Banking, it’s a Risky Business.
Compliance expert Matt Goble reviews best practices for mitigating the risks associated with third-party relationships.
Banking. It’s a risky business. Regardless of the size of your institution, or whether you have customers or members, identifying and mitigating risks is a primary function of any successful compliance management program. Risks lurk around every corner of operations within your institution, but an extra layer of risk is added to the picture once a third-party relationship becomes involved.
In today’s banking environment, we rely on third party vendors for a variety of functions. As a result, it is imperative to have the proper controls in place to mitigate the risks associated with those relationships. In this week’s article, we will identify some risky business practices along with the steps you should take to ensure those risks do not outweigh the rewards.
Certain practices will increase the risks of violations in connection with third-party relationships, including:
Overreliance on the third-party: The third-party vendor will never assume ultimate responsibility for compliance violations.
Failure to train staff or retain knowledgeable staff: Consider evaluating activity at the vendor’s location to ensure risks are understood and staff are appropriately trained.
Failure to adequately monitor the third-party: Ongoing monitoring is a key component to prevent violations.
Failure to set clear expectations: Performance expectations must be clearly communicated to the third-party vendor and specifically included in the contract agreement.
In order to keep the risks associated with your business at an acceptable level, a compliance management program should be established that clearly defines your policies and procedures. A written program will represent a source that serves as a training tool for all parties involved. A well planned, implemented, and maintained compliance program will assist in minimizing the risk of regulatory penalties due to violations of non-compliance, protect consumers by mitigating UDAAP concerns, and align business operations with strategy.
Additional considerations for an effective risk management program include:
Due diligence: An effective and ongoing due diligence program is necessary to mitigate the risks associated with all third-party relationships. An effective due diligence program includes:
- Policies that define the criteria for determining which third-party vendors your institution will accept for doing business and performing functions on your institution’s behalf
- Gaining references from other financial institutions
- A planning process to assess the risks involved with the third-party now and ongoing
- Reviewing the third-party’s financial and operational risks
- Determining the legal agreements necessary before entering into a business relationship with the third-party.
Not only should your institution have a clear policy governing the selection of vendors, but also the conditions warranting removal of the vendor from the third-party relationship resulting in termination of the agreement.
Perform a risk assessment: A detailed risk assessment that identifies and categorizes all potential risks, including all applicable consumer laws and regulations, faced by the third-party relationship should be developed based on the initial due diligence review. The results of the risk assessment should be provided to the board of directors and senior management prior to engaging in any new activity or product.
Establish clear contractual obligations: A formal written agreement should be established between your financial institution and the third-party vendor. All provisions in the contract should be based on the risks identified. Specifically, the contract should include the following components that are typical for any third-party vendor relationship:
- Detail performance expectations of the vendor, including consumer compliance expectations
- Documentation standards
- Exit clauses
- Clearly address compensation requirements
- Define the requirement for the vendor to provide ongoing financial information
- Outline your institution’s ability to perform on-site reviews of the vendor, if applicable, depending on the nature of the business relationship.
Comprehensive Audit and Monitoring Program: The monitoring function should be derived from the risk assessment developed during due diligence. The monitoring program should include both off-site and on-site visits to the vendor, as necessary. All staff performing the monitoring and auditing function should be adequately trained to ensure they fully understand the nature of the business relationship and the risks involved in order to conduct a thorough monitoring. Depending on the results of the monitoring and audit functions, the risk assessment may need to be updated periodically.
Board and Management Oversight: Management and board of director oversight of any third-party vendor relationship is critical to the success of the compliance program. The board of director should establish clear guidelines for the level of risk it will accept from any third-party vendor agreement. Management should report to the board of directors key performance indicators such as consumer complaints or exceptions made to policy. As part of a strong compliance management program, the board should review the vendor management policy, due diligence reports, risk assessments, and monitoring and audit results.
One key point I want you to remember is this – You cannot contract away your compliance responsibilities. It is incumbent upon financial institutions to manage the risks associated with all third-party vendor relationships. At the end of the day, it will be you, not the third-party vendor sitting at the table with the regulator come examination time. Make sure you have the appropriate controls in place to demonstrate a strong compliance management program through written documentation, policies, and procedures.