Consumer Compliance Outlook: First Quarter 2011

Vendor Risk Management

By Anthony W. Ricks, Supervisory Examiner, and Timothy P. Stacy, Senior Examiner, Federal Reserve Bank of St. Louis

Financial institutions are increasingly relying on third-party vendors to perform vital functions. While beneficial in many ways, outsourcing presents various risks. This article discusses these risks and best practices to mitigate them. The article first reviews the types of services and arrangements a financial institution can obtain from a vendor and the risks presented, while the balance of the article discusses best practices for managing outsourcing arrangements.

VENDOR ARRANGEMENTS AND THE ASSOCIATED RISKS

Financial institutions frequently use third-party vendors to reduce costs, enhance performance, and obtain access to specific expertise.1 Examples include outsourcing audits, compliance reviews, disclosure preparation, data processing, and website development. Financial institutions also use third-party vendors to offer products directly to customers. It is important to emphasize, however, that while day-to-day management of a product or service can be transferred to a third party, ultimate responsibility for all compliance requirements cannot be delegated and remains with the financial institution. Thus, institutions should recognize that using vendors involves significant compliance risk.

The use of third-party vendors presents several other risks, the most prominent of which are legal, operational, and reputational.2

Legal Risk: The primary legal risk is that a vendor's operation does not comply with consumer protection laws and regulations. Because of the number of complex laws and regulations, the risk of noncompliance has increased significantly. Consequently, financial institutions should be especially vigilant in identifying, assessing, monitoring, and mitigating this risk. For example, in 2010 a regulator filed separate enforcement actions against three banks, charging them with violating the Federal Trade Commission Act by engaging in deceptive practices in connection with credit card offers for the transfer and payment of charged-off consumer debt. The banks retained third-party vendors to help administer and market the balance transfer offer programs. The enforcement actions contained specific provisions requiring close oversight of third parties. Each bank was ordered to pay restitution and/or a civil money penalty, which collectively totaled over $4 million.

Another legal risk involves legally binding contracts of a fixed duration. If business needs change because of intervening events, “there is a risk that financial institutions may be locked into agreements that reflect outdated business realities. The contractual basis of outsourcing coupled with this intrinsic business uncertainty contributes to legal risk.”3

Reputational Risk: A vendor's noncompliance with consumer laws and regulations creates reputational risk for a financial institution, including the possibility of a public enforcement action by the institution's regulators, class action lawsuits, and negative publicity.

Operational Risk: This is the risk that a vendor's operational system does not perform properly and negatively affects customers. For example, if a financial institution retains a vendor to determine if the institution's loans secured by a building or a mobile home are located in a special flood hazard area for purposes of complying with the flood insurance requirements of Regulation H, and the vendor fails to regularly update its database of special flood hazard areas, the institution could be cited by its regulator and subject to civil money penalties if this results in violations of Regulation H.

RISK MITIGATION

Financial institutions that outsource a service or product must adopt appropriate controls, policies and procedures, and oversight to mitigate outsourcing risks effectively. Institutions should focus on five key areas for effective risk mitigation: vendor selection, vendor contract, vendor management and monitoring, human resource management, and contingency planning.4

Vendor Selection

Conducting proper due diligence in selecting a vendor is a critical aspect of vendor risk management. Important due diligence steps include:

Some financial institutions prefer to use other financial institutions for outsourcing because they are already familiar with the business. Regardless, financial institutions should ensure that qualified vendors are chosen after the appropriate level of due diligence is conducted.

Vendor Contract

The contract between the financial institution and the vendor is another key factor in mitigating risk because it dictates legally binding terms and conditions. Financial institutions should engage experienced counsel to ensure that its interests are protected and potential contingencies are considered, such as the potential effect of regulatory changes on the vendor's obligations and performance. The contract should also articulate the mutual expectations of both parties. Articulating expectations in the contract is important because if expectations are not adequately communicated and problems arise, each side will typically blame the other.

Some of the issues to be addressed in the contract include: 5

Given their significance and length, outsourcing contracts must be drafted carefully. “[E]rrors or poor execution can have major implications by locking an institution into a contractual relationship that does not meet [its] needs.”6

Vendor Management and Monitoring

After the vendor has been selected and the contract signed, it is important to manage and monitor the relationship. Senior management should be involved in approving policies and procedures to monitor the vendor's performance and activities. Performance monitoring controls include:

Human Resources Management

A financial institution's decision to outsource certain functions can create operational risk because of the effect of the announcement on the institution's staff whose job functions will be affected: “These concerns impact staff in both the affected and unaffected business units and are, at the very least, a distraction that may result in errors and productivity losses. More seriously, they can wound employee morale and lead to loss of desirable or key employees. In extreme cases, institutions fear misconduct or retaliatory behavior.”7

To mitigate this risk, the Human Resources Department should be consulted early in the process to ensure that appropriate outreach is made to affected employees. In addition, the vendor contract should specifically address whether the vendor is required to hire staff whose job functions are being outsourced and if so their compensation and term of employment. Timely communications are very important so that staff are kept apprised and their concerns addressed. In addition, if the financial institution does not want to transfer staff, it has to adopt contingency plans in the event its staff members are recruited by the third-party vendor.

Contingency Planning

While outsourcing can be beneficial, it creates the risk that a vendor's operations can be disrupted and might affect the financial institution for the services the vendor provides. To mitigate this risk, financial institutions must ensure that the vendor has a prudent business recovery plan in place that is reviewed on an ongoing basis.

A contingency plan must be established to address the risk that the vendor may not perform satisfactorily: “In the face of unsatisfactory responsiveness, an institution's options include changing service providers, returning the activity to the institution, or sometimes even exiting the business.”8 These options are costly and problematic and are usually taken only as a last measure after the institution has first made reasonable efforts to resolve the issues with the vendor.

Another mitigant against the risk of unsatisfactory performance is to start the vendor with a small contract to test its performance before outsourcing the entire function. If the vendor performs satisfactorily during the test period, the contract can be expanded to outsource the entire function.

CONCLUSION

When an institution outsources a function subject to consumer compliance requirements, the ultimate responsibility for compliance cannot be delegated and remains with the institution. While vendor arrangements can provide valuable benefits to a financial institution, they require an active role to manage risk and achieve success. It starts with selecting a good vendor whose skills and competencies match up well with the bank's needs. Financial institutions must exercise due diligence throughout the vendor-selection process. Signing a contract with a vendor is not the end of the process but the point at which risk mitigation begins. Specific issues and questions about consumer compliance matters should be raised with the appropriate contact at your Reserve Bank or with your primary regulator.