P-R Stark assists Promontory clients with regulatory and compliance issues, focusing on consumer financial products and services. Prior to joining Promontory, she was one of the first employees at the Consumer Financial Protection Bureau. Join Ms. Stark at ARM-U (October 14-15 in Washington, DC) as she dives into the challenging – and growing – task of service provider compliance for debt collectors. It’s a presentation you won’t want to miss!
New guidance from the Office of the Comptroller of the Currency and the Federal Reserve makes it clear that supervised institutions must be vigilant throughout every stage of the relationship with a third party. For third parties, many of which are not subject to direct supervision by the prudential regulators or are transitioning to supervision from the Consumer Financial Protection Bureau, the change is substantial: They must meet the regulatory standards applicable to their bank partners, rather than let their stand-alone activities define their compliance obligations.
Determining whether to outsource an activity begins with a risk assessment that establishes not only the nature and scale of the risks but also how those risks fit the firm’s business model, strategy, and risk management capacity. The aim is to develop a clear view of the necessary controls, expertise, and resources, and to create a framework for identifying activities best kept in-house.
The risk assessment should identify specific costs and benefits related to outsourcing and consider how the firm will verify that the arrangement can meet the expectations of customers, management, and regulators. Data security is a key element of this analysis, especially where third parties would have access to the firm’s systems and customer records. Collection agencies must also consider contingency plans for transferring the activity (to another third party or back in-house).
Diligence and Selection of Third Parties
The next step after an affirmative decision to outsource an activity is to identify the right partner. The new guidance directs firms to investigate each prospective third party rather than rely on informal reputational or market views – or even past practice – as was once considered sufficient. That investigation has traditionally included the prospective third party’s operating structure, financial performance, reputation, regulatory record, key personnel and risk management. Expectations have been expanded to include:
- Legal and regulatory compliance, including a review of necessary controls and required operating licenses
- Information and physical security, and the proposed business partner’s ability to detect and respond to physical and data security threats
- Compensation and incentives, including whether the proposed compensation structure could lead to noncompliance or inappropriate risk-taking
- Issue management and reporting, from identification to remedy
- Contractual arrangements, and whether a prospective third party’s own outsourcing relationships will shape its ability to meet the firm’s requirements
- Human resource management, including how the third party trains its employees on compliance obligations and its diversity policies
The third party’s operational structure, including its own reliance on outsourcing, and its response to disruptions are important considerations. This is especially true for data security, an area where the need to supplement firm resources with specialized expertise provides a strong incentive to outsource. The risks are substantial, however: firms are grappling with exposing sensitive data in the course of conducting business while depending on entities with which they have no direct contractual relationship. Part of the answer is a significant expansion of due diligence.
Contracting for Effective Oversight
Contracts are a critical vehicle for defining expectations and protecting interests, and regulators’ attention to them has clearly ramped up. The detail in both the OCC and Federal Reserve guidance suggests that industry contracting practices are struggling to keep pace with evolving risk management standards and expectations, especially in establishing performance standards and reporting requirements. The guidance provides a list of more than 15 topics to address in contracts with third parties, including: compensation, performance benchmarks, confidentiality of customer complaints, dispute resolution, and termination. New topics include:
- Legal and regulatory mandates that apply to the third party’s activities
- Frequency of compliance-performance reporting
- The right to conduct periodic reviews
- Subcontracting and notification when subcontracting relationships change
Each contract should be tailored to the risks identified in the strategic planning and diligence phases, and simple, generic provisions on access to information on demand are unlikely to offer sufficient protection. Contracts that specify the level of effort required – e.g., quarterly on-site audits or exhaustive reviews of all customer complaints and inquiries – can be helpful in making sure the relationship is economically sustainable. Explicit contractual limitations – e.g., geographic limitations on sharing data with or subcontracting to foreign firms – may be needed to address differences in prevailing legal and regulatory standards.
Supervised firms will also have to consider new communications standards. The OCC specifically stated that contracts should specify the circumstances in which the supervised firm must notify third parties of strategic or operational issues, including incidents such as data security breaches that may affect the third party’s ability to perform under the contract.
However, the agencies did not provide guidance on what to do when third parties resist providing information or participating in oversight activities – scenarios that supervised firms are facing in the transition to new, more rigorous oversight expectations. Transitioning to new oversight practices mid-contract is particularly challenging. Supervised firms confronting a third party that resists providing appropriate information or access should document good-faith efforts to comply under the existing contract and negotiate the relevant issues at renewal. In rare cases, though, prompt termination of the relationship may be necessary.
Monitoring Adherence of Third Parties
Collection agencies are expected to devote sufficient resources to monitoring each third party’s adherence to laws and regulations, as well as to contractual requirements. In effect, the agency’s staff should periodically reassess all areas that were the focal point of its strategic assessment and diligence processes so that changing risks are detected and addressed. Ongoing monitoring should include periodic contract reviews to assess whether the contracts still address the pertinent risks. Gaps may require adjustments to existing contracts and in any case should be addressed in future contracts.
Regulators are also focused on the expertise of staff charged with monitoring responsibilities and how information collected in oversight activities is aggregated, analyzed, and shared internally.
Termination and Contingency Planning
In a break from past guidance, the regulators now explicitly require that a firm’s risk management controls extend through the termination of third-party relationships, whether at the natural end of a contract or due to default or other disruption that terminates the relationship. Firms must make sure that terminations have minimal impact on customers and firm operations; transition plans should address data retention and destruction, joint intellectual property, mitigation of reputational risks and seamless adherence to applicable requirements.
Documentation and Reporting
New processes – such as the designation of critical activities and additional diligence requirements – require documentation standards. It will be an ongoing challenge for firms to keep policies, procedures, and program documentation current as expectations and processes change. Nowhere is this challenge greater than in the development and maintenance of an accurate inventory of a firm’s third-party relationships.
Regulators will also look to see who receives reports on third-party performance and how often they receive them, in addition to evaluating the quality of the reported information. But the critical inquiry is less about the reporting process than about its impact on the firm’s risk management behavior.
Periodic Independent Reviews
Supervised firms are expected to use independent reviews of third-party performance as a risk management tool. The reviews, which are to be conducted by the supervised firm’s internal audit group or an independent party, measure how well the third party is adhering to regulatory and contractual requirements. They may cause friction with third parties unaccustomed to being audited in this way, or where contracts do not specifically authorize this form of oversight. Further, conducting certain kinds of audits – such as security assessments – can require specialized resources that supervised firms may not currently have.
In their separate guidance, both the OCC and Federal Reserve raise the stakes for the boards and executive management of regulated entities, though their methodologies differ significantly.
The Federal Reserve charges the board to adopt policies governing the use of third-party service providers. Those policies should establish a third-party risk management program that governs risk assessments and due diligence, contracting, ongoing monitoring, and business continuity and contingency planning. Senior management is then responsible for assuring proper execution of board-approved policies.
The OCC’s guidance differs, directing that the board be more involved in arrangements involving any “critical activity” performed for an OCC-supervised institution by a third party. For those, the board of directors of the institution is expected to:
- Approve management’s strategic plan for the use of a third party
- Review due-diligence summaries on prospective third parties
- Approve contracts
- Review the results of management’s ongoing monitoring and periodic independent reviews
- Ensure appropriate action is taken to address deterioration in performance, changing risks, and material issues identified through oversight activities
Although weighing in on strategic decisions about operational structure conforms to prior board norms, requiring the board to approve the selection of third parties and to review the related contracts represents the most dramatic application of the concept of criticality in the new guidance.
Julie Williams, Chris Lewis and Justin Guo contributed to this article.