Stricter standards and increased scrutiny by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB), as well as the Federal Deposit Insurance Corporation (FDIC) and the Federal Financial Institutions Examination Council (FFIEC), mean financial institutions now have the same responsibilities for in-house and out-of-house services.
For many banks and non-banks, this will mean reevaluating vendor relationships and instituting increased safeguards and oversight to meet these new, stricter standards.
In short, many of the same risk management practices used for internal operations will have to be applied to vendor relationships and operations. Even if customers choose their own vendors for various services, such as real estate settlements, the CFPB says that the lender is still responsible.
CFPB Bulletin 2012-03 and OCC Bulletin 2013-29 include a number of regulations that cover every aspect of the relationship between banks and third-party vendors, including:
While the regulations don’t spell out specific requirements in each area, such as what sort of due diligence a bank should do, they make it clear that banks must oversee and control every operation that can affect a customer. To ensure that vendors comply with the regulations, we recommend that financial institutions follow these steps:
Many of these actions should be spelled out in the contract between the bank and a vendor. These guidelines can help ensure third parties are compliant with the new regulations.
First, contracts with vendors should specify the nature and scope of the business arrangement and operations; the frequency, content, and format of the service, product, or function the vendor will provide; where and how the services will be performed; and the use of the bank’s information, facilities, personnel, systems, and equipment, as well as access to and use of the bank’s or customers’ information.
Contracts should also include how the vendor will safeguard customer information, and include clear performance objectives, as well as rewards or penalties for meeting or not meeting those objectives, if applicable. Banks should have the written right to audit and monitor the vendor, and require the vendor to provide remediation when issues are identified. Audit reports also should include a review of the third party’s risk management and internal control as well as disaster recovery and business continuity plans.
One area, however, has not been settled: whether a bank is responsible if one of its vendors uses an outside firm for some of its operations. The current consensus is that these “twice removed” operations are not a bank’s responsibility, but that issue is still an open question.
Certain non-bank service providers are now experiencing a much higher level of scrutiny from both the banks they engage with and regulatory bodies, most notably the CFPB. Service providers that partner with banking organizations now fall under the CFPB regulations, either directly or indirectly because of their relationships with banks. Accordingly, these companies must be compliant with CFPB standards and guidelines and provide assurance to their bank counterparties of such compliance. The most affected service providers include:
The penalties for third-party violations of OCC and CFPB rules can be severe.
With the OCC and CFPB indicating that banks and other financial institutions will be facing increased scrutiny by auditors, the stakes have never been higher for third-party vendors and the institutions that use them.
An outside firm can provide an unbiased perspective to help banks implement guidelines for due diligence, as well as ongoing monitoring and oversight. With an understanding of compliant risk management and disaster recovery strategies, mock audits can be performed to uncover issues before an agency audit or examination.
Any third party, especially one that provides services that affect consumers, exposes a bank or other financial institution to additional regulatory risk. Just as a bank must ensure that its own operations comply with OCC, CFPB, and other regulations, it now must ensure that its vendors meet these same standards.
For more information on this topic, or to learn how Baker Tilly financial services industry specialists can help, contact our team.