We discussed the ways that Fintech companies are on a mission to “disrupt” financial services.   In this case, the disruption doesn’t necessarily have to be a negative connotation.  In fact, in many cases, the disruption that fintech are causing are geared towards improving product delivery.  At the end of the day, FinTechs are working to create efficiencies and deliver products with greater speed and flexibility, and this is ultimately a good thing for financial institutions. 

In addition to the disruptive nature of FinTechs, we also noted that these companies are aiming right at the large pool of unbanked and underbanked families. These are the households that not only represent potential customers for the current banking model, but they also represent financial institutions customer of the future.   There is a growing reliance on smart phones to conduct banking transactions.  In addition, customer expectation credit products continue to evolve.  Several platforms allow customers to apply for loans entirely online and with minimal human contact.   Even the idea of who is and is not a credit-worthy customer have changed.  Concepts such as collateral have changed; intellectual property can be a replacement for real estate in some cases.  As the needs and expectations of financial institution customers change, the manner which financial products are delivered must also change.  FinTechs are leading the change in these areas.

Despite their numerous advantages that FinTechs may have, there are inefficiencies in the regulatory scheme that have severely limited the growth and influence of these companies.   FinTechs are defined by the regulations as Money Service Business (“MSB’s”) and as such, they are required to get licenses in each of the states in which they transact business.  The process for obtaining these licenses can be tedious, time consuming and expensive.   A company may have to re-packing its information repeatedly to satisfy the application information requests for each state.  Of course, depending on the structure of the state agency and the resources available for processing applications, the process can take a long time to complete. 

Many banks today rely on outsourced functions ranging from core operating systems to monthly billing programs.  The reliance on third parties to provide core functions at banks is no longer viewed as a less  than desirable situation, it is normal.  However, over time the types of relationships that banks began to form with outside vendors became more complicated and in some cases exotic.  Some banks used third parties to offer loan products and services that would otherwise not be offered.  In many cases, the administration of the contractual relationship was minimal; especially when the relationship was profitable.

The level and type of risk that these agreements created came under great scrutiny during the financial crisis of 2009.  Among the relationships that are most often scrutinized for areas of risk are:  

• Third-party product providers such as mortgage brokers, auto dealers, and credit card providers;
• Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activities;
• Disclosure preparers, such as disclosure preparation software and third-party documentation preparers;
• Technology providers such as software vendors and website developers; and
• Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities.[1]

 The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management.   While the published guidance from each of these regulators its own idiosyncrasies, there are clear basic themes that appear in each. 

All of the guidance has similar statements that address the types of risk involved with third party relationships and all discuss steps for mitigating risks.  We will discuss the methods for reducing risk further in part two of this series. 

Types of Risk Associated with Third-Party Relationships.

Regardless of the size of your bank, or the overall complexity of the operation, the risks that follow will exist at some level with any third-party relationship.  

Operational Risk

Operational risk is present in all products, services, functions, delivery channels, and processes.  Third-party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party.

Operational risk can increase significantly when third-party relationships result in concentrations. Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations and that of its third parties and subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.

Compliance Risk

Compliance risk exists when products, services, or systems associated with third-party relationships are not properly reviewed for compliance or when the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures. Such risks also arise when a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service. Compliance risk may arise when a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights. Compliance risk may also arise when the third party does not adequately monitor and report transactions for suspicious activities to the bank under the BSA or OFAC. The potential for serious or frequent violations or noncompliance exists when a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones, when activities are further subcontracted, when activities are conducted in foreign countries, or when customer and employee data is transmitted to foreign countries.

Compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. Compliance failures by the third party could result in litigation or loss of business to the bank and damage to the bank’s reputation.

Reputation Risk

Third-party relationships that do not meet the expectations of the bank’s customers expose the bank to reputation risk. Poor service, frequent or prolonged service disruptions, significant or repetitive security lapses, inappropriate sales recommendations, and violations of consumer law and other law can result in litigation, loss of business to the bank, or negative perceptions in the marketplace. Publicity about adverse events surrounding the third parties also may increase the bank’s reputation risk. In addition, many of the products and services involved in franchising arrangements expose banks to higher reputation risks. Franchising the bank’s attributes often includes direct or subtle reference to the bank’s name.  Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party.  In some cases, however, it is not until something goes wrong with the third party’s products, services, or client relationships, that it becomes apparent to the third party’s clients that the bank is involved or plays a role in the transactions. When a bank is offering products and services actually originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products, services, and adequate oversight over the third party’s activities.

Strategic Risk

A bank is exposed to strategic risk if it uses third parties to conduct banking functions or offer products and services that are not compatible with the bank’s strategic goals, cannot be effectively monitored and managed by the bank, or do not provide an adequate return on investment. Strategic risk exists in a bank that uses third parties in an effort to remain competitive, increase earnings, or control expense without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the activity. Strategic risk also arises if management does not possess adequate expertise and experience to oversee properly the third-party relationship.

Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.

Credit Risk

Credit risk may arise when management has exercised ineffective due diligence and oversight of third parties that market or originate certain types of loans on the bank’s behalf, resulting in low-quality receivables and loans. Ineffective oversight of third parties can also result in poor account management, customer service, or collection activities. Likewise, where third parties solicit and refer customers, conduct underwriting analysis, or set up product programs on behalf of the bank, substantial credit risk may be transferred to the bank if the third party is unwilling or unable to fulfill its obligations

Managing Risk

One of the most important points that all of the regulators are driving home is that they intend to hold financial institutions responsible for the action for the third party service providers.   For example, if an automobile dealer with whom a bank has a relationship engages in lending activities that have fair lending concerns, the bank under whose name they are providing the service will also be found to have fair lending concerns. 

This is not to say that there is a general distaste for outsourcing of third party arrangements.  It is to say that when the arrangement is made, there should be a risk management system in place ahead of the formation of the relationship.  The program should include at a minimum the following: 

• A Risk Assessment;
• Due Diligence in Selecting a Third Party;
• Contract Structuring and Review;
•  Oversight;  

---

[1] See Vendor Risk Management — Compliance Considerations

By Cathryn Judd, Examiner, and Mark Jennings, Former Examiner, Federal Reserve Bank of San Francisco 

[2] FDIC Compliance Manual

[3] OCC BULLETIN 2013-29 Managing Third Party Relationships

We discussed the ways that Fintech companies are on a mission to “disrupt” financial services.   In this case, the disruption doesn’t necessarily have to be a negative connotation.  In fact, in many cases, the disruption that fintech are causing are geared towards improving product delivery.  At the end of the day, FinTechs are working to create efficiencies and deliver products with greater speed and flexibility, and this is ultimately a good thing for financial institutions. 

In addition to the disruptive nature of FinTechs, we also noted that these companies are aiming right at the large pool of unbanked and underbanked families. These are the households that not only represent potential customers for the current banking model, but they also represent financial institutions customer of the future.   There is a growing reliance on smart phones to conduct banking transactions.  In addition, customer expectation credit products continue to evolve.  Several platforms allow customers to apply for loans entirely online and with minimal human contact.   Even the idea of who is and is not a credit-worthy customer have changed.  Concepts such as collateral have changed; intellectual property can be a replacement for real estate in some cases.  As the needs and expectations of financial institution customers change, the manner which financial products are delivered must also change.  FinTechs are leading the change in these areas.

Despite their numerous advantages that FinTechs may have, there are inefficiencies in the regulatory scheme that have severely limited the growth and influence of these companies.   FinTechs are defined by the regulations as Money Service Business (“MSB’s”) and as such, they are required to get licenses in each of the states in which they transact business.  The process for obtaining these licenses can be tedious, time consuming and expensive.   A company may have to re-packing its information repeatedly to satisfy the application information requests for each state.  Of course, depending on the structure of the state agency and the resources available for processing applications, the process can take a long time to complete. 

Many banks today rely on outsourced functions ranging from core operating systems to monthly billing programs.  The reliance on third parties to provide core functions at banks is no longer viewed as a less  than desirable situation, it is normal.  However, over time the types of relationships that banks began to form with outside vendors became more complicated and in some cases exotic.  Some banks used third parties to offer loan products and services that would otherwise not be offered.  In many cases, the administration of the contractual relationship was minimal; especially when the relationship was profitable.

The level and type of risk that these agreements created came under great scrutiny during the financial crisis of 2009.  Among the relationships that are most often scrutinized for areas of risk are:  

• Third-party product providers such as mortgage brokers, auto dealers, and credit card providers;
• Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activities;
• Disclosure preparers, such as disclosure preparation software and third-party documentation preparers;
• Technology providers such as software vendors and website developers; and
• Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities.[1]

 The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management.   While the published guidance from each of these regulators its own idiosyncrasies, there are clear basic themes that appear in each. 

All of the guidance has similar statements that address the types of risk involved with third party relationships and all discuss steps for mitigating risks.  We will discuss the methods for reducing risk further in part two of this series. 

Types of Risk Associated with Third-Party Relationships.

Regardless of the size of your bank, or the overall complexity of the operation, the risks that follow will exist at some level with any third-party relationship.  

Operational Risk

Operational risk is present in all products, services, functions, delivery channels, and processes.  Third-party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party.

Operational risk can increase significantly when third-party relationships result in concentrations. Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations and that of its third parties and subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.

Compliance Risk

Compliance risk exists when products, services, or systems associated with third-party relationships are not properly reviewed for compliance or when the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures. Such risks also arise when a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service. Compliance risk may arise when a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights. Compliance risk may also arise when the third party does not adequately monitor and report transactions for suspicious activities to the bank under the BSA or OFAC. The potential for serious or frequent violations or noncompliance exists when a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones, when activities are further subcontracted, when activities are conducted in foreign countries, or when customer and employee data is transmitted to foreign countries.

Compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. Compliance failures by the third party could result in litigation or loss of business to the bank and damage to the bank’s reputation.

Reputation Risk

Third-party relationships that do not meet the expectations of the bank’s customers expose the bank to reputation risk. Poor service, frequent or prolonged service disruptions, significant or repetitive security lapses, inappropriate sales recommendations, and violations of consumer law and other law can result in litigation, loss of business to the bank, or negative perceptions in the marketplace. Publicity about adverse events surrounding the third parties also may increase the bank’s reputation risk. In addition, many of the products and services involved in franchising arrangements expose banks to higher reputation risks. Franchising the bank’s attributes often includes direct or subtle reference to the bank’s name.  Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party.  In some cases, however, it is not until something goes wrong with the third party’s products, services, or client relationships, that it becomes apparent to the third party’s clients that the bank is involved or plays a role in the transactions. When a bank is offering products and services actually originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products, services, and adequate oversight over the third party’s activities.

Strategic Risk

A bank is exposed to strategic risk if it uses third parties to conduct banking functions or offer products and services that are not compatible with the bank’s strategic goals, cannot be effectively monitored and managed by the bank, or do not provide an adequate return on investment. Strategic risk exists in a bank that uses third parties in an effort to remain competitive, increase earnings, or control expense without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the activity. Strategic risk also arises if management does not possess adequate expertise and experience to oversee properly the third-party relationship.

Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.

Credit Risk

Credit risk may arise when management has exercised ineffective due diligence and oversight of third parties that market or originate certain types of loans on the bank’s behalf, resulting in low-quality receivables and loans. Ineffective oversight of third parties can also result in poor account management, customer service, or collection activities. Likewise, where third parties solicit and refer customers, conduct underwriting analysis, or set up product programs on behalf of the bank, substantial credit risk may be transferred to the bank if the third party is unwilling or unable to fulfill its obligations

Managing Risk

One of the most important points that all of the regulators are driving home is that they intend to hold financial institutions responsible for the action for the third party service providers.   For example, if an automobile dealer with whom a bank has a relationship engages in lending activities that have fair lending concerns, the bank under whose name they are providing the service will also be found to have fair lending concerns. 

This is not to say that there is a general distaste for outsourcing of third party arrangements.  It is to say that when the arrangement is made, there should be a risk management system in place ahead of the formation of the relationship.  The program should include at a minimum the following: 

• A Risk Assessment;
• Due Diligence in Selecting a Third Party;
• Contract Structuring and Review;
•  Oversight;  

---

[1] See Vendor Risk Management — Compliance Considerations

By Cathryn Judd, Examiner, and Mark Jennings, Former Examiner, Federal Reserve Bank of San Francisco 

[2] FDIC Compliance Manual

[3] OCC BULLETIN 2013-29 Managing Third Party Relationships