We advise our clients to read the speeches given by all of the bank regulators to get an early indication of what issues might be highlighted at their upcoming examinations, and to prepare accordingly. With the financial crisis hopefully in the rear-view mirror, this year regulators seem to be emphasizing issues surrounding risk management. Of particular concern seems to be the establishment of new products and services and the oversight of third-party vendors, which are topics that both Rick Warren of Crowe Horwath LLP and I will discuss at the upcoming Bank Audit & Risk Committees Conference.
As banks explore new products and services to help improve their earnings, and as the number and complexity of their third-party relationships increases, regulators are becoming concerned that risk management is not keeping pace. In response, the OCC recently issued its “Third-Party Relationships” guidance and the Federal Reserve issued its “Guidance on Managing Outsourcing Risk.” These were in addition to the FDIC’s existing “Guidance for Managing Third-Party Risk” and the OCC’s 2004 guidance, “Risk Management of New, Expanded, or Modified Bank Products and Services.” Through these documents and others, the agencies are conveying their collective concern that new products and services and vendor relationships could significantly impact banks’ operational, compliance, reputation, strategic and credit risk profiles. Accordingly, directors and senior management should understand that there are now heightened expectations in those areas, and not just for the largest institutions.
To place this issue in proper context, the establishment of new products and services and the monitoring of third-party vendors should be handled in a risk-based manner. A bank’s arrangement with its snow plow vendor will not require the same amount of scrutiny as its relationship with its core processor. Banks are expected to employ more comprehensive and rigorous oversight and management resources in those areas where there is significant risk of major customer impact, resource investment, or operational disruption.
New Products and Services
Regulators expect banks to engage in a rigorous and deliberative process when establishing new products and services. This process should involve all relevant stakeholders within the organization, including directors, and include the following elements:
- Due diligence. All risks associated with the new product or service should fit within the bank’s overall business strategy and risk profile.
- Risk management controls and processes. Policies, procedures, information and reporting systems, audit and compliance should all be adapted to the implementation of the product or service.
- Performance monitoring. Ongoing monitoring systems should be established to ensure that the product or service continually meets applicable expectations.
Third-Party Vendor Management
The regulatory agencies consistently describe an effective third-party vendor risk management process as a continuous, cradle-to-grave “life cycle,” rather than a static analysis applied only at the inception of the relationship. This approach should include:
- Appropriate planning. Conduct a thorough cost-benefit analysis and assess the impact of the relationship throughout the bank’s operations.
- Due diligence and third-party selection. Ensure that the vendor has the requisite experience, reputation, financial capabilities and security systems.
- Contract negotiation. Embed into contracts important provisions such as those relating to appropriate responsibilities, performance measures, indemnification, contingency plans and dispute resolution.
- Ongoing monitoring. Dedicate employees with sufficient experience and expertise to oversee and monitor the vendor, commensurate with the level of risk and complexity of the relationship.
- Termination. Plan to ensure that relationships terminate in an efficient and seamless manner, either through discontinuance or migration of the responsibilities to another provider or to the bank itself.
- Oversight and accountability. Commit appropriate oversight resources from the board level through senior management to employees who manage third-party relationships on a daily basis.
- Documentation and reporting. Create an effective system to inventory all third-party relationships and report findings appropriately throughout the bank.
- Independent review. Ensure that periodic reviews are conducted by internal auditors or an independent third party and that the results are reported directly to the board.
It has become clear over the last few months that examiners are increasingly asking more probing questions regarding new products and services and third-party vendor risk. Judging by the corrective and punitive enforcement actions being issued or threatened by regulators, banks should be prepared to give good answers to those questions, or risk serious consequences.