It’s increasingly common for small and midsize banks to outsource operational functions or to rely on third parties to provide products or services to bank customers. Banks often outsource activities such as data processing and other IT functions, card processing, mortgage processing, call centers, and even Bank Secrecy Act / Anti-Money Laundering (BSA/AML) compliance.
Outsourcing to third parties offers significant benefits: Shifting day-to-day responsibility for certain noncore functions frees up management time to focus on core functions and strategic initiatives. It also can produce significant cost savings. With access to sophisticated technology and expertise — and the advantage of economies of scale — third-party providers typically can perform these functions far more cost-effectively than an individual bank could.
If you’re considering outsourcing, or are already doing so, make sure you have policies and procedures in place to manage the risks associated with the use of third parties.
Review regulatory guidance
A good place to start is by reviewing FDIC Financial Institution Letter 44-2008, “Guidance for Managing Third-Party Risk.” The Guidance emphasizes that a bank’s board of directors and senior management are ultimately responsible for managing outsourced activities and identifying and controlling the risks associated with third-party relationships, just as if those activities were handled in-house.
The Guidance summarizes many of these risks, noting that some are associated with the activity itself — regardless of who performs it — while other risks are heightened by the involvement of a third party. For example, missteps by a third party or negative publicity involving one can increase a bank’s reputation risk. And compliance risk is a big concern, particularly if a third party experiences security breaches involving bank customer information or otherwise fails to act consistently with the laws, regulations and ethical standards that apply to banks. Outsourcing may also raise concerns about strategic, operational, transaction and credit risks.
It’s also important to consider consumer protection laws, particularly prohibitions on unfair, deceptive or abusive acts or practices. In a recent bulletin, the Consumer Financial Protection Bureau (CFPB) said it expects supervised banks and nonbanks to conduct thorough due diligence and take other steps to ensure that service providers comply with consumer protection laws. Although most community banks don’t fall under the CFPB’s direct supervision, it’s a good idea to follow the Bureau’s guidelines, which may evolve into industrywide best practices in the future.
Create a process
The FDIC Guidance outlines four essential elements of an effective third-party risk management process:
1. Risk assessment. Ensure that a proposed outsourcing relationship is consistent with the bank’s overall business strategy. Analyze the benefits, costs, legal aspects and potential risks associated with the third party being considered and then compare the proposed relationship with alternative methods of performing the activity or providing the product or service. Review management’s ability to provide adequate oversight and management of the proposed relationship.
2. Due diligence. Conduct comprehensive due diligence when selecting a third-party provider and do so periodically during the relationship, particularly when the contract is up for renewal. The Guidance lists several items the bank might review, noting that the scope and depth of due diligence is directly related to the importance and magnitude of the relationship. For example, a third party dealing with sensitive data would require more intensive due diligence than one involved with a low-risk activity.
3. Contract structuring and review. The parties’ respective expectations and obligations should be outlined in a written contract, with board approval of any material third-party relationships and review by appropriate legal counsel. The Guidance contains a detailed list of items that should be addressed, including compliance with applicable law, bank access to third-party records, performance standards and audit requirements.
4. Oversight. To minimize its risk exposure, the bank should maintain adequate oversight of third-party activities. Among other things, an effective oversight program should provide for board approval and periodic review of significant outsourcing arrangements and management review of third-party operations.
If your bank uses outsourcing, be prepared to demonstrate to bank examiners that you’re managing third-party risk effectively. Simply having a program in place isn’t enough — you’ll need to provide documentation of the four elements described above.