Stepping Up Your Game on Third Party Vendor Review
Shumaker Williams, P.C. Financial Services Practice Group
By Paul A. Adams*
The Office of the Comptroller of the Currency (“OCC”) recently published two bulletins, OCC 2013-33 and OCC 2013-39, on risk management of third party vendors. The first is general guidance for assessing and managing the risks associated with third party relationships and replaces the OCC’s former guidance issued in 2001; the second covers third party consultants hired by depository institutions that have been designated as being in “troubled condition.” The Board of Governors of the Federal Reserve (“FED”) also released Guidance SR 13-19 on December 5, 2013, applicable to state member banks.
The OCC’s broad-based guidance follows a familiar regulatory theme: a supervised depository institution must identify its risks and manage them effectively by adopting written policies, and those policies must include a robust monitoring component that runs through the entire life cycle of the relationship. The process starts with a written policy that scales the review and monitoring procedures to the level of risk and complexity of each third party relationship. The Bulletin expressly notes that it applies to community banks with third party relationships. It also includes a three-page appendix listing previous publications that set requirements for specific types of third party vendors, such as outsourced internal auditors or sellers of non-deposit investment products.
We have seen written policies that categorize the risk of each third party vendor as low, moderate or high. The Bulletin identifies payments, clearing, settlements and custody, and significant shared services such as information technology, as critical activities. In addition, any activity that could expose the bank to significant risk if the vendor fails to perform, that involves significant customer impact, that requires significant investment, or that could have a major impact on bank operations if the bank lacks an effective alternative makes the relationship critical and places it in the high risk category. This initial determination sets the type and depth of the procedures needed to manage that relationship.
We have seen some third party vendors offer contracts that would allow the vendor to terminate the relationship for far too many reasons, and some with little or no notice. If the services provided are critical to supporting essential bank services or products, these provisions must be negotiated to require continued service until an alternative service provider is in place. A corollary to managing that risk is obtaining meaningful economic damage provisions, so that a vendor cannot walk away with de minimis economic consequences for breaching its obligation to continue providing the service.
Another issue that needs to be addressed arises when the third party vendor has access to your customers’ non-public personal information. This can occur through a hosted website, or because the vendor has access to that information while supporting your computer systems. There must be a meaningful review of the vendor’s security controls for protecting the privacy of that information. This can usually be accomplished at no cost to you by obtaining and reviewing the vendor’s SSAE 16 SOC 2 report, which tests the vendor’s controls against the applicable trust services principles, including privacy. When reviewing the report, confirm that its scope covers the systems that actually handle your customers’ information and the relevant principles (security, confidentiality and privacy), prefer a Type II report, which tests whether the controls operated effectively over a period rather than merely existed on a single date, and read the exceptions and any “complementary user entity controls” the vendor expects you, the bank, to maintain.
The Guidance from the FED takes an approach similar to the OCC’s, emphasizing risk management over the life of the relationship. Like the OCC’s Guidance, the FED’s Guidance specifically states that it applies to community banks. One surprising aspect of the FED statement was its specific reference to expecting a negligence standard in the indemnification clause, so that the vendor holds the financial institution harmless when a third party sues the institution over a situation caused by the vendor. Too many times we have seen gross negligence, or worse, as the standard in the draft contract offered. In other instances the performance standards in the contract are so amorphous that they amount to “we will try our best, but there are no promises as to how we will do.” It will be interesting to see how this new Guidance changes those negotiations, or whether the regulators will step up to the plate and tell a third party vendor that they will not allow their financial institutions to enter into those types of contracts.
In summary, these newly published Guidance bulletins emphasize the identification and effective management of the risks associated with third party vendors. This may require your institution to step up its game.