Optimize Fintech Spending With 3 Key ROI Drivers

Bankers are evaluating their innovation investments more closely as customer expectations continue to skyrocket and margins shrink. Technology spending shows no sign of slowing any time soon. In fact, Insider Intelligence forecasts that U.S. banks’ overall technology spending will grow to an estimated $113.71 billion in 2025, up from $79.49 billion in 2021.

The evolution of the fintech marketplace is challenging banks to strategically choose their next fintech project and calculate the return on those investments. How do they ensure that they’re spending the money in the right places, and with the right providers? How can they know if the dollars dedicated toward their tech stack are actually impacting the bottom line? They can answer these key questions by evaluating three key ROI drivers that correlate with different stages of the customer journey: acquire, serve and deepen or broaden.

The first ROI driver, acquire, relates to investments focused on customer acquisition that are often the main focus of new technology initiatives — for good reason. Technology that supports customer acquisition, such as account opening or loan origination, makes bold claims about reducing abandonment and driving higher conversion rates. However, these systems can also lead to a disjointed user experience when prospects move between different systems, each with their own layout and aesthetic.

When bankers search for solutions that improve customer acquisition, they should ensure the solution provides the level of flexibility required to meet and exceed customer expectations. A proof of concept as part of the procurement process can help the bank validate the claims made by the fintechs under consideration. Remember: A tool that is more configurable on the front-end likely requires more up-front work to launch, but should pay dividends with a higher conversion rate. A style guide that describes the bank’s design principles can help implementation go smoother by ensuring new customers enjoy a visually consistent, trustworthy onboarding experience that reinforces their decision to open the account or apply for the loan.

The next ROI driver, serve, is about critically evaluating customer service costs, whether that’s achieved through streamlining internal processes, integrating disparate systems or empowering customers with self-service interfaces. While these investments are usually aimed at increasing profitability, they often contribute to higher customer satisfaction.

An often-overlooked opportunity is to delegate and crowdsource content through nonbank messaging channels, like YouTube or Reddit. A Gartner study found that millennials and Gen Z customers prefer third-party customer service channels; some customers even reported higher satisfaction after resolving their issue via outside channels. A majority of financial services leaders say they are challenged to provide enough self-service options for customers; those looking to address that vulnerability and improve profitability and customer satisfaction may want to explore self-service as a compelling way to differentiate.

The final ROI driver is about unlocking growth by pursuing strategies that deepen or broaden your bank’s relationships with existing customers while expanding the strategic core of the company. A study by Bain & Co. evaluated the effectiveness of different growth moves performed by 1,850 companies over a five-year period. Researchers found six types of growth strategies that outperformed: expand along the value chain, grow new products and services, use new distribution channels, enter new geographies, address new customer segments and finally, move into the “white space” with a new business built around a strong capability.

The key to any successful innovation initiative is to view it not as a one-time event, but rather a discipline that becomes central to your institution’s strategic planning. Bain found that the average company successfully launches a new growth initiative only 25% of the time. However, that rate more than doubles when organizations embrace innovation as a cyclical process that they practice with rigor and discipline.

As your bank seeks to better prioritize, optimize and evaluate its fintech investments, carefully considering these three key ROI drivers to identify where the greatest need stands can help. This will ensure your institution’s valuable technology dollars and employee efforts are spent wisely for both the benefit of the customer and growth of the bottom line.

Core Processing? Find the Aces Up Your Sleeve

Outsourced core processing usually represents regional and community banks’ most significant — and most maligned — contractual relationship. Core technology is a heavy financial line item, an essential component of bank operations and, too often, a contractual minefield.

But contrary to popular belief, it is possible for banks to negotiate critical contractual issues with core processing providers. No matter their size, banks can negotiate both the business and legal terms of these agreements. Technology consultants and outside legal counsel can play impactful, complementary roles to help level the playing field. Be certain that your bank is well advised and allocating adequate resources to these matters.

Critical Contractual Issues
From a legal angle, we at BFKN routinely look at and comment on dozens of separate points in a typical agreement — some of which are of critical importance as the arrangement matures. We have favorably revised termination penalties, service levels and remedies, the definition and ownership of data, caps on annual fee increases, limitations of liability, information security and business continuity provisions, ongoing diligence and audit rights, deconversion fees and the co-termination of all services and products, among many other items.

Exclusivity provisions which prevent banks from securing competing products without incurring penalties are also a focus for many organizations seeking to futureproof their core processing; a vendor reserving exclusivity, whether outright or through volume minimums, can hinder the bank’s ability to innovate.

Engaging External Resources
Banks are generally at a disadvantage in vendor contract negotiations, given that vendors negotiate their forms frequently against many parties and banks do not. Fortunately, there is a robust industry of technology consultants, of varying degrees of competence and quality, that work specifically in the core processing and technology vendor space. Most banks should engage both technology consultants, which can tackle the practical and business angles of the vendor relationship, and outside legal counsel, to focus on legal and regulatory concerns.

When considering whether to bring in outside advisors, executives at institutions considering a change in their vendor or approaching a renewal or significant change in their core processing services should ask the following questions:

  • Has the bank thoroughly evaluated its existing relationship and potential alternatives?
  • Would it be helpful to have an outside consultant with a perspective on the current market review the key business terms and pricing considerations?
  • Is the bank confident that the existing agreement sufficiently details the parties’ legal rights and responsibilities? Could it benefit from an informed legal review?
  • If considering an extension of an existing relationship, can any proposed changes be addressed sufficiently in an amendment to the existing contract, or is it time for a full restatement (and a full review) of the documentation?
  • Are there strategic considerations, such as a potential combination with another entity or the exploration of a fintech venture, that may raise complex issues down the line?

Leveraging Internal Resources
Dedicating the right internal resources also helps banks ensure that they maximize their leverage when negotiating a core processing agreement. As a general matter, directors and senior management should have an ongoing familiarity with the bank’s vendor relationship. For many, this can seem a Herculean task. Core processing contracts often span hundreds of pages and terms are gradually added, dropped and altered through overriding amendments. Nevertheless, by understanding, outlining, and tracking key contractual terms and ongoing performance, directors and senior management can proactively assess the processor and appraise its limitations.

This engagement can result in better outcomes. Are there any performance issues or problems with the bank’s current vendor? If a provider is falling short, there may be alternatives. Diverse technology offerings are introduced to the market continually. Of course, establishing a new relationship can be a painstaking process, and there are risks to breaking with the “devil you know.” Yet we are having more conversations with banks that are exploring less-traditional core technology vendors and products.

Short of a wholesale switch of vendors and products, it is possible for banks to negotiate for contractual protections against a vendor’s limitations. And even if senior management takes the lead in negotiating against the vendor, directors can play a valuable role in the negotiation process. We’ve seen positive and concrete results when the board or a key director is engaged at a high level.

If it’s time to start negotiating with a core processing provider, don’t leave your chips on the table. Fully utilizing both internal and external resources can ensure that the bank’s core processing relationship supports the bank for years to come.

Effective Oversight of Fintech Partnerships

For today’s banks, the shift to digital and embracing financial technology is no longer an option but a requirement in order to compete.

Fintechs enable banks to deploy, originate and service customers more effectively than traditional methods; now, many customers prefer these channels. But banks are often held back from jumping into fintech and digital spaces by what they view as insurmountable hurdles for their risk, compliance and operational teams. They see this shift as requiring multiple new hires and requiring extensive capital and technology resources. In reality, many smaller institutions are wading into these spaces methodically and effectively.

Bank oversight and management must be tailored to the specific products and services and related risks. These opportunities can range in sophistication from relatively simple referral programs between a bank and a fintech firm, which require far less oversight, to banking as a service (often called BaaS), which requires extensive oversight.

A bank’s customized third-party oversight program, or TPO, is the cornerstone of a successful fintech partnership from a risk and compliance perspective, and should be accorded appropriate attention and commitment by leadership.

What qualifies as an existing best-in-class TPO program at a traditional community bank may not meet evolving regulatory expectations of a TPO that governs an institution offering core products and services through various fintech and digital partners. Most banks already have the hallmarks of a traditional TPO program, such as reviewing all associated compliance controls of their partner/vendor and monitoring the performance on a recurring basis. But for some banks with more exposure to fintech partners, their TPO needs to address other risks prior to onboarding. Common unaccounted-for risks we see at banks embarking on more extensive fintech strategies include:

  • Reviewing and documenting partners’ money transmission processes to ensure they are not acting as unlicensed money transmitters.
  • Reviewing fintech deposit accounts’ setup procedures.
  • Assessing fintech partner marketing of services and/or products.
  • Ensuring that agreements provide for sufficient partner oversight to satisfy regulators.
  • Procedures to effectively perform the protocols required under the Bank Secrecy Act, anti-money laundering and Know Your Customer regulations, and capture information within the bank’s systems of record. If the bank relies on the fintech partner to do so, implementing the assessment and oversight process of the fintech’s program.
  • Assessing the compliance and credit risks associated with fintech partner underwriting criteria such as artificial intelligence, alternative data and machine learning.
  • Assessing the impact of the fintech strategy on the bank’s fair lending program and/or Community Reinvestment Act footprint.
  • The potential risk of unfair, deceptive or abusive acts or practices through the fintech partner’s activities.
  • True lender risks and documenting the institution’s understanding of the regulations surrounding the true lender doctrine.
  • Assessing customer risk profile changes resulting from the expansion of the bank’s services and/or products and incorporating these changes into the compliance management system.
  • Revising your overall enterprise risk management program to account for the risks associated with any shift in products and services.

Finally, regulators expect this shift to more fintech partnerships to become the norm rather than the exception. They view it as an opportunity for banks to provide greater access to products and services to the underbanked, unbanked and credit invisible. Over the last couple of years, we have seen a number of resources deployed by bank regulators in this space, including:

  • Regulators creating various offices to address how banks can best utilize data and technology to meet consumer demands while maintaining safety, soundness, and consumer protection. The Federal Deposit Insurance Corp. has built FDITECH, the Office of the Comptroller of the Currency has an Office of Innovation, as does the Federal Reserve Board. The CFPB has aggregated their efforts to deploy sandboxes and issue “No-Action Letters” through its own Innovation Office.
  • The Federal Reserve issued a guide for community banks on conducting due diligence on financial technology firms in August 2021.
  • OCC Acting Comptroller Michael Hsu gave remarks at the Fintech Policy Summit 2021 in November 2021.
  • In November 2021, the OCC issued a release clarifying bank authority to engage in certain cryptocurrency activities, as well as the regulator’s authority to charter national trust banks.

Adopting best practices like the ones we listed above, as well as early communication with regulators, will place your bank in a great position to start successfully working with fintechs to expand and improve your bank’s products and services and compete in today’s market.

Three Tips to Manage Third-Party Cybersecurity Risk

Third-party vendors enable community banks to deliver essential products and services to consumers, but they can also be a weak link in their cybersecurity strategy.

The events of 2020 have made it imperative for banks to focus on protecting their employees, consumers and valuable assets — making cybersecurity a persistent priority for executive management. Ransomware has escalated at an alarming rate, leading community banks to engage even more with managed security service providers to strengthen their cybersecurity strategies. Given the critical nature of omnipresent cybersecurity and the continuous dependency on third-party providers, here are some practical tips for managing third-party risk in your cybersecurity strategy.

1. Collaborate Across Your Institution
It’s common to have a dedicated vendor management team or department at community banks, but it’s important to avoid a silo mentality when dealing with risk. Know your bank’s risk appetite and make sure everyone involved in risk management knows it as well.

Evaluate third parties against that appetite. Vendor assessments are critical to ensure your business will reap the benefits of the services you expect to receive.

Document third-party products and services in your environment. Update operational, IT and cybersecurity policies, as well as business continuity plans to include your vendors, outlining their roles and responsibilities — especially in the event of an outage, incident, or disaster.

2. Due Diligence is Key
Ensure your bank has a detailed process for evaluating third parties prior to signing contracts. One good way to prevent a third-party cyber incident is to ensure third parties have strong cybersecurity programs. The Federal Financial Institutions Examination Council states, “Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”

Establish how your bank’s data is handled to protect the privacy of your employees and customers. Who owns the data and who has access to it? How long will data be retained? What happens to data if you terminate your contract? Make sure the bank documents data ownership and management in its third-party contracts. A data breach caused by a third party can endanger customer privacy and violate data privacy laws, including the General Data Protection Regulation and California Consumer Privacy Act.

3. Trust but Verify
It’s important to ensure that services continue to perform as expected after determining the need for third-party services and conducting due diligence to ensure the best fit. The phrase “trust but verify,” while originally used in a political context, is often used to describe this practice in vendor management.

Periodically review the bank’s vendors to ensure they’re meeting the obligations set in the Service Level Agreements (SLAs), which can help address issues before an incident can occur. If appropriate, the board should consider engaging an independent provider to audit, monitor or alert of any issues that could impact the vendor’s ability to meet their SLA.

Banks should consider supporting their vendor management strategy with technology solutions that can:

  1. Track vendors, subsidiaries, relationship owners, documentation and contacts.
  2. Perform vendor due diligence and analyze criticality, usage and spend.
  3. Deliver surveys and risk assessments to external third-party contacts.
  4. Manage contract review and renewals.
  5. Coordinate with legal, procurement, compliance and other functions.
  6. Monitor key vendor metrics via personalized dashboards and dynamic reports.

Third-party risk is an important component of any bank’s cybersecurity strategy and should align with its enterprise risk management and information security programs. Using a common risk framework that includes vendor management will promote collaboration, integration and visibility across the bank. Ultimately, the result is a reliable and consistent process that can help you protect and service your customers.

Nine Vendor Risk Management Tips for the Board


2017 is already proving to be a very difficult year for bank boards. While being on a board can be a rewarding experience, increasing regulatory pressures certainly don’t make the position and its corresponding responsibilities any easier.

One particular area of intense focus by the regulators is third-party risk management. Ultimately, the regulators have stated that it is your responsibility to ensure that you have a third-party risk program in place that addresses your vendors and the level of risk they pose.

Aside from potential enforcement actions and fines from the regulators, an inadequate third-party risk program can leave your institution ill-prepared or vulnerable to a host of issues. Worsening vendor financial performance could be an indicator of woes to come, such as poor customer service, bugs and issues with its system. Banks that auto-renew vendor contracts could miss a chance to re-negotiate old contracts.

Poor due diligence could mean partnering with a vendor that is damaging to your institution’s reputation. For example, if you don’t understand where customer complaints are coming from and why, regulators could question your ability to properly oversee and monitor your vendor’s performance and manage the corresponding impact on your customers.

While there will always be unforeseen issues you cannot avoid, having an effective third-party risk policy and program in place can ensure your full compliance with the guidance and help steer you to partnerships that will benefit your institution.

And, even when those unforeseen issues do occur, and they will, you’re better prepared to react in an effective and organized manner. To help, here are nine tips to keep you on the right path.


1. Read and understand the guidance from your primary regulator as it pertains to third-party risk management. There are key expectations clearly identified in the guidance and they should give you ample fodder for asking your institution’s senior management team pertinent questions.

2. Set expectations and tone from the top. Make sure that from senior management all the way to the front-line customer service representatives, everyone understands his or her responsibilities when it comes to compliance with the rules, as well as how your organization wants to handle vendor-risk management.

3. Have your vendor risk management program thoroughly reviewed for any possible deficiencies and focus on areas that are often overlooked, such as fourth-party risk management or reviewing third parties’ procedures for complaint management.

4. Automate your third-party risk program. Most institutions have already taken the steps away from Excel and other spreadsheet programs in favor of ones that help to manage a complicated network of vendors and regulatory expectations.

5. Involve your internal audit department, compliance team and counsel in evaluating the effectiveness of the vendor management program.

6. Strongly consider making vendor management directly accountable to the board or the most senior risk committee at your institution. Firmly establish its independence from the various lines of business and ensure the needs of vendor management do not fall on deaf ears. Ensure that any issues raised, whether in the course of normal business or during examinations, are promptly and thoroughly addressed.

7. Invite the head of your vendor management program to report regularly at board meetings. A standard set of reports is adequate, but make sure that any concerns or significant issues are clearly called out and reflected in the minutes of the meetings.

8. Ensure those involved in vendor management have adequate resources, such as staffing and a high enough budget, as well as ample training and experience to do the job well. Seek outside independent expertise or outsource tasks where needed, particularly for highly technical items such as business continuity plan reviews for SSAE 18 analysis, attestation standards issued by the American Institute of CPAs.

9. Ask pertinent questions and drill down when anything seems amiss. Use industry news, new regulations and enforcement actions as opportunities to view your own vendor management program through that lens and see if there are areas of concern that should be addressed.

The world of vendor management isn’t easy and your job as a director is incredibly complex and overwhelming at times. Fortunately, done well, vendor risk management can also be a significant strategic advantage, allowing you to do business with well-managed companies in a compliant and cost-efficient manner.

Resources
Venminder Library
CFPB guidance 2016-02
FDIC FIL 44 2008
OCC Bulletin 2013 29
OCC Bulletin 2017 21
FFIEC Appendix J

The Three Top Reasons For Vendor Consolidation


Why should banks and credit unions consider consolidating their vendor relationships? Here are three top reasons why:

1. Save Time And Money
Banks and credit unions that reduce the number of their vendor partnerships can increase their operational efficiency and productivity. When an institution partners with multiple vendors, typically that means staff has to deal with multiple back-end systems, often accessing each system numerous times a day and struggling to keep abreast of all of the updates for every system. Sometimes, staff is even unnecessarily bogged down with having to deal with duplicative systems from multiple vendors.

Consolidating vendor relationships also can significantly reduce the amount of training for staff as well as for customers. Bank and credit union staff typically has to train customers on how to use vendors’ private-labeled portals, and that can be time-consuming, particularly if a financial institution uses multiple vendors with multiple portals. But if an institution uses the same vendor for multiple solutions that all have the same look and feel and the same technology, then training of both staff and customers is significantly reduced.

When banks and credit unions are able to negotiate fewer contracts, they can conduct less due diligence on potential vendors, as well as get more for their money by reducing the amount of monitoring and reporting required for risk and assessment compliance. On the other hand, having multiple contracts with multiple vendors adds even more burden to staff because they will also have to monitor different contract term dates for renewal, and then they’ll have to determine how one expiring contract could impact solutions from other vendors.

Furthermore, when a bank or credit union uses fewer vendors, the institution has more negotiating power because it frees up more dollars with the remaining vendors. The higher the volume provided to a vendor, the more likely they will offer their best pricing resulting in lower cost.

2. Save On Vendor Due Diligence
Financial institutions are increasingly responsible for keeping up with the third-party vendor management requirements of the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Federal Reserve, and for state-chartered institutions, the requirements of state regulators.

For example, the FDIC’s Guidance for Managing Third-Party Risk (FIL-44-2008) provides four main elements of an effective third-party risk management process: risk assessment, due diligence in selecting a third party, contract structuring and review, and oversight. But today, there’s even more heightened scrutiny, as a number of high-profile security breaches of major vendors have caused regulators to make sure that financial institutions are actually taking all the necessary steps spelled out in the regulations, such as the IT handbook of the Federal Financial Institutions Examination Council (FFIEC).

Banks and credit unions can find it very time consuming to conduct the proper due diligence and ongoing monitoring on each vendor. By partnering with one vendor, financial institutions can significantly reduce their compliance burden.

3. Help Customers
Consolidating vendors can enable banks to greatly elevate the experience for their customers, by providing a single platform that is easy to navigate. Banks may also have access to additional monitoring and reporting of customer activity to help prevent and detect fraud.

Vendor consolidation can provide substantial return on investment by saving time and achieving cost savings, as well as reduce regulatory burdens by providing the right monitoring and reporting to meet compliance requirements. Partnering with one vendor can not only save time and money and boost return on investment, but also enhance customer loyalty by elevating the user experiences on the platform.

Why Banks Are Buying Design Firms


Within the past 18 months, two of the industry’s more innovative banks have made some seemingly odd acquisitions. McLean, Virginia-based Capital One Financial Corp., in October 2014, acquired Adaptive Path. The Spanish-based BBVA (Banco Bilbao Vizcaya Argentaria) acquired Spring Studio in April 2015. The common thread between these acquisitions? Both are San Francisco-based user experience and design firms.

Banks are seeing a critical need to improve customer experience, says Norm DeLuca, managing director of digital banking at Bottomline Technologies, a technology provider for commercial banks. He believes that changing consumer expectations and competition both within the industry and from fintech startups are contributing to a heightened focus on user experience. “One of the biggest differentiators that fintechs and new innovators lead with is a much simpler and [more] attractive user experience,” he says.

Customers increasingly identify their financial institution through their online experiences more than personal interactions, says Simon Mathews, chief strategy officer at San Francisco-based Extractable, a digital design agency. He believes that Capital One and BBVA found a way to more quickly improve the digital experience at their institutions. It’s a relatively new field, and good user experience designers aren’t easy to find. “What’s the quickest way to build a team? Go buy one,” says Mathews.

Design is only one piece of the puzzle. “Great design is important, but it really is only the tip of the iceberg on user experience,” says DeLuca.

A bank can’t expect to place a great design on top of outdated technology and create a good user experience, says Mathews. Data plays a key role. Customers with multiple accounts want to see their total relationship with the bank in one spot. That requires good, clean data, says Mathews.

The products and services offered by a financial institution need to be integrated. Can the customer easily manage and access separate products, such as loans and deposit accounts? Often, the process can be disjointed, and it’s a competitive disadvantage for the bank. “You might as well be buying from separate providers, if the experiences are separate,” says DeLuca.

Data analytics can also help banks personalize products and services for the customer, says Stephen Greer, an analyst with the research firm Celent. The industry is spending a lot on data analytics, “largely to craft that perfect customer experience,” he says.

While technology can be updated, organizational challenges are more difficult to overcome. Banks tend to operate within silos (deposit accounts in one area, wealth management in another), and that doesn’t align with the needs of the consumer. “They don’t think, necessarily, about the total experience the user has,” says Mathews. “Users move fluidly between [delivery] channels.”

Great user experience requires “a really deep understanding of customer’s lives, and the environment they’re in, and what they’re trying to do and why,” says Jimmy Stead, executive vice president of e-commerce at Frost Bank, based in San Antonio, Texas, with $28 billion in assets.

Many banks rely on vendors for their technology needs, but “if the user experience relies on the vendors that they’re working with, and those vendors have solutions that are not customizable, then it’s really hard for them to address the customer experience,” says Alex Jimenez, a consultant and formerly senior vice president of digital and payments innovation at $7.1 billion asset Rockland Trust Co., based in Rockland, Massachusetts.

According to a June 2015 poll of banks and credit unions conducted by Celent, more than one-third rely on the user experience supplied by the bank’s vendor for online banking, mobile and tablet applications, with minimal customization. Realizing the increasing importance of the online channel, Frost Bank decided to build its own online banking platform internally in 2000, and continues to manage its user experience in-house. The bank still works with vendors, but is picky when it comes to those relationships. “How can we integrate them seamlessly into our experience?” Stead says he asks of vendors.

Today, expectations are shaped by Apple and Amazon, companies that have done a great job of defining the consumer experience. While more innovative banks like BBVA and Capital One are making user experience a priority, many financial institutions don’t provide a cohesive digital experience, or let their website and mobile app lag behind consumer expectations.

“We can’t fall too much in love with what we have today,” says Stead. “Technology moves so fast.”

Getting Started With Third-Party Risk Management: Two Key Questions


Banks often outsource technology services to third-party vendors. In light of increased regulatory attention and third-party involvement in day-to-day business operations, many bank boards and senior management teams are considering their approach to developing a third-party risk management program. A thoughtful approach based on an initial assessment of the bank’s current state can result in better risk management and compliance that aren’t overly burdensome. Addressing two important questions will help begin the process of successfully launching an effective third-party risk management program.

Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many typically use low-tech storage facilities—like databases of scanned copies or even hard copies in file cabinets—from which data can’t be extracted. Such storage facilities rarely contain complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated. In such environments, contract terms and conditions don’t keep pace with changes to regulations and the business environment, and financial reporting and accounting concepts, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.

To address such drawbacks, banks should do a complete inventory of critical relationships to ensure that they have a complete inventory of current contracts. The contracts should meet current regulatory and business requirements, and data within the contracts should be metatagged, meaning tagged with coding in a web page so it can be found with a search engine. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.

How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless—from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the potential universe of third parties is never constant. Companies regularly are onboarding and terminating third parties and expanding or reducing third-party services. While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or Service Organization Control reports, for example) that support a risk assessment at the third-party relationship level, it is easy to lose sight of the entire population of third-party relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.

To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprise-wide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable or the population soon will become invalid. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk. The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments.

Moving Forward
As financial institutions work to effectively comply with the regulatory guidance and manage the risks associated with third-party relationships, creating a strategy and roadmap will help achieve compliance and avoid an overly burdensome process.

Six Tips to Safely Sell Add-On Products


Financial services executives face a tough dilemma these days.

Most Americans are satisfied with their primary bank and eager to learn about additional products, according to a 2012 study conducted by the Banking Administration Institute. And it’s no secret that selling add-on products is a great way to increase loyalty, retention and ultimately, revenue. But offering add-on products in today’s regulatory environment can be like trying to keep your balance on a high-wire. How do you sell these products without jeopardizing your relationships with federal regulators?

The key is to sell products that benefit consumers such as credit monitoring, payment protection plans, car rental insurance and identity theft protection. In fact, credit score reporting services and identity theft alerts have the highest growth and revenue potential, according to the 2013 Growth and Revenue Potential of Emerging Financial Services study. The Market Rates Insight study found that credit score reporting has a 71.4 percent potential growth rate, while identity theft alerts have a 70.8 percent potential growth rate.

In addition, some add-on products—like credit monitoring—are not only good for your business, but they’re also good for the economy. Credit monitoring helps educate consumers about their credit reports and scores so they can work toward achieving—or keeping—high scores. This, in turn, makes them better candidates for loans and lines of credit, which not only helps your institution but also helps the economy when these individuals buy cars, homes or start a business.

Regulators, however, not only look at the add-on products, but they also look at how organizations market and service these products. Therefore, organizations need to be honest and forthright during the entire lifecycle of the product.

Below are six best practices for a safe and effective way to market and service add-on products.

  1. Transparency Tops the List
    This is of the utmost importance, as regulators continue to crack down on credit card companies and banks that employ deceptive and unfair marketing practices. To avoid punitive damage, companies need to make sure their marketing materials accurately and precisely describe their products. Marketing materials should be written clearly and designed in an easy-to-read format.
  2. Tread Lightly with Employee Incentive Programs
    It’s okay to offer employee incentive programs to sell add-on products but make sure these programs follow appropriate guidelines. Employees need to realize that honesty trumps incentives or commissions every time and they need to be monitored to make sure they abide by this ethical standard.
  3. Stir Customer Care into the Mix
    Customer care scripts and manuals need to be as transparent and easy-to-understand as your marketing materials. Be sure to conduct quality assurance reviews on a regular basis to assess scripts and training materials to make sure they are fair to your customers. Organizations should also conduct real-time monitoring of calls to make sure their employees treat customers with respect.
  4. Cancellations Must Be Honored
    This is where some companies have gone awry. Cancellation requests should be handled in a manner that’s consistent with your product’s terms and conditions. Don’t mislead your consumers by advertising one thing and doing another. Cancellations should be handled with the same courtesy as enrollments.
  5. Keep a Watchful Eye on Affiliates
    Affiliates and third-party providers aren’t always accountable. After all, they may come and go, but your business is here to stay. If you hire third parties to handle marketing or other functions related to your add-on products, make sure they are held to the same standards as your in-house staff.
  6. Keep a Tight Lid on It
    In order to keep a tight lid on the lifecycle of your add-on products, you need a systematic program of controls, monitoring, auditing and documentation. By implementing a company-wide program you can ensure that everyone is on the same page and that you have documentation and controls in place for auditors and regulators.

Is It Worth It?
At a glance, implementing these measures may seem like a lot of work. But in reality, these measures should probably be implemented for your core products and services anyway, so including the add-ons shouldn’t be too demanding. Plus, the add-ons can add value to your products and help the economy at the same time. Taking care of consumers helps the economy, the longevity of your business, and it pleases regulators, so there is no reason not to do so.

For more information, visit www.experian.com/affinity.

Risks Surrounding New Products and Services and Third-Party Vendors


We advise our clients to read the speeches given by all of the bank regulators to get an early indication of what issues might be highlighted at their upcoming examinations, and to prepare accordingly. With the financial crisis hopefully in the rear view mirror, this year regulators seem to be emphasizing issues surrounding risk management. Of particular concern seems to be the establishment of new products and services and the oversight of third-party vendors, which are topics that both Rick Warren of Crowe Horwath LLP and I will discuss at the upcoming Bank Audit & Risk Committees Conference.

As banks explore new products and services to help improve their earnings, and as the number and complexity of their third-party relationships increase, regulators are becoming concerned that risk management is not keeping pace. In response, the OCC recently issued its “Third-Party Relationships” guidance and the Federal Reserve issued its “Guidance on Managing Outsourcing Risk.” These were in addition to the FDIC’s existing “Guidance for Managing Third-Party Risk” and the OCC’s 2004 guidance, “Risk Management of New, Expanded, or Modified Bank Products and Services.” Through these documents and others, the agencies are conveying their collective concern that new products and services and vendor relationships could significantly impact banks’ operational, compliance, reputation, strategic and credit risk profiles. Accordingly, directors and senior management should understand that there are now heightened expectations in those areas, and not just for the largest institutions.

General Requirements
To place this issue in proper context, the establishment of new products and services and monitoring of third-party vendors should be handled in a risk-based manner. A bank’s arrangement with its snow plow vendor will not require the same amount of scrutiny as its relationship with its core processor. Banks are expected to employ more comprehensive and rigorous oversight and management resources in those areas where there is significant risk of major customer impact, resource investment, or operational disruption.

New Products and Services
Regulators expect banks to engage in a rigorous and deliberative process when establishing new products and services. This process should involve all relevant stakeholders within the organization, including directors, and include the following elements:

  1. Due diligence. All risks associated with the new product or service should fit within the bank’s overall business strategy and risk profile.
  2. Risk management controls and processes. Policies, procedures, information and reporting systems, audit and compliance should all be adapted to the implementation of the product or service.
  3. Performance monitoring. Ongoing monitoring systems should be established to ensure that the product or service continually meets applicable expectations.

Third-Party Vendor Management
The regulatory agencies consistently discuss an effective third-party vendor risk management process involving a continuous cradle-to-grave “life cycle,” rather than a static analysis that is applied only at the inception of the relationship. This approach should include:

  1. Appropriate planning. Conduct a thorough cost-benefit analysis and assess the impact of the relationship throughout the bank’s operations.
  2. Due diligence and third-party selection. Ensure that the vendor has the requisite experience, reputation, financial capabilities and security systems.
  3. Contract negotiation. Imbed into contracts important provisions such as those relating to appropriate responsibilities, performance measures, indemnification, contingency plans and dispute resolution.
  4. Ongoing monitoring. Dedicate employees with sufficient experience and expertise to oversee and monitor the vendor, commensurate with the level of risk and complexity of the relationship.
  5. Termination. Plan to ensure that relationships terminate in an efficient and seamless manner, either through discontinuance or migration of the responsibilities to another provider or to the bank itself.
  6. Oversight and accountability. Commit appropriate oversight resources from the board level through senior management to employees who manage third-party relationships on a daily basis.
  7. Documentation and reporting. Create an effective system to inventory all third-party relationships and report findings appropriately throughout the bank.
  8. Independent review. Ensure that periodic reviews are conducted by internal auditors or an independent third party and that the results are reported directly to the board.

It has become clear over the last few months that examiners are increasingly asking more probing questions regarding new products and services and third-party vendor risk. Judging by the corrective and punitive enforcement actions being issued or threatened by regulators, banks should be prepared to give good answers to those questions, or risk serious consequences.