In our initial article announcing our top 10 considerations for financial institutions in 2016, which can be found here, our sixth consideration was vendor risk management in 2016. Third-party (vendor) risk management has consistently been among the hot topics discussed at financial institution conferences in the past few years. This trend is likely to continue in 2016 as the CFPB and the banking agencies increasingly outline their expectations for risk management practices and as financial institutions continue to be found liable for certain actions of their vendors.
Over the past few years, the CFPB and the prudential banking regulators have issued updated guidance and resources with respect to vendor risk management. For example, the Board of Governors of the Federal Reserve System (FRB) released SR 13-19, Guidance on Managing Outsourcing Risk, on December 5, 2013; the Office of the Comptroller of the Currency (OCC) released Bulletin 2013-29, Risk Management Guidance on Third-Party Relationships, on October 30, 2013; the Bureau of Consumer Financial Protection (CFPB) issued Bulletin 2012-03, Service Providers, on April 13, 2012; and the Federal Deposit Insurance Corporation (FDIC) issued Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk, on June 6, 2008.
As the CFPB Bulletin indicates, financial institutions may outsource specific functions to third-party vendors “due to resource constraints,” may use third parties to develop or market specific products or services, or may rely on expertise from third parties that would not otherwise be available without significant investment, something that might be particularly difficult for smaller financial institutions. However, compliance and reputation risks, among others, may lurk behind such outsourcing. Therefore, the CFPB and the prudential regulators have developed and updated their guidance to warn of, and identify, these areas of risk.
The updated guidance from these agencies contains similar themes and considerations, including the ultimate responsibility of boards and senior management, expectations for robust risk management processes, due diligence when onboarding vendors, specific contracting considerations, internal controls, and prompt action (including termination of the relationship) where compliance deficiencies or other significant problems arise.
For example, the CFPB’s guidance on service providers very clearly indicates that the CFPB expects its supervised institutions to take certain steps to ensure that these “arrangements do not present unwarranted risks to consumers,” including, but not limited to:
- “conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
- requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in any unfair, deceptive or abusive acts or practices;
- establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
- taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.”
Going forward, vendor risk management will continue to be an area of potential liability and risk for banks and non-banks alike. The CFPB and the prudential regulators expect to see certain risk management practices and contract provisions in material third-party business arrangements and, as such, financial institutions are well advised to conduct wholesale reviews of such material arrangements, amend them as necessary and engage in thoughtful, ongoing monitoring of the activities of their third parties.