Third-Party Risk Management—Can the Banking Agencies Help?

REGULATORY INSIDER | BY BONITA G. JONES

THE RISK associated with the use of third-party service providers has not only been increasing, but regulator risk management expectations have applied a “full court press”. Over the last year, the federal banking agencies have issued new or updated guidance, including the OCC’s “Third-Party Relationships: Risk Management Guidance” (OCC Bulletin 2013-29) and the Federal Reserve’s “Guidance on Managing Outsourcing Risk” (Supervisory Letter SR 13-19). In addition, in February of this year, the FDIC released a revised compliance examination manual that, among other things, includes procedures expressly dedicated to identifying unfair, deceptive or abusive practices in third-party relationships (www.fdic.gov/regulations/compliance/manual/pdf/VII-4.1.pdf).

I think we get the message! And if we haven’t, the pain of our brethren institutions, subject to enforcement actions resulting from their third-party risk management weaknesses, serves as a reality check.

Quite frankly, driven by this guidance, bank enforcement actions essentially harm the institutions responsible for incurring, for instance, third-party security breaches. We are seeing the management of these relationships ramp up, and the realization from institutions that this will be ongoing, given risk trends.

As third-party (i.e. vendor) activities are more closely scrutinized, it is becoming increasingly apparent that sometimes banks may need a third party (forgive the pun) to help ensure corrective action is taken. Who is that third party? It may be a regulator or enforcement agency.

Why? We all know the challenge, either through our own experience or that of other institutions, where a third-party related service issue has been cited as a violation, internally or in conjunction with an examination. While banking institutions understand they are responsible for actions executed on their behalf, getting vendors to take the corrective action needed can be difficult and costly. This is the case particularly when the vendor service’s mission-critical functions are the only (or the major) game in town.

Agency guidance encourages institutions to utilize controls such as contracts and service level agreements (SLAs) to ensure corrective actions are taken. These controls can provide for endgame solutions, such as contract termination, in the event of noncompliance with the provisions. However, in practice, the endgame solution may be problematic. Industry feedback suggests that in such cases, banks feel like hostages, caught between the regulators, who want an end or modification to the activity that is violating law, and the vendor, who is reluctant to implement the action needed.

Can Regulators Help Banks Ensure Third-Party Service Providers Take Corrective Action?

Generally, a federal banking agency’s ability to influence the actions of a third-party service provider can be direct or indirect. We have referenced the indirect approach above, but let’s recap.

Indirect Approach

The indirect approach essentially promotes third-party compliance with the laws that govern the service they provide to banks, through the enforcement of those laws at the client institutions. The approach can pose challenges for institutions, as noted above; however, recent agency actions reinforce the use of the approach with evidence of third parties being held accountable for their role in noncompliant activities.

A recent example is the 2013 Department of Justice consent order and settlement with Union Auto Sales d/b/a Union Mitsubishi, an auto dealer cited along with Nara Bank (California) for discriminatory pricing patterns. Moreover, the 2014 joint release of the NADA Fair Credit Compliance Policy & Program template for auto dealers is an unprecedented fair lending initiative on the part of the National Automobile Dealers Association, the American International Automobile Dealers Association and the National Association of Minority Automobile Dealers. The associations’ actions respond to other similar allegations involving dealers, such as the recent DOJ auto lending settlement with Ally Financial, as well as banking agency policy communiques regarding auto lending disparities. Finally, agency policy updates, such as OCC Bulletin 2013-29, emphasize expectations that banks:

■ Expressly communicate the responsibilities of all parties when entering into third-party relationships, to ensure that third parties comply with the rules;
■ Monitor performance against those expectations, and ensure any issues identified are addressed; and
■ Hold the providers accountable, for instance, terminating the contract with third parties that do not meet expectations.

The guidance also indicates that when circumstances warrant, the OCC may use its authority to examine the functions or operations performed on the bank’s behalf by a third party, and will pursue appropriate corrective measures, includ-