security history, and the extent to which it is audited, financially and otherwise.

- Check the service provider's compliance history and the extent, if any, to which it has been subject to complaints, litigation, and regulatory actions.
- Pursue the service provider's reliance on third party service providers.
- Check into the service provider's insurance coverage.
- Investigate the service provider's disaster recovery and business continuity plans.
- Consider intangibles, such as the service provider's culture and business style and the service provider's consequent fit with the institution.
- Consider other unique issues such as rating agency requirements.

C. Information Security and Safeguarding

The FFIEC also emphasizes that an institution should perform due diligence on a prospective service provider's ability to maintain the security of the institution's data, and should filter the sensitive information that the institution provides to a service provider.

D. Foreign Service Providers

Compliance Risks: Outsourcing to a foreign service provider increases the risks involved in monitoring compliance with U.S. laws and regulations. Outsourcing to a foreign service provider also places additional compliance obligations on the institution, including export control obligations and obligations to comply with sanctions and embargoes implemented by the U.S. Treasury's Office of Foreign Assets Control.

Due Diligence: An institution must perform due diligence on the extent to which the foreign location of the service provider will add to outsourcing risks, in addition to performing the due diligence that the Outsourcing Handbook specifies for non-foreign service providers.

Regulatory Access to Information: An institution must ensure that U.S. regulatory agencies have the ability to assess the services performed by the foreign service provider, and that it keeps at a U.S. location English-language documentation showing that the institution and the foreign service provider are meeting their U.S. regulatory obligations.

III. DUE DILIGENCE STRATEGY

The due diligence process will depend on the nature of the service. The process will be more or less comprehensive depending on the complexity of the service. Perform on-site due diligence whenever possible. If the service provider is a foreign corporation, more on-site time may be necessary. Permit sufficient on-site time to ensure that representations regarding the service provider's compliance operations are accurate. It is beneficial to:

- Engage an international law firm in that country with attorneys who can spend significant time assessing the service provider, or do so over the course of a few months; AND/OR
- Engage local counsel to assess the service provider's compliance with the laws of the service provider's jurisdiction, and who also has knowledge of the jurisdiction's legal environment (such as an awareness of which laws are actually enforced).

A. Overall Compliance Capability

- Does the management demonstrate a commitment to regulatory/legal compliance? What is their background and experience?
- Has the service provider demonstrated a capacity to comply with applicable law in providing similar services for other entities?
- Is the service provider familiar with the legal/regulatory compliance issues of the outsourcing company? For example:

Federal Regulations

- Is the service provider capable of complying with all federal requirements that apply to the outsourcing company?
- Depending on the type of service provider (e.g., loan processor, loan servicer, debt collector, telemarketer, call center, etc.), is the provider capable of complying with requirements unique to that service provider (e.g., RESPA, TILA, ECOA, HMDA, FCRA, Fair Housing, Flood, HOEPA, GLBA/information security, FDCPA, TCPA, to name a few)?

State Regulations

- Does the service provider understand, and is the service provider capable of complying with, all state requirements that apply to the service provider and the outsourcing company, where necessary?
- Is the service provider's process for updating state requirements adequate?

B. Current Compliance Status

- Is the service provider in compliance with all applicable laws, including any licensing requirements and regulatory approvals, as well as federal, state, and local laws and regulations?

C. Compliance Procedures

- Does the service provider have a compliance or legal/compliance department?
- What are the experience and skill levels of the key legal/compliance personnel? How long have they worked for the service provider?
- Does the service provider conduct regular compliance audits/reviews?
- Do available compliance reviews reveal any patterns of legal/regulatory noncompliance or internal procedural irregularities that could lead to noncompliance?
- Does the service provider have written policies and procedures that accurately and adequately address applicable legal/regulatory requirements?
- How does the service provider track employee/system adherence to policies and procedures?
- Does the service provider provide employees with compliance training?
- What are the experience and skill levels of employees who will perform functions with sensitive legal/regulatory implications? What are their retention rates?

D. Customer Complaints/Customer Satisfaction Surveys

- Does the service provider use customer satisfaction surveys?
- Does the service provider have a customer complaints process in place?
- How (and how quickly) does the service provider address customer complaints?
- Do available customer complaints and surveys reveal any patterns of legal/regulatory noncompliance or internal procedural irregularities that could lead to noncompliance?

E. Regulatory Audits

- Has the service provider been subject to regulatory audits/examinations?
- What legal/regulatory issues were revealed by those examinations?

- How has the service provider dealt with those issues? Are any of those issues recurring?
- Are the service provider's management and legal/compliance teams experienced in communicating with regulators? Have they demonstrated a willingness and capacity to cooperate with regulators?

F. Litigation/Administrative Actions

- Is any material litigation or administrative action pending against the service provider that involves the types of services that the outsourcing company needs?
- Will an adverse outcome have a material impact on the service provider's ability to perform services?
- Does pending litigation or administrative action indicate a pattern of noncompliance in a particular area of operations critical to delivery of services to the outsourcing company?

G. Legal Compliance Technology

- Is the service provider's compliance-related hardware and software (if any) state-of-the-art?
- Does the service provider have a compliance technology maintenance program?
- What changes may need to be made to the service provider's compliance technology to integrate special legal compliance issues of the outsourcing company? Is the service provider's compliance technology capable of integrating those changes? Does the software have sufficient flexibility to do so?
- Is it easy to make changes to, or customize, the compliance software to the outsourcing company's needs? Can the system be updated easily?
- Does the service provider's compliance technology have sufficient capacity to support an increased load from the outsourcing company?

- Is system documentation comprehensive and clear?
- Does the system produce a wide range of customizable compliance reports?
- Do the compliance and other technology systems of the service provider and any subcontractors interface easily and appropriately?

H. Privacy/Information Security

- Is the service provider capable of ensuring that its employees will not have unauthorized access to the outsourcing company's customer data, or other confidential data regarding the institution? [3]

I. Subcontractors

- If relevant, what is the service provider's process for conducting due diligence of subcontractors, support vendors, and other third parties that may be involved in performing services for the outsourcing company?

J. Record Retention/Access

- What records must the service provider maintain? For how long? Is the service provider capable of doing so?
- Will the outsourcing company have easy access to service provider records and other compliance-related documents for compliance monitoring and audits?

K. Effect on Relationship with Primary Regulator

IV. CASE STUDIES: HOW NOT TO CONDUCT DUE DILIGENCE

THIS OUTLINE IS FOR INFORMATIONAL PURPOSES AND DOES NOT CONTAIN OR CONVEY LEGAL ADVICE. THE INFORMATION HEREIN SHOULD NOT BE USED OR RELIED UPON IN REGARD TO ANY PARTICULAR FACTS OR CIRCUMSTANCES WITHOUT FIRST CONSULTING A LAWYER.

[3] See, e.g., FFIEC, Interagency Guidance on Response Programs: Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, FIL-27-2005 (April 1, 2005), http://www.fdic.gov/news/news/financial/2005/fil2705.html.