Risky Business

From Washington - Summer 2011 | By Kathleen W. Collins


ASSUMING THAT readers are as tired of reading articles about the Dodd-Frank Act as we are of writing them, this column will take a summer vacation from Dodd-Frank and focus on a seemingly mundane compliance issue — managing third-party risk.

If mounting examination criticism focused on the failure of banks to properly oversee their vendors wasn’t enough, the banking agencies have recently cited the failure to effectively manage third-party vendors in several high-profile enforcement actions taken against banks over their foreclosure processing activities. This was not the first, nor will it be the last, time that third-party vendor management issues form the basis for serious regulatory charges.

The regulatory guidance giving rise to these charges has been in place for years, and regulators began examining for compliance with it several years ago. Given the prevalence of third-party vendor relationships in the securities and insurance sales arena, BISA has long focused on the topic at its Legal, Regulatory and Compliance Conferences, as well as in its comments on proposed regulations.

Establishing standards for third parties

As early as 1994, in the Interagency Statement on Retail Sales of Nondeposit Investment Products, the federal banking agencies warned depository institutions to observe certain standards before and during arrangements with third parties that might sell or recommend nondeposit investment products on the premises of the institution, or in sales resulting from a referral of retail customers by the institution to a third party when the depository institution receives a benefit for the referral. The Interagency Statement warns banks to (1) conduct an appropriate review of the third party prior to entering into the arrangement; (2) have a written agreement with the third party that is approved by the bank’s board of directors; (3) include provisions addressing topics like access to records and indemnification in the written agreement; and (4) periodically monitor compliance by the third party with the written agreement.

In 2000, when the federal agencies adopted final regulations addressing Consumer Protections for Bank Sales of Insurance as mandated by the Gramm-Leach-Bliley Act, they included certain third parties as “covered persons” obliged to observe the regulations (“Any other person only when the person sells, solicits, advertises or offers an insurance product or annuity to a consumer at an office of a bank or on behalf of a bank”).

Over time, the banking agencies have refined and broadened the scope of their third-party guidance. Three federal banking agencies issued guidance this past decade on managing risks associated with a bank’s use of third parties to perform functions on the bank’s behalf, to provide products and services that the bank did not originate, or to “franchise” the bank’s attributes. The Office of the Comptroller of the Currency (OCC), the primary regulator for national banks, has issued OCC Bulletin 2001-47; the Office of Thrift Supervision (OTS), the primary regulator for federal thrifts until July 21, 2011, when its responsibilities as to federal thrifts will be assumed by the OCC, has issued Thrift Bulletin 82a; and the Federal Deposit Insurance Corporation (FDIC), the primary federal regulator of state, non-Federal Reserve member banks, and soon-to-be regulator of state savings banks, has issued Financial Institution Letter 44-2008.

Four phases

As an example of what a bank regulator expects in this regard, here is the OCC’s guidance as to the proper oversight of third-party relationships:

The OCC expects that a bank’s policies and procedures should incorporate its regulator’s expectations as to the appropriate oversight of all of its third-party relationships.

The OCC expects a dynamic risk management process over third-party arrangements at the banks it supervises, with the board of directors actively involved in the entire process. Its examiners have been instructed to review business plans for significant new products using third parties, the results of due diligence reviews, material contracts with third parties, management information systems of third parties, and information provided to the board of directors reflecting the results of management’s ongoing monitoring activities. Examiners are instructed to criticize banks whose third-party activities pose undue risk or whose risk management systems over such activities are inadequate or ineffective.

The OCC has used its third-party guidance as a partial basis of a Consent Order as early as January 2005 when a national bank’s board of directors was ordered to ensure that third-party consultants would be subject to oversight and coordination by bank management and would be subject to appropriate contractual arrangements and OCC guidance related to third-party relationships.

The FDIC has entered an Order to Cease and Desist against a bank for failing to appropriately monitor and/or manage third-party risk, and for operating in contravention of its third-party risk guidance (April 2009). A Consent Order obligated a bank to develop and maintain effective monitoring, training, and audit procedures to ensure proper management of third-party risk in accordance with its risk guidance (November 2009).

In the recent mortgage foreclosure formal enforcement actions, the Federal Reserve, the OCC, and the OTS focused on third-party vendor management, and in an Interagency Review of Foreclosure Policies and Practices found that “Failure to effectively manage third-party vendors resulted in increased reputational, legal, and financial risks to the servicers.”

The upshot of these continuing issues with third-party relationships will eventually be the dreaded onset of yet another set of regulations, a set precipitated not by Dodd-Frank but by inattention to a building drumbeat of concern from bank regulators.


Kathleen W. Collins is a partner in Morgan, Lewis & Bockius, and Washington Counsel of the Bank Insurance & Securities Association. She and Richard Starr write the "From Washington" column in alternate issues.

© Bank Insurance & Securities Association, All rights reserved.