Vendor Risk Management — Compliance Considerations
On May 2, 2012, the Federal Reserve System hosted an Outlook Live webinar titled Vendor Risk Management — Compliance Considerations.1 The speakers addressed a number of compliance-related risks associated with using third-party service providers. This article reinforces the best practices discussed during the webinar and reviews the risks of using third-party vendors.
QUESTIONS ABOUT THIRD PARTIES
What Are Common Types of Third-Party Relationships?
Some common third-party relationships include:
- Third-party product providers such as mortgage brokers, auto dealers, and credit card providers;
- Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activities;
- Disclosure preparers, such as disclosure preparation software and third-party documentation preparers;
- Technology providers such as software vendors and website developers; and
- Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities.
What Are the Risks of Using Vendors?
Third parties present a broad range of risks, including:
- Compliance risks such as violations of laws, rules, or regulations or noncompliance with policies or procedures;
- Reputation risks such as dissatisfied customers or violations of laws or regulations that lead to public enforcement actions;
- Operational risks such as losses from failed processes or systems or losses of data that result in privacy issues;
- Transaction risks such as problems with service or delivery; and
- Credit risks such as the inability of a third party to meet its contractual obligations.
These risks are heightened when a vendor operates directly between the bank and its customers. Vendors may be heavily involved in delivering products and services to an institution’s customers, but their actions or activities may not be adequately monitored. These risks have been manifested most significantly through deceptive vendor marketing, credit discrimination, data loss leading to privacy issues, and unfair or deceptive acts or practices (UDAP).
While vendors often provide value through their expertise and experience, the bank’s board and senior management are ultimately responsible for all aspects of the bank’s operations, including products and services provided by vendors. Accordingly, effective risk management is required to mitigate the risks associated with the loss of control and close oversight that often occurs with a vendor relationship. A good rule of thumb is to oversee vendors as you would any other department in your bank, regardless of the vendor’s reputation or apparent ability to comply with consumer protection laws and regulations.
PRACTICES THAT INCREASE THE RISK OF VIOLATIONS
Vendor risk management problems often involve one or more of the following issues:
- Overreliance on third-party vendors. A common root cause of vendor problems is the overreliance, and sometimes complete reliance, on a third-party vendor. Third parties can provide staffing and expertise but do not assume ultimate responsibility for compliance violations involving products or services offered by an institution.
- Failure to train new staff or retain knowledgeable staff. Institutions may believe they can avoid hiring, retaining, or training staff because of a vendor’s expertise. Although an institution may be leveraging a third party’s expertise, staff at the institution must be knowledgeable about vendor activities and the compliance requirements for that activity to facilitate monitoring. Specifically, proper staffing or specialized training for existing personnel may be required. Similarly, banks should consider evaluating activity at the vendor’s location to ensure that risks are understood and that staff has sufficient knowledge of vendor processes and controls.
- Failure to adequately monitor the vendor. Ongoing monitoring is necessary to ensure compliance and to prevent potentially costly regulatory violations.
- Failure to set clear expectations. An institution must ensure that the information provided to third-party vendors is complete and accurate and that expectations for vendor performance are communicated clearly and included in the contract with the vendor. Vendor contracts should also include detailed consumer protection requirements to ensure that the vendor is aware of the applicable requirements.
EXAMPLES OF VENDOR RISK MANAGEMENT COMPLIANCE ISSUES
An institution’s failure to maintain a strong vendor management program presents significant risks. Here are some examples noted during recent examinations.
Flood Insurance Monitoring
Banks often use vendors to ensure that all loans secured by properties located in special flood hazard areas have adequate flood insurance, that all insurance amounts are correct for the specific property covered, and that appropriate insurance coverage remains in effect during the life of such loans. A vendor’s error in calculating the amount of insurance required can result in significant flood insurance violations involving multiple properties and civil money penalties (CMPs). Under the Biggert-Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act),2 which was signed into law on July 6, 2012, CMPs against regulated lending institutions with a “pattern or practice” of violating certain flood insurance requirements were increased from $385 to $2,000 for each violation. In addition, the Biggert-Waters Act removed the $135,000 statutory cap on the amount of CMPs that may be assessed against an individual financial institution in a single calendar year. This change was effective on July 6, 2012.3
Loan Modifications
Given the complexity of loan modifications, vendors are often used to process loan modification requests under the Home Affordable Modification Program (HAMP). Vendors sometimes fail to process HAMP requests in accordance with their agreements with the bank. In other cases, vendors delay the processing of loan modifications by sending borrowers duplicate document requests, causing hardships for the borrowers. If bank management is not monitoring a vendor’s activity, it will not be aware of problems that may be occurring with the vendor.
The failure to monitor vendors has resulted in significant examination findings, including concerns that borrowers were treated unfairly by the vendor. In one case, bank management was required to conduct a file search and offer borrowers whose request had been incorrectly handled by the vendor the option of re-applying for a loan modification. The bank had to absorb the costs associated with the new application and make significant changes to its compliance program.
Credit Card Administration
Some banks hire vendors to administer and market credit card programs. In one case, a vendor was marketing a balance transfer credit card program as a way for bank customers to obtain a new credit card while paying down the balance on an existing one. However, the vendor did not properly disclose all of the fees connected to the product. Bank management was not monitoring or reviewing the vendor’s activities and did not identify the errors.
This action by the vendor ultimately resulted in a finding of deceptive marketing practices based, in part, on the vendor’s failure to correctly disclose fees. Violations of Regulation Z’s credit card requirements were also identified. In short, customers did not have all the information they needed about the product to make an informed decision and did not learn about certain features until after they had been assessed nonrefundable fees. Bank management assumed that the vendor was responsible for compliance because the vendor made the credit decisions and owned the credit card receivables. However, the bank’s name was on the credit cards, and under the agreement between the parties, the bank was deemed a creditor in the transaction. The bank was therefore accountable for the compliance violations, not to mention the reputation risk of having its name associated with a deceptive practice. It is also noteworthy that the Consumer Financial Protection Bureau undertook three enforcement actions against three major credit card issuers this year, all of which involved compliance issues with vendors hired by the card issuers. The enforcement orders contained specific provisions requiring the issuers to change their compliance management systems concerning oversight of vendors.4
Disclosure Software
Many banks use vendor software to generate consumer disclosures for various loan and deposit products. After amendments to disclosure regulations in the last several years, some vendors failed to update their software, resulting in various errors on disclosure forms. Problems of this nature occur when bank management relies solely on the vendor without conducting its own independent review of disclosure requirements to ensure that the required changes are implemented.
Revenue Enhancements
Examiners are increasingly seeing cases in which third parties offer “revenue enhancement” services. While these services may appear desirable, bank management should always conduct due diligence with every vendor prior to entering into a third-party relationship, develop a risk assessment of the proposed vendor processes, and understand the vendor activities. Bank management must fully consider the compliance implications associated with these new products and services. In addition to complying with the technical requirements of existing rules, bankers should be particularly mindful of the possibility of UDAP issues related to vendor products. Generally speaking, management should ensure that marketing materials and disclosures are accurate and provide information necessary for the customer to make an informed decision about the product or service and that there are viable options available to the consumer.
BEST PRACTICES
Several best practices can reduce the risk of violations from vendor relationships. These include:
- Due diligence. Before selecting a vendor, bankers should conduct due diligence, which includes obtaining references, particularly from other financial institutions. In addition, the vendor’s audited financial statements should be reviewed. Also, ensuring that the vendor has data back-up systems, continuity and contingency plans, and proper management information systems is also an important step. Finally, researching the background, qualifications, and reputations of the vendor’s principals and the vendor’s overall reputation, including lawsuits filed against it, should be part of the due diligence.
- Risk assessment. A detailed risk assessment should be developed based on the initial due diligence review. It should be provided to senior management and the board of directors prior to engaging in a new activity. The risk assessment should identify all categories of potential risk faced by a vendor’s activity, including compliance, reputational, operational, credit, and transaction risks. It should also identify all applicable consumer laws and regulations to ensure compliance.
- Clear contractual expectations. Contract provisions should be based on identified risks, contain expectations for complying with applicable consumer protection laws and regulations, and contain the right to request information that demonstrates compliance, such as audit and monitoring reports. Important provisions that a vendor contract should address include but are not limited to:
- the scope of outsourced services;
- the procedures the vendor must follow;
- the bank’s service-level expectations;
- the bank’s approval of a vendor’s use of subcontractors;
- the bank’s right to conduct audits or request third-party reviews;
- the confidentiality of data;
- the vendor’s warranties, liability, and disclaimers;
- dispute resolution mechanisms;
- default and termination provisions; and
- customer complaints and responsibility for responses.
- Comprehensive monitoring program. Risk-based monitoring derived from the risk assessment developed during due diligence is very important. The frequency and type of monitoring should be documented for each vendor. To conduct proper monitoring, staff must be trained and familiar with the vendor to ensure that they fully understand the risks and can conduct thorough monitoring. Monitoring of vendor performance should incorporate a review and tracking of consumer complaints related to the vendor’s activities. Complaints are an excellent indicator of problems with a vendor. Finally, the risk assessment should be periodically updated based on the results of the vendor monitoring.
- Board oversight. Keeping the board of directors properly informed about the vendor management program is key to ensuring that they can provide proper oversight and that the bank’s management process addresses the risks inherent in third-party relationships. The board should review the vendor management policy, due diligence reports, risk assessments, and monitoring results.
CONCLUSION
Vendors provide value in the expertise and experience they offer; however, financial institutions must still maintain active oversight. It is important to remember that when a vendor performs a service or function, the institution bears ultimate responsibility for compliance. Because varying levels of risk remain with the institution that offers the product or service, a strong vendor risk management program is key to maintaining compliance and avoiding claims of improper treatment of bank customers. With good vendor management, banks can minimize the risk of less direct oversight or control and maximize the benefits gained through a well-managed vendor relationship. Specific issues about vendor risk management should be raised with your primary regulator.
- 1 The webinar has been archived and is available for replay.
- 2 Pub. L. 112-141, Div. F, Tit. II, Subtit. A.
- 3 Outlook summarized the Biggert-Waters Act in the Third Quarter 2012 issue. The act was also discussed during the December 4, 2012 Outlook Live webinar “Consumer Compliance Hot Topics — 2012 Year in Review.”
- 4 http://tinyurl.com/cfpb-EO1, pp. 22-23; http://tinyurl.com/cfpb-EO2, pp. 17-19; http://tinyurl.com/CFPB-Enf3, pp. 13-14.