Community banks increasingly provide products and services through arrangements with third parties. Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and ultimately strengthen the safety and soundness of insured institutions. Third-party arrangements can also help institutions attain key strategic objectives. But third-party arrangements also present risks. Failure to manage these risks can expose a financial institution to regulatory action, financial loss, litigation, and reputational damage, and may even impair the institution’s ability to establish new or service existing customer relationships. Successful third-party relationships, therefore, start with financial institutions recognizing those risks and implementing an effective risk management strategy.
The FDIC routinely assesses third-party arrangements. The FDIC is concerned when an arrangement unduly heightens the risk to an insured depository institution or has potential adverse effects for consumers. The risks cross all examination disciplines and necessitate close communication among examination teams to thoroughly understand the risk presented by a bank’s particular third-party arrangements. For example, compliance examiners may find legal problems with how a third party is managing a credit card operation. Those legal problems could result in substantial liability for the bank that could, in turn, affect its capital position. Conversely, risk management examiners reviewing suspicious activity reports filed by the institution about third-party mortgage brokers may find information about potentially unfair or deceptive practices that compliance examiners should review. Information technology examiners who review the operation of a third-party service provider may find security breakdowns that present both compliance and safety and soundness issues.
The purpose of this article is to heighten banker and examiner awareness of third-party risks and the effect these risks can have on financial institutions and the consumers they serve. Through examples drawn from actual examiner experiences, the authors provide some insights on identifying and managing third-party risk and how examiners assess third-party arrangements. The authors also provide a list of additional resources for further information.
“Third Party” Defined
For purposes of this article, “third party” is broadly defined to include any entity that has entered into a business relationship with an insured depository institution. Often, these third parties are deeply involved in the delivery of financial services to the consumer. The third party may be positioned, directly or indirectly, between the financial institution and its customers or otherwise have unfettered access to the institution’s customers. Consequently, the quality of that third party’s performance is critically important to the financial institution’s long term success. A third party can be a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, domestic or foreign.
The scope of the definition of third party is expansive by necessity. Within the banking industry, third-party relationships are pervasive. Financial institutions use third parties to
Perform functions on their behalf;
Facilitate customer access to the products and services of third-party providers; and
Increase revenue by allowing third parties to conduct business on behalf of the financial institution by using the institution’s name on the third parties’ products and services.
The Risks Are Familiar . . . Sometimes
Third-party risk is not a simple, easily identifiable risk attribute, but rather a combination of risks ranging from the familiar to the highly complex. Third-party risk can vary greatly, depending on each individual third-party arrangement. The risks are more widely recognized in certain arrangements, such as information technology and merchant processing. However, in many other arrangements, the risks can seem more innocuous—sometimes leading to critical gaps in bank management’s planning and oversight of third-party arrangements.
Some of the risks are associated with the underlying activity itself—similar to the risks faced by an institution directly conducting the activity. Other potential risks arise from or are heightened by the involvement of a third party. Significant or more complex third-party arrangements will have identifiable risk attributes falling into the following broad categories.
Strategic risk includes the risk arising from ill-advised business decisions or the failure to implement appropriate business decisions in a manner consistent with an institution’s strategic planning objectives. The use of a third party to perform banking functions or offer products or services that do not help the financial institution achieve corporate strategic goals presents an obvious strategic risk. Third-party arrangements that do not provide a return commensurate with the level of risk assumed expose the financial institution to strategic risk.
Reputation risk is the risk arising from negative public opinion. Dissatisfied customers, breaches of an institution’s policies or standards, and violations of law can potentially harm the reputation of a financial institution in the community it serves. Negative publicity involving the third party, even if it is not related to the specific third-party arrangement, presents reputation risk to a financial institution.
Transaction risk is the risk arising from problems with customer service or product delivery. A third party’s failure to perform as expected by the financial institution or by customers—because of inadequate capacity, technological failure, human error, or fraud—exposes the institution to transaction risk. Inadequate business resumption or other appropriate contingency plans also increase transaction risk. Weak control over information technology could result in the inability to transact business as expected, unauthorized transactions, or breaches of data security.
Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Some contracts with third parties provide assurance of some measure of performance relating to the underlying obligations arising from the relationship, such as loan origination programs. Whenever indemnification or any type of guarantee is involved, the financial condition of the third party is a factor in assessing credit risk. Credit risk to the institution can also arise from arrangements where third parties market or originate loans, solicit and refer customers, or analyze credit. Appropriate monitoring of third-party activities is necessary to ensure that credit risk is understood and remains within established limits.
Compliance risk is the risk arising from violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or with the institution’s business standards. Activities of a third party that are not consistent with law, policies, or ethical standards expose financial institutions to compliance risk. This risk is exacerbated by inadequate oversight or a weak audit function. A third party’s failure to appropriately maintain the privacy of customer records will also create undue risk.
Other risks. Third-party relationships may also subject financial institutions to a variety of unique risks: liquidity, interest rate, price, foreign currency translation, and country risks, among others. A comprehensive list of other types of risk that arise from an institution’s decision to enter into a third-party relationship is not possible without a complete understanding of the arrangement.
Don’t Neglect the Basics
A simple participation loan is a very common third-party arrangement and provides a good introduction to our examples of third-party risk. The participating financial institution (or purchaser) does not underwrite the loan, and the borrower does not directly interact with the institution. A third party, perhaps not even an insured financial institution, assumes many critical functions in the underwriting and servicing processes. In the vast majority of participation loans, the outcome is as expected: the borrower pays as agreed and the arrangement is profitable for the bank. However, the myriad things that can go wrong highlight the basics of third-party risk.
Examiners sometimes find that a participation loan does not meet the financial institution’s established underwriting standards, too often with predictable results. Institutions often “buy” the types of loans they cannot originate in their normal trade area; however, those institutions may lack lenders with sufficient expertise to analyze the participation loan. At other times, a financial institution’s management may wish, in hindsight, that they had known more—not only about the borrowers, but also about the third party with whom they did business. Purchased loans, especially those from outside a financial institution’s lending area, present the opportunity for misrepresentation or fraud. In addition to strategic and due-diligence issues, there are a multitude of risks specific to any given transaction.
Addressing the Risks. Institutions entering into participation arrangements can avoid common pitfalls and mitigate third-party risks by
Conducting a thorough risk assessment. Ensure that the proposed relationship is consistent with the institution’s strategic plan and overall business strategy;
Conducting a thorough due diligence. Focus on the third party’s financial condition, relevant experience, reputation, and the scope and effectiveness of its operations and controls;
Reviewing all contracts. Ensure that the specific expectations and obligations of both the bank and the third party are outlined and formalized;
Reviewing applicable accounting guidance. Determine if the participation agreement meets the criteria for a loan sale or a secured borrowing. Key issues to consider include rights to repurchase and recourse arrangements. In some cases, participation loans meet applicable sales criteria, but warrant consideration under risk-based capital standards; and
Developing a comprehensive monitoring program. Periodically verify that the third party is abiding by the terms of the contractual agreement and that identified risks are appropriately controlled.
As demonstrated in the examples discussed below, these key steps—risk assessment, due diligence, contract review, and oversight—are the basic elements of an effective third-party risk management process, regardless of the type of activity carried out by the third party.
Beyond Credit Risk
Financial institutions sometimes focus almost exclusively on credit risk and overlook the potential for other risks. In one case, an institution decided to enter the credit card market by partnering with an entity that purported to specialize in marketing and processing credit cards. These credit cards, which were promoted as a product that provided customers with “benefits” and “satisfaction,” were also marketed as a means of building or rebuilding a consumer’s credit rating.
According to the agreement with the third party, the financial institution would underwrite and originate credit cards under its own name and immediately sell any related receivables to the third party. In return, the institution would receive a small amount every month for each outstanding card. If an individual cardholder was able to make the required payments in a timely manner, he or she could earn a refund of some, or all, of the origination fee. However, the program was structured so that only a small percentage of cardholders would ever use the card in a traditional manner. More often than not, the small credit line was completely consumed by fees at origination, leaving the cardholder with no available credit upon receipt of the card.
Examiners took exception to the product being marketed as a credit-building instrument because the institution was unable to provide substantive evidence that consumers’ credit profiles actually improved by using the credit card. Examiners were also concerned that the card had minimal usefulness from the outset because of the high initial fees. Despite the claims of “satisfaction,” a significant portion of cardholders canceled their credit cards within three to six months of issuance. The institution was found to be in violation of Section 5 of the Federal Trade Commission Act (relating to unfair and deceptive acts or practices),1 was required to make customer reimbursements, and suffered damage to its reputation.
The Importance of Effective Risk Identification. There are numerous risks that may arise from an institution’s use of third parties. In this case, the institution was focused on credit risk rather than on compliance and reputation risk. As part of the risk assessment process, management should analyze the potential risks associated with the third party and the proposed activity. In retrospect, the financial institution could have mitigated many of the risks resulting from this arrangement by
Conducting a thorough risk assessment;
Making certain promotional materials were well-supported and not misleading;
Reviewing the third party’s previous experience with the product as well as monitoring results of the third-party arrangement, including records of those customers who canceled their cards within a few months of issuance; and
Reviewing the product for compliance with governing laws and regulations.
Costly Lessons from Unsupervised Outsourcing
Institutions often use third parties, such as mortgage brokers, to generate mortgage loans. In such cases, financial institutions are expected to ensure that the risk management processes for loans purchased from or originated through third parties are consistent with applicable supervisory policies.
An examination of an institution well versed in mortgage lending revealed substantial problems related to its mortgage broker network. Product offerings by both the institution and its third-party mortgage brokers had rapidly evolved and expanded. To meet growing demand, the institution shifted its product and delivery channel strategies. In only a brief period of time, the institution’s broker network expanded significantly.
At the same time, the institution’s due diligence process for brokers was relaxed. The institution’s financial standards for the third-party mortgage brokers it used quickly became more liberal than the institution’s lending standards. Simple background checks, costing only a few dollars, were foregone for the sake of expediency. Monitoring processes were lax. The lending-volume threshold to trigger closer reviews of loan quality was set so high that practically no brokers were ever subject to the reviews. Underwriting standards were also relaxed. In effect, the institution became reliant on the brokers to protect its financial interest and reputation. Further, management reporting was cumbersome and incomplete. While the institution used a watch list, essentially brokers were placed on the list only if suspicious activity (i.e., fraud) was actually reported to federal authorities or if specific misconduct was identified. Even when a watch designation was assigned, the institution’s systems allowed for continued funding without further review. Unfortunately, but not surprisingly, the institution recognized these inadequacies only after credit losses increased substantially.
No Substitute for Due Diligence and Oversight. Problems arise not from the absolute volume of relationships, but from the quality of the risk management processes employed. In this example, controls over the network were perfunctory at best. The institution appeared to have a process but, in practice, the process controlled very little. The institution could have mitigated the risks discussed as well as the resulting impact on the institution by
Exercising appropriate due diligence prior to entering into a third-party relationship and providing ongoing, effective oversight and controls;
Conforming to supervisory standards, including those reiterated in the September 2006 Interagency Guidance on Nontraditional Mortgage Product Risks;2 and
Monitoring loan originations to ensure that loans met the institution’s lending standards and were in compliance with applicable laws and regulations.
Hitting the Bottom Line
One financial institution outsourced much of the development and administration of a new credit product for its customers. However, the third party was not fully aware of the various required disclosures or the annual percentage rate (APR) and finance charge calculations necessary for compliance with the Truth in Lending Act. As a result, customers received disclosure statements that significantly understated the finance charges related to the product.
The institution had already been cautioned by examiners to review new products carefully, as a result of due diligence inadequacies identified in past examinations. Despite these cautions, bank management did not invest sufficient resources to ensure a successful new product offered through the third party. Examiners discovered the inaccurate disclosure shortly after product launch. The institution suspended the product but not until numerous loans with faulty disclosures had been originated. The amount of reimbursements to customers was significant, along with the expense and embarrassment that came with rectifying the mistake. Had the problem not been identified early, the reimbursements required could have easily reached an amount large enough to jeopardize the capital accounts of the financial institution.
Unidentified Risks Can Be Costly. Following an assessment of risks and a decision to proceed with a new product line developed and administered by a third party, the institution’s management must carefully select a qualified entity to implement the program. Due diligence should be performed not only prior to selecting a third party, but also periodically during the course of the relationship. In this example, the institution could have mitigated the risks discussed as well as the resulting impact on the institution by
Conducting a comprehensive due diligence that involved a review of all available information, including the third party’s qualifications and experience with the product; and
Monitoring the third party’s activities to make sure the products produced were in compliance with existing laws, rules, and regulations, as well as the institution’s internal policies, procedures, and business standards.
A Supervisory Perspective
Before engaging in any third-party arrangement, a financial institution should ensure that the proposed activities are consistent with the institution’s overall business strategy and risk tolerances, and that all involved parties have properly acknowledged and addressed critical business risk issues. These issues include the costs associated with attracting and retaining qualified personnel, investments in the technology potentially needed to monitor and manage the intended activities, and the establishment of appropriate feedback and control systems. If the activity involves consumer products and services, the board and management should establish a clear solicitation and origination strategy that allows for after-the-fact assessment of performance, as well as mid-course corrections.
Proper due diligence should be performed prior to contracting with a third-party vendor and on an ongoing basis thereafter. Management should ensure that exposures from third-party practices or financial instability are minimized. Negotiated contracts should provide the institution with the ability to control and monitor third-party activities (e.g., growth restrictions, underwriting guidelines, outside audits) and discontinue relationships that do not meet high quality standards.
Reputation, compliance, and legal risks are dependent, in part, upon the intended activities as well as the public perception of both the financial institution’s and the third party’s practices. Therefore, careful review is warranted, and an adequate compliance management program is critical. In some cases, an institution may need processes in place to handle potential legal action. In any case, management should establish systems to monitor consumer complaints and ensure appropriate action is taken to resolve legitimate disputes.
Finally, an institution’s audit scope should provide for comprehensive, independent reviews of third-party arrangements as well as the underlying activities. Findings should be provided to the financial institution’s board of directors and exceptions should be immediately addressed.3
A financial institution’s board of directors and senior management are ultimately responsible for identifying and controlling risks arising from third-party relationships. The financial institution’s responsibility is no different than if the activity was handled directly by the institution. In fact, as the examples in this article illustrate, greater care may be necessary depending on the risks inherent in the third-party arrangement.
FDIC examiners assess how financial institutions manage their significant third-party relationships. Trust, consumer protection, information technology, and safety and soundness examinations all include reviews of third-party arrangements. Examiners review bank management’s record of and process for assessing, measuring, monitoring, and controlling risks associated with significant third-party relationships. The depth of the examination review depends on the scope of activity conducted through or by the third party and the degree of risk associated with the activity and the relationship. The FDIC considers the results of the review in its overall evaluation of management and its ability to effectively control risk. The use of third parties can have a significant effect on other key aspects of performance, such as earnings, asset quality, liquidity, rate sensitivity, and the institution’s ability to comply with laws and regulations.
FDIC examiners address findings and recommendations relating to an institution’s third-party relationships in the Report of Examination and within the ongoing supervisory process. Appropriate corrective actions, including enforcement actions, may be pursued for deficiencies related to a third-party relationship that pose significant safety and soundness concerns or result in violations of applicable federal or state laws or regulations.
Bankers and examiners alike deal with third-party arrangements on a regular basis. Third-party arrangements can help financial institutions attain strategic objectives by increasing revenue or reducing costs and can facilitate access to needed expertise or efficiencies relating to a particular activity. However, inadequate management and control of third-party risks can result in a significant financial impact on an institution, including legal costs, credit losses, increased operating costs, and loss of business.
As illustrated in the preceding examples, the risks inherent in third-party arrangements are not significantly different from other risks financial institutions face. In fact, the risks are often the same—the difference is where to look for them. Likewise, the framework for risk management is very similar. Risks should be identified, activities managed and controlled, information monitored, and processes periodically audited. Identified weaknesses should be documented and promptly addressed. As with any other undertaking by a financial institution, poor strategic planning, inadequate due diligence, insufficient management oversight, and a weak internal control environment are common elements in problem situations. Similarly, the primary element for success is effective management.
Kevin W. Hodson Field Supervisor (Risk Management), Des Moines, IA
Todd L. Hendrickson Field Supervisor (Compliance), Fargo, ND
Acknowledgments: The authors wish to acknowledge the assistance of Field Supervisors Brent J. Klanderud (Risk Management), Omaha, NE, and Randy S. Rock (Risk Management), Sioux Falls, SD, in developing this article. Messrs. Klanderud and Rock, along with the authors, recently led an Examiner Forum, an internal seminar for FDIC examiners in the FDIC’s Risk Analysis Center, on the topic of third-party risk. The authors are also grateful for the encouragement and assistance provided by Mira Marshall, Senior Policy Analyst, Compliance Policy Section, Washington Office; Kenyon Kilber, Senior Examination Specialist, and Suzy Gardner, Examination Specialist, Planning and Program Development Section, Washington Office; and the talented examiners who identified the situations cited as examples in this article.