The Most Important Aspect of Third-Party Risk Management

Third-party risk management, or TPRM, is a perpetual hot topic in banking and financial services.

Banks are outsourcing and using third parties for a range of products, services and activities as the financial services landscape becomes more digital and distributed. A common refrain among regulators is that “you can outsource the activity, but you can’t outsource the responsibility.” Banks can engage third parties to do what they can’t or don’t want to do, but are still on the hook as if they were providing the product or service directly. This continues to be a common area of focus for examiners and has been identified as an area for potential enforcement actions in the future.

Given the continuing intense focus on third-party activities and oversight, one word comes to mind as the most critical component of TPRM compliance: structure. Structure is critical in the development of a TPRM program, including each of its component parts.

Why is it so critical? Structure promotes consistency. Consistency supports compliance. Compliance mitigates risk and liability.

Banks with a consistent approach to TPRM conduct risk assessments more easily, plan for third-party engagements, complete comprehensive due diligence, adequately document the relationship in a written agreement and monitor the relationship on an ongoing basis. Consistency, through structure, ultimately promotes compliance.

Structure will become increasingly important in TPRM compliance, given that the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued proposed interagency guidance on TPRM last summer. While the guidance has not been finalized as of this publication, the concepts and substantive components have been in play for some time; indeed, they are based largely on the OCC’s 2013 guidance and FAQs on the topic.

Generally, the proposed guidance contemplates a “framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.” Like other areas of risk management, this framework should be tailored based on the risks involved and the size and complexity of the banking organization. Fortunately, interagency guidance will enhance the consistency of the regulatory examination of TPRM compliance across banks of all sizes and charter-types.

The proposed guidance outlines the general TPRM “life cycle” and identifies a number of principles for each of the following stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The first three stages of this TPRM life cycle benefit the most from a structured approach. These three stages have more stated principles and expectations outlined by the banking agencies, which can be broken down effectively through a properly structured TPRM program.

So, when looking at improvements to any TPRM program, I suggest bank executives and boards start with structure. Going forward, they should consider the structure of the overall program, the structure of each of the stages of the life cycle outlined by the banking agencies and the structure of the compliance function as it relates to TPRM. An effective strategy includes implementing a tailored structure at each stage. If executives can accomplish that, they can streamline compliance and make it more consistent throughout the program. Structure provides certainty as to internal roles and responsibilities, and promotes a consistent approach to working with third parties.

Outsourcing the Service, Not the Oversight


Every bank director has heard it: You can outsource a service, but you cannot outsource the responsibility.

That sounds clear enough, but how does a board know what its role should be when an opportunity to partner with a financial technology firm, or fintech, arises? The board’s role is oversight and guidance, not day-to-day management. But oversight is not passive. So what does board oversight look like in the evolving world of bank and fintech relationships?

Consider a bank that is reviewing a proposal from a fintech. Management believes that this is a great opportunity for the institution, and presents it to the board for approval. What is the board’s role here? The board’s involvement must be flexible enough that it can react to these situations, but it should also consider some essential inquiries, such as:

Does the proposal match up with the bank’s strategic plan? The board is responsible for the strategic direction of the bank. Directors should consider if the proposal is an appropriate project for the size, resources and initiatives of the bank. They must also think about whether the proposal aligns with the bank’s strategic plan. If the proposal does not match up with the strategic plan, they may also want to consider if it is material enough that the strategic plan should be amended.

What are the risks? The board is responsible for ensuring that an effective risk management program is in place at the bank, which includes the ability to fully assess risks and establish controls and oversight to mitigate those risks. It should assess the fintech proposal through its risk management process.

Management should provide the board with a comprehensive risk assessment of the proposed relationship that thoroughly outlines how each identified risk will be mitigated. The board should look at that assessment critically. Was it prepared by competent and experienced personnel? Does it appear to be thorough? Does it focus on IT risks or other narrow issues, or take into account all of the compliance issues? Does it include state laws, which is especially important if the bank is state-chartered? How does the assessment address concerns about privacy and cybersecurity? What does it say about reputation risk?

Is there a negotiated contract that addresses all of the risks? The board is responsible for ensuring that all third-party relationships are documented in negotiated contracts that protect the interests of the bank. The board needs to ensure that appropriate legal counsel is engaged to negotiate the arrangement, depending on the riskiness of a proposed fintech relationship. Counsel should have a thorough understanding of the legal issues involved in the proposed program and the applicable regulatory guidelines for third-party contracts.

The actual contract negotiation should be done by management. However, the board could consider requiring a summary of the important contract provisions or a presentation by management or legal counsel about the terms, depending on the level of risk involved and materiality to the bank.

How will the board know if the program is performing? The board should receive ongoing reports relating to monitoring of the program and the fintech. These reports should be sufficient for the board to establish that the program is compliant with law, operates in accordance with the contract and meets the strategic objectives of the bank. If the program is not performing, the board should know whether appropriate action is underway to either facilitate performance or terminate the program.

A bank’s board cannot outsource its responsibility for outsourced services, even if a fintech partner seems to have a fantastic product. The board must ask enough questions to be certain that management has engaged in appropriate due diligence, identified the risks and determined how to mitigate those risks through the contract and oversight. The implementation of all of those steps is up to management. But one role in particular rests with the board: ensuring that the relationship with the fintech partner furthers the strategic goals of the bank.

Competition for Credit Analysts Creating New Challenge for Banks


Successfully recruiting a qualified credit analyst is proving to be quite a challenge in today’s banking environment. There are a number of contributing factors, including compensation compared to other industries, the evaporation of commercial credit training, and a lack of college graduates in certain areas.

With this shortage, credit analysts are highly sought after, and analysts are demanding higher wages than what the banking industry is accustomed to paying.

In the past, it has been common practice for banks to outsource loan review, compliance testing, and internal audit functions — so why not the credit analyst role?

Thin talent pools flow two ways
Historically, banks have hired recent college graduates as credit analysts with the expectation of developing them into commercial lenders and potentially future management. In theory, this practice makes sense. But in today’s market, the success rate of banks converting a credit analyst into a long-term employee seems to be the exception rather than the norm, causing many banks to abandon their commercial training programs.

Over the past decade, many banks have begun hiring seasoned credit analysts who aren’t looking to move to a customer-facing role, making it more difficult to find affordable, permanent analysts.

In recent years, outsourced providers have started meeting the demand for credit analysts. With the increase in compensation for this role, outsourcing may now be the cost-effective option. This is especially true when you factor in the time and effort spent recruiting and training, while accounting for increased efficiency or production from an experienced analyst/outsourced provider.

Banks Still Have Underwriting Control
It is clear many bankers do not want an outside vendor impacting their underwriting decisions. Banks want to make loans to familiar borrowers, and they don’t want the potential for an overly critical or negative analysis from a third party to hinder their ability to do so.

It’s important to understand that your bank will always own and control the underwriting process. The primary focus for outsourced credit analyst services is to provide all the relevant credit information in a consistent format, which will allow the bank to make a well-informed decision. Outsourcing credit analysis should not impact the bank’s underwriting practices.

Banks take pride in their ability to provide quick responses to their borrowers. Outsourcing analyst work doesn’t mean longer turnaround times. If you are considering an outsourced solution, make sure that you establish clear deadlines with your vendor.

You could also consider segmenting the credit analyst work flow between new credit requests and ongoing portfolio monitoring. It may make sense for a bank to analyze new money requests in-house, and then to outsource the less time-sensitive renewal requests and annual reviews.

Training, Retaining Analysts Can Cost You
Even if you are successful in hiring a qualified analyst candidate, the time and resources needed to properly train a new hire with little or no previous credit experience can be quite extensive. Typically, when a bank is large enough to have a pool of credit analysts, there is usually a full-time employee who helps train and develop their skill set. But if you work at a smaller community bank, you might only have one or two analysts on staff.

It is common for a senior analyst, credit officer, or a manager from the credit administration area to oversee a new analyst. But these employees usually maintain a full workload in addition, which may result in inadequate training, or an overstressed manager.

The challenge doesn’t end once you hire and train a new credit analyst. One of the biggest challenges still remains — keeping the analyst in the role. Most banks are lucky if they can keep an analyst in the role for two or three years before the individual leaves for higher pay or a more satisfying analyst role somewhere else. And then it’s time to start the recruiting and training process all over again.

At the end of the day, banks want a viable option to end what seems like a revolving door of credit analysts. By outsourcing this role, banks have new opportunities to provide cost savings and improve quality for their customers.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. For more information, visit CLAconnect.com.

The Advantages of Nearshoring



For tech companies, the main allure of outsourcing lies in the promise of improved cost efficiency. Outsourcing’s popular cousin, nearshoring, has been a solid solution for IT companies over the years and still represents a viable staffing option. But the relevance of nearshoring will most likely increase in the months to come because of the Trump administration’s plans for the H-1B visa program, which is vital to the high tech industry.

Technology enterprises are always transforming, evolving and researching to improve themselves, which is why these companies spend generous amounts of money on recruiting the best teams.

That’s where the outsourcing concept comes to life; a company engages another organization to do some of its work rather than using its own in-house employees. Teams built across the border can get the same job done less expensively while addressing issues that IT companies are having in the current environment.

The tech world is known for pushing forward and past what’s previously been established to pursue a different norm. That’s why IT is so keen to look beyond borders to find the most qualified talent without regard to geographical limitations. To have the entire world as your contracting pool is the best way to face one massive issue in the tech world: the lack of talent per vacancies available. IT companies have many seats to fill and talent is getting harder to find, especially when time-worn, traditional methods of hiring are used.

What nearshoring offers is a large selection of high quality profiles of people with vast knowledge, a high level of self-motivation and the diligence necessary to work within a multinational company. How can you resist enthusiasm and quality? We can’t ignore that immigrants in Silicon Valley created more than half (44 of 87) of America’s startup companies valued at $1 billion or more, according to the National Foundation for American Policy brief in 2016.

Cost Advantage
It’s the holy grail of arguments for outsourcing, and the reason that companies get interested in hiring people abroad in the first place. To assemble a team of great value simply costs less in Singapore or Argentina than it does in the U.S.

Another consideration for nearshoring companies is the expense of building a business in some cities as opposed to others. Just compare two of the biggest IT destinations: It would cost roughly 66 percent more to maintain the same lifestyle in San Francisco—considered by many to be sacred territory for tech companies—than in Buenos Aires. These cost savings would have a significant effect on a company’s bottom line.

The Importance of Proximity
Hiring teams outside the U.S. has become a must to develop growth and create a fully functioning company. With more work and additional responsibilities, there needs to be increased communication with improved methods of delivery. Time overlap due to widely differing time zones can result in high costs and reduced efficiency.

When teams share time zones and are relatively close, geographically speaking, they can more easily coordinate meetings, book flights and share project progress. This translates into better work efficiency because time management goes hand in hand with budgets and deadlines.

Culture Matters
As stated before, effective communication is the foundation of workplace productivity and its importance increases significantly when you have employees in distant places. However, the presiding culture where your remote teams are based also matters. Nearshoring gives businesses the capability of hiring people who share similar values, work habits and sense of urgency. This is key in solidifying trust among team players who are abroad in the way they approach a task or face a challenge.

Even with all the advantages that nearshoring specific tasks and projects can provide, very few companies have tried it yet. This year represents an opportunity to invest in nearshoring teams, specifically in the tech industry, which is currently experiencing widespread uncertainty in response to President Trump’s clear intentions of reforming the H-1B visa program.

Seven Steps to Strengthen Your Vendor Management Process


What’s one of the scariest things that keeps a bank CEO up at night? Two words: data breach.

The Federal Financial Institutions Examination Council document on board and senior management responsibilities says:

“The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue.”

Target Corporation had 40 million credit card numbers exposed and eventually settled with Visa for $67 million. In 2014, we saw bigger companies in the headlines such as Home Depot and Sony fall victim to the same fate.

Target’s breach came through an HVAC vendor that had access to the retailer’s internal network. That means the bad guys only had to figure out how to sneak by the HVAC company’s security, not Target’s. This was a perfect example of how more robust vendor management practices could have prevented unauthorized access.

Think about all the people who need access to your building, systems, network, hardware, telephone lines, lighting, security, and so forth. How diligent are those other businesses about security?

If it’s time to ask your vendors for their annual SOC reports (reports that deal with organizational controls related to security and process integrity), insurance documents and financials, and you’re just checking boxes to satisfy an audit requirement, then you are doing it wrong.

Follow these seven steps to reinvent and strengthen your vendor management process.

Step 1: Obtain Executive Sponsorship
Vendor management should start at the top. You will need someone leading the charge and who has access to your bank’s board leaders.

Step 2: Create a Vendor Management Committee
These people should be from different departments and have different backgrounds, such as IT, legal, compliance, finance and senior leadership. Diversity here is crucial; everyone sees threats differently.

Step 3: Create a Centralized Vendor Management Program
No single person can possibly be responsible for the entire program. It’s imperative that it becomes a collaborative effort.

Step 4: Gain Buy-In
Involving the staff creates a sense of ownership. It’s no longer just IT’s problem; it’s everyone’s responsibility.

Step 5: Create a Vendor Inventory
Make sure you know who your vendors are. Do you have multiple vendors doing the same function? Work with accounts payable to determine active vendors. The normal time span is 12 to 24 months.

Step 6: Categorize All Vendors
Does this vendor have access to customer data? Do they have facilities access? What is our risk if this vendor is compromised? This is where you identify critical and high-risk vendors.

Step 7: Remove the Silo
Save the documents to a shared resource. Everyone involved should have access.

How Would These Steps Prevent the Target Scenario?
Step six says to categorize all vendors and identify the risk. The HVAC vendor seems like it would be a low-risk vendor, but when you dive into the level of access it had, you would quickly discover the HVAC vendor should be a high-risk vendor. The HVAC vendor was allowed access to the internal network, which gave the hackers a way in. Although the HVAC vendor didn’t have access to the customer data, it did have the keys to open the door.

How Banks Can Profit from SBA Lending


All community banks are looking for ways to leverage their staff, maximize profit, minimize expense and build flexibility into their loan portfolios.

One effective way to do this is to participate in SBA lending and to use an SBA outsource provider to provide your bank with a simple and cost effective way to offer this product.

The primary SBA lending program, the SBA 7(a) guaranty loan, allows the bank to make small business loans and receive a 75 percent guarantee from the U.S. government. The guaranteed portions of these loans can be sold in the secondary market, with current gain on sale premiums of 13.5 percent net to the bank. So if a bank makes a $1 million SBA loan and sells the $750,000 guaranteed portion, it will generate a premium or fee income of $101,250.

In addition, when the guaranteed portion of an SBA loan is sold, the investor buys the guaranty at a rate that is 1 percent less than the note rate. In this example, if you have a $1 million SBA loan at an interest rate of 6 percent and the bank sells the $750,000 guaranteed piece, the investor buys it at a 1 percent discount off the note rate and receives a yield of 5 percent. This means that the bank will earn 6 percent on the $250,000 portion that they retained and 1 percent on the $750,000 or $7,500 per year, not accounting for amortization of the loan. If you compare that $7,500 per year in servicing income to the $250,000 that the bank retains on its books, you can see that it represents an additional 3 percent yield on the retained portion. That 3 percent of servicing, plus the note rate of 6 percent, shows that the bank’s gross yield on the retained portion of the loan is now 9 percent. This additional yield is something to consider if your bank is competing for a loan with a larger bank that is trying to undercut your bank on pricing. The added servicing income will enable you to maintain your yield even on loans that have lower pricing.

While SBA lending can be very profitable, it should be viewed as more than just a profit center for your bank.

The SBA loan guarantee can be used to refinance existing loans to mitigate risk in your loan portfolio or to help retain clients who are close to the bank’s legal lending limits. Using SBA lending to refinance existing bank loans can be helpful in reducing real estate concentrations since properties like hotels, mini storage facilities and care facilities are included as investment properties by regulators. If a bank has these types of properties on their books, they can often refinance the loan and sell the guaranteed portion to reduce a concentration and free up capital. Using the SBA guaranty to make loans that fall into an investment property category is a good way of managing portfolio concentrations.

Why does SBA outsourcing make sense?
Outsourcing your SBA lending department eliminates the need to allocate resources and budget for an SBA department since there are no upfront or overhead costs associated with it. Outsourcing eliminates the risk of hiring an SBA team and then not generating sufficient loan volume to support the cost of that staff. SBA personnel costs are high, and it can be difficult to find qualified people. Also, without an experienced and dedicated SBA group, your loan officers will typically avoid handling SBA loan applications for fear of dealing with the complex SBA rules and process.

Outsourcing also enables a community bank to acquire, through the outsource provider, an experienced staff, which in turn enables it to provide an accurate and efficient process to its SBA borrowers. An SBA outsource provider can efficiently process, document, close, sell to the secondary market and service your loans. Typically these services charge between 0.6 percent and 2 percent of the loan amount.

Conclusion
In today’s competitive market, the SBA program offers too many profit enhancement and risk mitigation opportunities to simply ignore its value. In order to maximize success, bankers need to have every tool available to them.

Making Outsourcing Work for Your Bank


With increased regulatory compliance demands, many financial institutions are looking to relieve the pressure by outsourcing their non-core functionality. In this video, Beth Merle of Sutherland Global Services provides insight into which services can be outsourced, how much banks can save and the best way to hold providers accountable.


Regulators Go After Banks for Vendor Management


While the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators. A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word material, bankers should assume such subjectivity will be interpreted broadly by federal regulators.) Secondly, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

(Not the) Same as the Old Boss

While the message from the federal regulators has not varied over the years, recent actions by the various agencies indicate they are more likely to use enforcement as a means of guaranteeing compliance with their vendor management mandates. A detailed discussion of the cases listed below is beyond the scope of this article, but to a large degree each case focused on deceptive sales practices by third-party vendors while marketing a bank product:

  • CFPB: Discover Bank, $14 million civil penalty (September 2012)
  • OCC: American Express Bank, estimated $6 million in restitution (September 2012)
  • CFPB: J.P. Morgan Chase, $309 million in restitution and $20 million civil penalty (September 2013)
  • CFPB: American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)

Although neither the FDIC, OCC nor the CFPB provides community banks with an explicit exemption from the vendor management mandates, each set of rules does include a statement similar in content to that expressed in FIL-44-2008: “The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.” For community banks that offer only traditional banking services, senior management and the board should use a common sense level of due diligence before, during and after a third-party relationship is commenced.

We Won’t Be Fooled Again

Bank management and boards of directors should not allow recent enforcement actions to deter their use of third-party vendors to provide critical functions. The economics supporting such outsourcing decisions certainly outweigh the risks posed by potential regulatory enforcement action. However, regulators have given notice that a failure to implement and follow vendor management protocols will no longer be tolerated, and boards and management bear ultimate responsibility for any harm caused by a vendor’s failure to adhere to federal consumer financial law.