It’s no longer enough for banks and other financial institutions to simply have good working relationships with the third parties that provide IT and other services.

Stricter standards and increased scrutiny by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB), as well as the Federal Deposit Insurance Corporation (FDIC) and the Federal Financial Institutions Examination Council (FFIEC), mean financial institutions now have the same responsibilities for in-house and out-of-house services.

For many banks and non-banks, this will mean reevaluating vendor relationships and instituting increased safeguards and oversight to meet these new, stricter standards.

In short, many of the same risk management practices used for internal operations will have to be applied to vendor relationships and operations. Even if customers choose their own vendors for various services, such as real estate settlements, the CFPB says that the lender is still responsible.

Highlights of the standards

CFPB Bulletin 2012-03 and OCC Bulletin 2013-29 set out supervisory expectations that cover every aspect of the relationship between banks and third-party vendors, including:

  • Due diligence
  • Internal policies and procedures
  • Contracting for compliance
  • Internal controls and oversight
  • Addressing compliance issues
  • Risk management and disaster recovery

While the guidance does not spell out specific requirements in each area, such as what sort of due diligence a bank should do, it makes clear that banks must oversee and control every outsourced operation that can affect a customer. To ensure that vendors meet these expectations, we recommend that financial institutions follow these steps:

  • Perform due diligence before selecting a vendor (including an objective, in-depth assessment, commensurate with the risk and complexity of the activities) of the provider’s ability to perform in a safe and sound manner
  • Review each service provider’s policies, procedures, internal controls, and training materials
  • Establish internal controls, including procedures for ongoing monitoring and reporting
  • Establish contracts that provide clear expectations of compliance and consequences for noncompliance
  • Take prompt action to address any compliance problems or issues
  • Mutually design risk management and disaster recovery strategies with each vendor to ensure that critical operations continue uninterrupted during a man-made or natural disaster, including security breaches
  • Document all policies, procedures, and interactions with third-party vendors

The key is the contract

Many of these actions should be spelled out in the contract between the bank and a vendor. These guidelines can help ensure third parties are compliant with the new regulations.

First, contracts with vendors should specify the nature and scope of the business arrangement and operations; the frequency, content, and format of the service, product, or function the vendor will provide; where and how the services will be performed; and the use of the bank’s information, facilities, personnel, systems, and equipment, as well as access to and use of the bank’s or customers’ information.

Contracts should also state how the vendor will safeguard customer information, including the obligation to notify the bank promptly of any security breach involving the bank’s or its customers’ data, and should include clear performance objectives, with rewards or penalties for meeting or missing those objectives where applicable. Banks should have the written right to audit and monitor the vendor, and should require the vendor to remediate issues that are identified. Audit reports should also cover the third party’s risk management and internal controls as well as its disaster recovery and business continuity plans.

One area, however, has not been settled: how far a bank’s responsibility extends when one of its vendors uses an outside firm (a subcontractor) for some of its operations. The current consensus is that these “twice removed” operations are not a bank’s direct responsibility, but the issue remains an open question. At a minimum, contracts should require the vendor to notify the bank before subcontracting work that touches bank or customer data, and should give the bank the right to object or terminate if the subcontracting arrangement does not meet the same standards.

Non-bank service providers now under increased scrutiny

Certain non-bank service providers are now experiencing a much higher level of scrutiny from both the banks they engage with and regulatory bodies, most notably the CFPB. Service providers that partner with banking organizations now fall within the CFPB’s reach, either directly or indirectly through their relationships with banks. Accordingly, these companies must comply with CFPB standards and guidelines and provide assurance of that compliance to their bank counterparties. The most affected service providers include:

  • Debt collection agencies
  • Non-bank consumer credit servicers
  • Auto dealerships

Penalties for noncompliance

The penalties for third-party violations of OCC and CFPB rules can be severe.

  • A major bank used a vendor to offer identity protection products to customers, and that vendor was found to have violated consumer protection statutes enforced by the CFPB and the FTC. The bank entered a consent order that required improved oversight of its vendors, as well as $618 million in restitution and $80 million in civil penalties.
  • Another financial institution outsourced its telemarketing, and violations by its vendor cost the bank restitution and $14 million in civil penalties.
  • A credit card company used two vendors who were found to have violated several acts in separate incidents, costing the company $144.5 million in restitution and $43.7 million in civil penalties.

With the OCC and CFPB signaling that banks and other financial institutions will face increased scrutiny from examiners, the stakes have never been higher for third-party vendors and the institutions that use them.

Ensuring vendor management

An outside firm can provide an unbiased perspective to help banks implement guidelines for due diligence, as well as ongoing monitoring and oversight. With an understanding of compliant risk management and disaster recovery strategies, mock audits can be performed to uncover issues before an agency audit or examination.

Any third party, especially one that provides services that affect consumers, exposes a bank or other financial institution to additional regulatory risk. Just as a bank must ensure that its own operations comply with OCC, CFPB, and other regulations, it now must ensure that its vendors meet these same standards.

For more information on this topic, or to learn how Baker Tilly financial services industry specialists can help, contact our team.

© 2024 Baker Tilly US, LLP
