On June 6, 2008, the FDIC issued Guidance for Managing Third Party Risk (FIL-44-2008) (the “Guidance”), reaffirming that “an institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.” As used in the Guidance, the term third party is broadly defined to include bank and non-bank, affiliated and unaffiliated, regulated and unregulated, and domestic and foreign entities with whom an institution has a business relationship. Such relationships are common, and it is generally expected that a bank will outsource certain operational functions to a third party or engage a third party to deliver products and services, including products funded by the institution and originated by a third party. By its terms, the Guidance applies to all third party arrangements; however, heightened board and management oversight and risk management, including initial and annual review and approval, should apply to significant third-party relationships. Among other factors, a relationship is deemed significant if it:
- involves a new relationship or new bank activities;
- has a material effect on revenues or expenses;
- involves a third party that performs critical functions;
- permits a third party to store, access, transmit or perform transactions on sensitive customer information;
- allows for third party marketing of bank products or services;
- involves subprime lending or card payment transactions; or
- poses risks that could significantly affect earnings or capital.
Failure to manage these risks exposes an institution to regulatory action, financial loss, litigation, reputational damage, and impairment of its ability to retain existing customer relationships or establish new ones. The first step in managing risk is proper risk identification and assessment. Depending on the facts and circumstances, a third party relationship may present risks that include:
Strategic Risk - risk arising from adverse third party business decisions or failure to implement appropriate decisions in a manner that is consistent with strategic goals.
Reputation Risk - risk arising from negative public opinion of the institution due to actions or inactions of the third party.
Operational Risk - risk of loss resulting from inadequate or failed third party internal processes, people and systems or external events.
Transaction Risk - risk of problems with third party service or product delivery and execution.
Credit Risk - risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the contractual terms or perform as agreed.
Compliance Risk - risk arising from statutory or regulatory violations, or from noncompliance with internal policies, procedures or business standards of the institution.
Other Risks - the potential for additional risks is fact-specific, and an institution should develop a comprehensive list of potential risks for each third party arrangement, possibly including liquidity, interest rate, price, foreign currency translation and country risks.
Third party due diligence is essential to adequately assess and mitigate risk. As noted in the Guidance, “the scope and depth of due diligence is directly related to the importance and magnitude of the institution’s relationship with the third party.” Comprehensive due diligence involves review of all available third party information, with attention to financial condition (including bond or insurance coverage), specific relevant experience, compliance knowledge, reputation (determined in part through complaints or litigation involving the third party) and the scope and effectiveness of operations and controls (which may be supplemented with external audits, SAS 70 reports or other supporting materials, if available; SAS 70 has since been superseded by SSAE 16/18 SOC 1 reports, which serve the same purpose in a current review).
Third party contracts form the basis of the relationship. To that end, contracts should reflect specific expectations and obligations of the parties. Depending on the materiality of the relationship, board and legal review and approval may be warranted. Of paramount importance is the need to clearly and explicitly establish the scope of the relationship, compensation terms, events of default, performance standards, term and time deadlines, format of deliverables, agency access to relevant third party records, insurance requirements, confidentiality, use of subcontractors and indemnification.
A third party risk management oversight program should generally include ongoing monitoring of the third party’s quality of service, risk management practices, financial condition and applicable controls and reports. Results of oversight activities for significant third party relationships should be reported to the board of directors or a designated board committee periodically. The Guidance directs that “identified weaknesses should be documented and promptly addressed.”
Accordingly, a regulatory examination of a financial institution will include a review of third party services “to the same extent as if the third-party activity were handled within the institution.” The quality of an institution's third party risk management and oversight is typically reflected in the management component of its examination rating. As a final comment in the Guidance, the FDIC noted that Section 7 of the Bank Service Company Act mandates written notice to the appropriate federal banking agency of third party contracts for certain services, such as check and deposit sorting and posting; computation and posting of interest and other credits and charges; preparation and mailing of checks, statements, notices, and similar items; or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution. While the Guidance does not create new requirements for banks, it does reaffirm the need to focus attention and resources on third party relationships and their risks.