A Three-Part Series. Part Three - Choose Your Partner
Many banks today rely on outsourced functions ranging from core operating systems to monthly billing programs. The reliance on third parties to provide core functions at banks is no longer viewed as a less than desirable situation; it is normal. However, over time the types of relationships that banks formed with outside vendors became more complicated and in some cases exotic. Some banks used third parties to offer loan products and services that would otherwise not have been offered. In many cases, the administration of the contractual relationship was minimal, especially when the relationship was profitable.
The level and type of risk that these agreements created came under great scrutiny during the financial crisis of 2009. Among the relationships that are most often scrutinized for areas of risk are:
- Third-party product providers such as mortgage brokers, auto dealers, and credit card providers;
- Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activities;
- Disclosure preparers, such as disclosure preparation software and third-party documentation preparers;
- Technology providers such as software vendors and website developers; and
- Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities.
According to the FDIC, a third-party relationship could be considered “significant” if:
- The institution’s relationship with the third party is a new relationship or involves implementing new institution activities;
- The relationship has a material effect on the institution’s revenues or expenses;
- The third party performs critical functions;
- The third party stores, accesses, transmits, or performs transactions on sensitive customer information;
- The third-party relationship significantly increases the institution’s geographic market;
- The third party provides a product or performs a service involving lending or card payment transactions;
- The third party poses risks that could materially affect the institution’s earnings, capital, or reputation;
- The third party provides a product or performs a service that covers or could cover a large number of consumers;
- The third party provides a product or performs a service that implicates several or higher risk consumer protection regulations;
- The third party is involved in deposit taking arrangements such as affinity arrangements; or
- The third party markets products or services directly to institution customers that could pose a risk of financial loss to the individual.
The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management. While the published guidance from each of these regulators has its own idiosyncrasies, there are clear basic themes that appear in each.
All of the guidance contains similar statements that address the types of risk involved with third-party relationships, and all discuss steps for mitigating those risks. We will discuss the methods for reducing risk further in part two of this series.
Level of Due Diligence
One of the questions that we noted above was about what level of due diligence is required for a third-party contract. The OCC guidance defines a critical activity as
Critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that
- could cause a bank to face significant risk if the third party fails to meet expectations;
- could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; or
- could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.
For those arrangements that involve critical activities, the expectation is that the bank will perform comprehensive due diligence at the start of the contracting process as well as monitoring throughout the life of the contract.
The steps that are necessary for the proper engagement of a third party for a critical activity are discussed in each of the regulatory guidance documents that have been released. The OCC bulletin provides the most comprehensive list that includes:
- Relationship Plan: Management should develop a full plan for the type of relationship it seeks to engage. The plan should consider the overall potential risks, the manner in which the results will be monitored and a backup plan in case the vendor fails in its duties.
- Due Diligence: The bank should conduct a comprehensive search on the background of the vendor and obtain references and information on its principals, financial condition and technical capabilities. It is during this process that a financial institution can ask a vendor for copies of the results of independent audits of the vendor. There has recently been a great deal of attention given to the due diligence process for vendors. Several commenters and several banks have interpreted the guidance to require that a bank research a vendor and all of its subcontractors in all cases. We do not believe that this is the intention of the guidance. It is not at all unusual for a third-party provider to use subcontractors. We believe that a financial institution should get a full understanding of how the subcontracting process works and consider that as part of the due diligence; however, it is impractical to expect a bank to research the backgrounds of all potential subcontractors before engaging a provider.
- Risk Assessment: Management should prepare a risk assessment based upon the specific information gathered for each potential vendor. The risk assessment should compare the characteristics of the firms in a uniform manner that allows the Board to fully understand the risk associated with each vendor.
- Contract Negotiation: The contract should include all of the details of the work to be performed and the expectations of management. The contract should also include a system of reports that will allow the bank to monitor performance against the specifics of the contract. Expectations such as compliance with applicable regulations must be spelled out. The OCC bulletin includes the following phrase:
Ensure that the contract establishes the bank’s right to audit, monitor performance, and require remediation when issues are identified. Generally, a third-party contract should include provisions for periodic independent internal or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions to monitor performance with the contract.
This language has also been the subject of a great deal of media and financial institution attention. Some have interpreted this phrase to mean that a community bank that uses one of the large core providers has the right to perform an independent audit of the provider. We believe that this interpretation is inaccurate as it would be impractical to carry out. We believe that the phrase means that the financial institution is entitled to a copy of the report of the independent auditor.
- Ongoing Monitoring: Banks must develop a program for ongoing monitoring of the performance of the vendor. We recommend that the monitoring program include not only information provided by the vendor, but also internal monitoring of:
  - Customer complaints;
  - Significant changes in sources of expenses and revenues;
  - Changes in loan declines, withdrawals or approvals;
  - Changes in the nature of customer relationships (e.g., large growth in CD customers).
- Oversight and Evaluation: There should be a fixed period for evaluating the overall success and efficacy of the vendor relationship. The Board should, on a regular basis, evaluate whether the relationship with the vendor is, on balance, a relationship worth keeping.
While all of the above steps represent best practices for developing relationships with vendors, it is important to remember that a balance must be maintained. The vendor management program cannot be so time consuming or stringent that a bank is left without the ability to engage consultants. However, there must be sufficient diligence and monitoring of vendor relationships to ensure that the bank is managing its risks effectively.
James DeFrantz is the Principal of Virtual Compliance Management Services LLC. He can be reached directly at JDeFrantz@VCM4you.com
OCC BULLETIN 2013-29