News & Events

Third Party Service Provider Risk Assessment

Vendor management and third party service provider oversight has become an increasingly important area for banks to closely consider and regularly monitor. Banks are responsible for the practices of third parties and may be held accountable for a third party’s violations of consumer protection laws and regulations as well as unfair, deceptive and abusive acts and practices. Regulators have increased their focus on third party contracts and activities and are requiring banks to conduct a risk assessment of each third party relationship, put policies and procedures in place for the management of these relationships and maintain documentation of all initial and ongoing due diligence and monitoring. In one of its first enforcement actions, the Consumer Financial Protection Bureau (CFPB) cited American Express Centurion Bank with violations of deceptive debt collection, deceptive marketing, excessive late fees, inadequate credit dispute reporting and lack of proper oversight of the bank’s management and board. In the Consent Order, it was noted that all but one of the cited violations resulted from “deficient management oversight of the bank’s service providers.” The Consent Order required the Bank “to develop policies to maintain effective monitoring, training, record-keeping and audit procedures to review each aspect of the Bank’s agreements with its Service Providers and the services performed for the Bank pursuant to these agreements.”

In response to the increased scrutiny on vendor management practices, all banks should conduct a risk assessment of each third party relationship. The risk assessment should be performed not only as part of the initial due diligence conducted prior to entering into a new third party relationship, but also on an ongoing basis for periodic monitoring.

We have developed a third party risk assessment for participants in the CMS Initiative. In doing so, we focused on the following subject areas: due diligence; policies, procedures, oversight and control; the contract; and products and services. A summary of considerations for each subject area is set forth below.

Due Diligence

Conducting adequate due diligence is extremely important prior to entering into a new contract with a third party, but it is equally important and necessary to conduct ongoing monitoring and to remain comfortable with each service provider’s practices throughout the relationship. In other words, due diligence should be an ongoing task. Adequate due diligence is of even greater importance when considering certain types of products and services such as those for identity theft protection and others that have been under increased scrutiny. The third party’s financial information, experience, reputation, consumer complaints, litigation, controls, security procedures, business plans, business resumption strategy, knowledge of existing laws and regulations, and many other relevant issues and documents must be reviewed and considered in order to conduct adequate due diligence.

Policies, Procedures, Oversight and Internal Control

Appropriate and adequate personnel should be included in every step of the monitoring of third party relationships. Specific employees should be assigned the duties of ongoing oversight and monitoring of third party relationships. Management should be immediately notified of any issues, modifications or other concerns involving existing relationships. Management insight and Board approval should be obtained prior to entering into a new agreement.

Any incentive for bank employees to encourage customers to sign up for a new product or service should be eliminated. The use of incentives is strongly discouraged and such practices have been the basis for serious UDAAP related enforcement actions.

Issues surrounding consumer complaints should be addressed in every contract. The parties must agree as to which party will have responsibility for responding to consumer complaints, how complaints will be forwarded to the appropriate party for response, and the development and maintenance of complaint summary reports.

Contract Review

Each contract should clearly set forth the expectations, obligations, and rights of each party. Each contract should also contain an indemnity provision. This provision should be drafted in the bank’s favor and the bank should assume no more risk than the third party. It is important to note that an indemnification provision, no matter how well drafted, should not be viewed as a way to avoid practicing safe and sound banking practices.

The contract should address authorization for continued due diligence and allow the bank or its regulators to audit the third party as necessary or to receive reports, policies, or other documents as may be necessary to evaluate the third party’s compliance. Each contract should also address the third party’s requirement to comply with all applicable laws, regulations and guidance from regulators.

Products and Services

All products and/or services offered to bank customers must provide a definite benefit to the customer, especially when there is an out- of-pocket cost for the customer. The bank should be comfortable with the details of all products and services offered, the enrollment and cancellation process for the customers, and all associated benefits. The enrollment and termination process should be easy to understand and accomplish. Terminations should occur upon the first attempt or request.

It is important for the bank to gain a true understanding of all fees associated with any products or services offered under a contract by a third party. Any fees that will be passed on to a customer must be fully disclosed. The word “free” should only be used in instances in which there is absolutely no chance that a customer could be charged a fee at any time and an account or service is truly free.

It is an important reminder that a UDAAP analysis and risk assessment should be performed prior to offering any new products or services. All marketing materials, disclosures and agreements should also be reviewed from a UDAAP perspective as well.

Other considerations

As you conduct third party risk assessments, we recommend that you consider the long- term consequences of the terms of each contract and the benefits and risks associated with each product being offered. Each product or service offered through a third party should match your bank’s strategic plan and long term goals.