April 7, 2014
Authored by: Bryan Cave Leighton Paisner
Both Banks and Their Vendors Must Pay Attention
First there was the bulletin about third-party vendors issued by the Consumer Financial Protection Bureau (CFPB) in April 2012. Then it was the FFIEC’s guidance on IT service providers in October 2012. Next came the FDIC’s September 2013 Financial Institution Letter about payment-processing relationships with high-risk merchants. Then there was the news on October 30, 2013 about the OCC’s guidance on third-party relationships, followed shortly by the Federal Reserve Board’s guidance on managing outsourcing risks in December 2013.
Let’s face it. There has always been guidance and concern about banks and their relationships with third-party service providers. But in recent years it has become quite obvious that the bar has been raised on how banks relate to their third-party processors, program managers, and other service providers. These changes have occurred over time, by a matter of degrees. But it is increasingly plain that we are seeing a significant sea change in how regulators approach the relationships between banks and their third-party vendors. Examiners are digging deeper — especially into the content of bank contracts — and the scope of review is extending to more and more vendors.
In recent months, public commentary from some of the regulators has revealed even more clearly how this recent guidance will impact banks and their vendors. In this article we will describe the regulatory developments and provide some practical guidance as to what this will mean — not only for banks, but for their processors and other service providers. (A print-friendly version is also available.)
Recent Regulatory Developments
Banks and other financial institutions have always been expected to choose their vendors carefully and to monitor the performance of those vendors. Most institutions have done a reasonably good job in this regard. However, recent regulatory publications and the focus of recent regulatory examinations and enforcement actions indicate that the standards and expectations are now much higher.
The CFPB issued a bulletin on April 13, 2012 regarding the use of service providers, accompanied by a press release stating, “CFPB to Hold Financial Institutions and their Service Providers Accountable.” This bulletin, CFPB Bulletin 2012-03 (the CFPB Bulletin), states that the CFPB “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” (emphasis added).
A Financial Institution Letter issued by the FDIC on September 27, 2013 focused on banks that facilitate payment-processing services, either directly OR through a third party, for merchant customers engaged in “higher-risk activities.” Again the regulators indicated that banks are expected not only to perform proper risk assessments and conduct due diligence, but they are expected to determine whether the “merchant customers are operating in accordance with applicable law.” That’s a significant responsibility, difficult to achieve, especially when there is a third party involved.
On October 30, 2013, the Office of the Comptroller of the Currency (OCC) published Risk Management Guidance regarding third-party relationships, OCC Bulletin 2013-29 (the OCC Bulletin). The OCC Bulletin is broader in scope than the CFPB Bulletin in that it does not focus only on consumer protection but instead refers to all “third-party relationships involving critical activities,” a concept we address further below. Following suit, the Federal Reserve (FRB) issued its guidance in December 2013 that almost echoed the OCC Bulletin point-for-point.
The CFPB Bulletin applies to “supervised banks and nonbanks.” CFPB-supervised banks are all banking institutions and their affiliates with total assets exceeding $10 billion. CFPB-supervised nonbanks are certain nonbank businesses, regardless of size, that do business in the following markets: mortgage companies (originators, brokers, and servicers, and loan modification or foreclosure-relief services); payday lenders; and private education lenders. The CFPB also supervises all nonbanks that are “larger participants” with respect to other consumer financial products or services as determined by the CFPB. The “service providers” of concern are those that provide a material service to a covered institution in connection with the offering or providing of a consumer financial product or service.
According to the CFPB Bulletin, the CFPB expects all of its supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships. It is very important to note that the CFPB intends to apply these standards even if the supervised bank or nonbank does not have a direct relationship with the service provider. This would seem to mean that a bank or nonbank is responsible for its vendor’s service providers if those service providers perform a material service relating to the bank’s or nonbank’s consumer products or services. Similarly, the OCC and FRB expect a bank’s contract with its third-party vendors to address the third party’s use of subcontractors and the responsibilities for and monitoring of those subcontractors.
Other than the fact that the CFPB focuses on consumer products and services and the OCC and FRB approach vendor risk management more broadly, the Bulletins issued by the three regulators show some similar regulatory expectations, including:
- Thorough due diligence of the service provider, which the OCC notes could call for on-site visits depending on the risks of the relationship;
- Clear contractual expectations for the service provider, including enforceable consequences for violating contractual requirements (see more below); and
- Establishment and maintenance of internal controls and ongoing monitoring of the service provider.
Bank Board and Management Requirements
The OCC and FRB Bulletins are quite detailed and include significantly more strongly stated expectations of the bank’s board and management. In fact, the OCC stated that “a bank’s failure to have an effective third-party risk management process…may be an unsafe and unsound banking practice.” For example, under the OCC’s guidance, a supervised bank’s board of directors has the following specific responsibilities:
- Ensure an effective process is in place to manage risks related to third-party relationships in a manner consistent with the bank’s strategic goals, organizational objectives, and risk appetite.
- Approve the bank’s risk-based policies that govern the third-party risk management process and identify critical activities.
- Review and approve management’s plans for using third parties that involve critical activities.
- Review summary of due diligence results and management’s recommendations to use third parties that involve critical activities.
- Approve contracts with third parties that involve critical activities.
- Review the results of management’s ongoing monitoring of third-party relationships involving critical activities.
- Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
- Review results of periodic independent reviews of the bank’s third-party risk management process.
The OCC Bulletin also includes a comprehensive list of issues that the OCC will expect to be addressed in each institution’s contracts with its third-party vendors. If your company provides services to a bank, you should not be surprised when the bank demands these contractual provisions, even if it was never required before. Matters that the OCC will expect banks to include in their contracts include:
Nature and Scope of Arrangement
Contracts for complicated or highly technical services have not always included the detail that is now expected. Future contracts would need to be more clear on such issues as the specific nature and scope of the arrangement; the frequency, content, and format of the service, product or function to be provided; where the services are to be performed; and the use of the bank’s information, facilities, personnel, systems and equipment, as well as access to and use of the bank’s or customers’ information.
Performance Measures or Benchmarks
Contracts should specify clear and verifiable performance measures. The Bulletin notes that such measures can be used to motivate the third party’s performance, penalize poor performance, or reward outstanding performance.
Responsibilities for Providing, Receiving, and Retaining Information
Ensure that the contract requires the third party to provide and retain timely, accurate, and comprehensive information such as records and reports that allow bank management to monitor performance, service levels, and risks. The contract also should stipulate the frequency and type of reports required, including, for example, performance reports, control audits, financial statements, security reports, BSA/AML and Office of Foreign Asset Control (OFAC) compliance responsibilities and reports for monitoring potential suspicious activity, reports for monitoring customer complaint activity, and business resumption testing reports.
In addition, the contract should address the responsibilities and reports regarding such matters as catastrophic events, data loss, service or systems interruptions, significant changes to the vendor’s systems or key personnel, and significant business changes such as result from changes in ownership, among other things.
The Right to Audit and Require Remediation
The contract should ensure that the bank has a right to audit, monitor performance, and require remediation when issues are identified. For certain types of services, such as technology services, the audits should specifically address applicable technology and security standards. Audit reports also should include a review of the third party’s risk management and internal control environment as it relates to the activities involved and of the third party’s information security program and disaster recovery and business continuity plans.
Responsibility for Compliance with Applicable Laws and Regulations
Ensure the contract addresses compliance with the specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved and clearly specifies the parties’ respective obligations for such compliance.
Costs and Compensation
Be very clear on all aspects of costs and compensation, including which party is responsible for costs of systems changes necessitated by changes in laws or other circumstances and costs for audits and similar requirements.
Ownership and License
Be sure to clearly address each party’s rights to use the information, technology, and intellectual property of the other, and include appropriate warranties on the part of the third party related to its acquisition of licenses for use of any intellectual property developed by other third parties. If the bank purchases software, establish escrow agreements to provide for the bank’s access to source codes and programs under certain conditions (e.g., insolvency of the third party).
Confidentiality and Integrity
Prohibit the third party and its subcontractors from using or disclosing the bank’s information, except as necessary to provide the contracted activities or comply with legal requirements. If the third party receives bank customers’ personally identifiable information, the contract should ensure that the third party implements and maintains appropriate security measures to comply with privacy regulations and regulatory guidelines.
Business Resumption and Contingency Plans
Ensure the contract provides for continuation of the business function in the event of problems affecting the third party’s operations, including degradations or interruptions resulting from natural disasters, human error, or intentional attacks. The contract also should require the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements and, when appropriate, regulatory requirements.
Carefully assess indemnification clauses that require the bank to hold the third party harmless from liability.
Require the third party to maintain adequate insurance, notify the bank of material changes to coverage, and provide evidence of coverage where appropriate.
Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the bank and the third party in an expeditious manner, and whether the third party should continue to provide activities to the bank during the dispute resolution period.
Limits on Liability
Determine whether the contract limits the third party’s liability and whether the proposed limit is in proportion to the amount of loss the bank might experience due to the third party’s failure to perform or to comply with applicable laws. While not specifically stated in the OCC Bulletin, we suggest caution in agreeing to terms that cap liability based on the amount of fees paid.
Default and Termination
Of course, every contract should be clear on what constitutes an event of default, the remedies for such default, and the consequences of termination of the contract. The OCC Bulletin also states that the bank should determine whether the contract includes a provision that enables the bank to terminate the contract, upon reasonable notice and without penalty, in the event that the OCC formally directs the bank to terminate the relationship.
Specify whether the bank or third party is responsible for responding to customer complaints, how complaints are handled, and how complaint information is provided to the bank.
If the vendor will be allowed to use subcontractors, specify the activities that can or cannot be subcontracted, address the third party’s liability for activities or actions by its subcontractors, and which party is responsible for the costs and resources required for any additional monitoring and management of the subcontractors. Reserve the right to terminate the contract without penalty if the third party’s subcontracting arrangements do not comply with the terms of the contract.
Foreign-Based Third Parties
If your vendor is based in a foreign country, be sure to address choice-of-law and jurisdictional matters.
If your bank is not very familiar with the laws of the foreign country, seek appropriate legal guidance before entering into the contract.
All contracts with service providers should provide for federal bank regulator access to the service provider, including access to all work papers, drafts, and other materials. The OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself on its own premises.
Practical Advice and Next Steps
We have had the opportunity to share concerns with and ask questions of OCC staff in Washington, D.C., on a number of occasions. In those conversations, the OCC staff repeatedly suggested that regulatory expectations of banks have not actually changed from the past. However, at the same time the staff acknowledged that their focus will be on contractual relationships between banks and their third-party vendors, including contracts entered into prior to the OCC Bulletin. If the concerns stated are not dealt with in such contracts to the standards expressed in the recent OCC and FRB Bulletins, some institutions might be facing harsh examinations when these existing arrangements are reviewed.
In that regard, the OCC noted that each bank should do the following:
- First, prioritize its review of existing third-party relationships, focusing on those involving critical activities.
- Second, review each contract to ensure that the critical terms described above are addressed, including:
- clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
- rights to audit the vendor, at reasonable times and with reasonable frequency, for compliance with the contract and compliance-related responsibilities; and
- rights to terminate such contract for material violations.
- Third, amend or update any contracts that fall short of these standards.
- Finally, for those contracts that cannot be re-negotiated or amended, a bank will need to “step up its risk management game internally” — that is to say, until such time that necessary contractual protections can be added, the bank will need to increase monitoring and other oversight activities to address the higher risk.
As noted above, the OCC Bulletin purports to focus on third-party relationships involving “critical activities.” What this might mean in practice is anybody’s guess and the OCC’s judgment will ultimately control, but the OCC Bulletin itself states that critical activities include:
“significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that
- could cause a bank to face significant risk if the third party fails to meet expectations.
- could have significant customer impacts.
- require significant investment in resources to implement the third-party relationship and manage the risk.
- could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.”
With this broad definition, if a bank is ultimately embarrassed or criticized by customers or the media for activities performed by a third party, virtually any activity that previously seemed non-critical could, in hindsight, later be deemed to have been “critical.” In the meantime, banks have few options but to comply with these extraordinarily high standards with respect to third-party processors, service providers, and vendors.