In today’s competitive and highly regulated banking environment, many community banks are entering into more complex relationships with a wide range of third-party vendors. These include vendors that provide tax, legal, audit and IT resources for community banks.
Bank regulators have been growing increasingly concerned about the level of risk management and due diligence practiced by banks over these third-party vendors. They expect banks to implement the same risk management practices with third-party vendors that they do when performing these activities internally.
Perhaps most importantly, banks can be held liable for regulatory violations committed by third-party vendors they work with. This includes violations by third-party vendors of fair lending laws, including unfair, deceptive or abusive acts and practices (or UDAAPs).
Guidance From the Regulators
The Office of the Comptroller of the Currency (OCC) has issued guidance to help community banks assess and manage the risks associated with their third-party vendor relationships. The OCC instructs banks to adopt risk management processes that are “commensurate with the level of risk and complexity of its third-party relationships.”
The guidance stresses that comprehensive risk management and oversight are especially important for vendors that perform critical outsourced activities for the bank. These include significant bank functions like payments, clearing, settlements and custody, as well as significant shared services like information technology. Critical activities include any activity that could have a significant impact on customers or expose the bank to significant risk.
A Continuous Life Cycle
The OCC identifies what it calls a “continuous life cycle” that community banks should follow with regard to effective third-party risk management. This life cycle includes the following five phases:
- Planning — You should first develop a plan to manage the vendor relationship.
- Due diligence and third-party vendor selection — Next, perform thorough due diligence on all potential third-party vendors before signing contracts with them. Any risk posed by working with the vendor should be consistent with your bank’s risk appetite.
- Contract negotiation — The contract should clearly define the expectations and responsibilities of the vendor. This will help ensure the contract’s enforceability, limit the bank’s liability, and mitigate any possible disputes about performance.
- Ongoing performance monitoring — This step is essential to managing the risk of the third-party vendor relationship.
- Termination — Finally, you should develop a contingency plan to ensure that you can transition the vendor’s activities to another third party, bring them in-house or discontinue them when the contract expires or its terms have been satisfied.
Due Diligence Is Critical
In short, your bank’s use of third-party vendors to perform activities does not diminish your responsibility to make sure these activities are performed safely and in compliance with applicable laws. This makes thorough vendor due diligence critical for community banks that rely on outsourced vendors. Please contact us at 417-881-0145 if you would like more details on vendor risk management and due diligence.