Community banks increasingly provide products and services through arrangements with third parties. Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and ultimately strengthen the safety and soundness of insured institutions. Third-party arrangements can also help institutions attain key strategic objectives. But third-party arrangements also present risks. Failure to manage these risks can expose a financial institution to regulatory action, financial loss, litigation, and reputational damage, and may even impair the institution’s ability to establish new or service existing customer relationships. Successful third-party relationships, therefore, start with financial institutions recognizing those risks and implementing an effective risk management strategy.
The FDIC routinely assesses third-party arrangements. The FDIC is concerned when an arrangement unduly heightens the risk to an insured depository institution or has potential adverse effects for consumers. The risks cross all examination disciplines and necessitate close communication among examination teams to thoroughly understand the risk presented by a bank’s particular third-party arrangements. For example, compliance examiners may find legal problems with how a third party is managing a credit card operation. Those legal problems could result in substantial liability for the bank that could, in turn, affect its capital position. Conversely, risk management examiners reviewing suspicious activity reports filed by the institution about third-party mortgage brokers may find information about potentially unfair or deceptive practices that compliance examiners should review. Information technology examiners who review the operation of a third-party service provider may find security breakdowns that present both compliance and safety and soundness issues.
The purpose of this article is to heighten banker and examiner awareness of third-party risks and the effect these risks can have on financial institutions and the consumers they serve. Through examples drawn from actual examiner experiences, the authors provide some insights on identifying and managing third-party risk and how examiners assess third-party arrangements. The authors also provide a list of additional resources for further information.
“Third Party” Defined
For purposes of this article, “third party” is broadly defined to include any entity that has entered into a business relationship with an insured depository institution. Often, these third parties are deeply involved in the delivery of financial services to the consumer. The third party may be positioned, directly or indirectly, between the financial institution and its customers or otherwise have unfettered access to the institution’s customers. Consequently, the quality of that third party’s performance is critically important to the financial institution’s long-term success. A third party can be a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, domestic or foreign.
The scope of the definition of third party is expansive by necessity. Within the banking industry, third-party relationships are pervasive. Financial institutions use third parties to
The Risks Are Familiar . . . Sometimes
Third-party risk is not a simple, easily identifiable risk attribute, but rather a combination of risks ranging from the familiar to the highly complex. Third-party risk can vary greatly, depending on each individual third-party arrangement. The risks are more widely recognized in certain arrangements, such as information technology and merchant processing. However, in many other arrangements, the risks can seem more innocuous—sometimes leading to critical gaps in bank management’s planning and oversight of third-party arrangements.
Some of the risks are associated with the underlying activity itself—similar to the risks faced by an institution directly conducting the activity. Other potential risks arise from or are heightened by the involvement of a third party. Significant or more complex third-party arrangements will have identifiable risk attributes falling into the following broad categories.
Strategic risk includes the risk arising from ill-advised business decisions or the failure to implement appropriate business decisions in a manner consistent with an institution’s strategic planning objectives. The use of a third party to perform banking functions or offer products or services that do not help the financial institution achieve corporate strategic goals presents an obvious strategic risk. Third-party arrangements that do not provide a return commensurate with the level of risk assumed expose the financial institution to strategic risk.
Reputation risk is the risk arising from negative public opinion. Dissatisfied customers, breaches of an institution’s policies or standards, and violations of law can potentially harm the reputation of a financial institution in the community it serves. Negative publicity involving the third party, even if it is not related to the specific third-party arrangement, presents reputation risk to a financial institution.
Transaction risk is the risk arising from problems with customer service or product delivery. A third party’s failure to perform as expected by the financial institution or by customers—because of inadequate capacity, technological failure, human error, or fraud—exposes the institution to transaction risk. Inadequate business resumption or other appropriate contingency plans also increase transaction risk. Weak control over information technology could result in the inability to transact business as expected, unauthorized transactions, or breaches of data security.
Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Some contracts with third parties provide assurance of some measure of performance relating to the underlying obligations arising from the relationship, such as loan origination programs. Whenever indemnification or any type of guarantee is involved, the financial condition of the third party is a factor in assessing credit risk. Credit risk to the institution can also arise from arrangements where third parties market or originate loans, solicit and refer customers, or analyze credit. Appropriate monitoring of third-party activities is necessary to ensure that credit risk is understood and remains within established limits.
Compliance risk is the risk arising from violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or with the institution’s business standards. Activities of a third party that are not consistent with law, policies, or ethical standards expose financial institutions to compliance risk. This risk is exacerbated by inadequate oversight or a weak audit function. A third party’s failure to appropriately maintain the privacy of customer records will also create undue risk.
Other risks. Third-party relationships may also subject financial institutions to a variety of unique risks: liquidity, interest rate, price, foreign currency translation, and country risks, among others. A comprehensive list of other types of risk that arise from an institution’s decision to enter into a third-party relationship is not possible without a complete understanding of the arrangement.
Don’t Neglect the Basics
A simple participation loan is a very common third-party arrangement and provides a good introduction to our examples of third-party risk. The participating financial institution (or purchaser) does not underwrite the loan, and the borrower does not directly interact with the institution. A third party, perhaps not even an insured financial institution, assumes many critical functions in the underwriting and servicing processes. In the vast majority of participation loans, the outcome is as expected: the borrower pays as agreed and the arrangement is profitable for the bank. However, the myriad things that can go wrong highlight the basics of third-party risk.
Examiners sometimes find that a participation loan does not meet the financial institution’s established underwriting standards, too often with predictable results. Institutions often “buy” the types of loans they cannot originate in their normal trade area; however, those institutions may lack lenders with sufficient expertise to analyze the participation loan. At other times, a financial institution’s management may wish, in hindsight, that they had known more—not only about the borrowers, but also about the third party with whom they did business. Purchased loans, especially those from outside a financial institution’s lending area, present the opportunity for misrepresentation or fraud. In addition to strategic and due-diligence issues, there are a multitude of risks specific to any given transaction.
Addressing the Risks. Institutions entering into participation arrangements can avoid common pitfalls and mitigate third-party risks by
As demonstrated in the examples discussed below, these key steps—risk assessment, due diligence, contract review, and oversight—are the basic elements of an effective third-party risk management process, regardless of the type of activity carried out by the third party.
Beyond Credit Risk
Financial institutions sometimes focus almost exclusively on credit risk and overlook the potential for other risks. In one case, an institution decided to enter the credit card market by partnering with an entity that purported to specialize in marketing and processing credit cards. These credit cards, which were promoted as a product that provided customers with “benefits” and “satisfaction,” were also marketed as a means of building or rebuilding a consumer’s credit rating.
According to the agreement with the third party, the financial institution would underwrite and originate credit cards under its own name and immediately sell any related receivables to the third party. In return, the institution would receive a small amount every month for each outstanding card. If an individual cardholder was able to make the required payments in a timely manner, he or she could earn a refund of some, or all, of the origination fee. However, the program was structured so that only a small percentage of cardholders would ever use the card in a traditional manner. More often than not, the small credit line was completely consumed by fees at origination, leaving the cardholder with no available credit upon receipt of the card.
Examiners took exception to the product being marketed as a credit-building instrument because the institution was unable to provide substantive evidence that consumers’ credit profiles actually improved by using the credit card. Examiners were also concerned that the card had minimal usefulness from the outset because of the high initial fees. Despite the claims of “satisfaction,” a significant portion of cardholders canceled their credit cards within three to six months of issuance. The institution was found to be in violation of Section 5 of the Federal Trade Commission Act (relating to unfair and deceptive acts or practices),1 was required to make customer reimbursements, and suffered damage to its reputation.
The Importance of Effective Risk Identification. There are numerous risks that may arise from an institution’s use of third parties. In this case, the institution was focused on credit risk rather than on compliance and reputation risk. As part of the risk assessment process, management should analyze the potential risks associated with the third party and the proposed activity. In retrospect, the financial institution could have mitigated many of the risks resulting from this arrangement by
Costly Lessons from Unsupervised Outsourcing
Institutions often use third parties, such as mortgage brokers, to generate mortgage loans. In such cases, financial institutions are expected to ensure that the risk management processes for loans purchased from or originated through third parties are consistent with applicable supervisory policies.
An examination of an institution well versed in mortgage lending revealed substantial problems related to its mortgage broker network. Product offerings by both the institution and its third-party mortgage brokers had rapidly evolved and expanded. To meet growing demand, the institution shifted its product and delivery channel strategies. In only a brief period of time, the institution’s broker network expanded significantly.
At the same time, the institution’s due diligence process for brokers was relaxed. The institution’s financial standards for the third-party mortgage brokers it used quickly became more liberal than the institution’s lending standards. Simple background checks, costing only a few dollars, were forgone for the sake of expediency. Monitoring processes were lax. The lending-volume threshold to trigger closer reviews of loan quality was set so high that practically no brokers were ever subject to the reviews. Underwriting standards were also relaxed. In effect, the institution became reliant on the brokers to protect its financial interest and reputation. Further, management reporting was cumbersome and incomplete. While the institution used a watch list, essentially brokers were placed on the list only if suspicious activity (i.e., fraud) was actually reported to federal authorities or if specific misconduct was identified. Even when a watch designation was assigned, the institution’s systems allowed for continued funding without further review. Unfortunately, but not surprisingly, the institution recognized these inadequacies only after credit losses increased substantially.
No Substitute for Due Diligence and Oversight. Problems arise not from the absolute volume of relationships, but from the quality of the risk management processes employed. In this example, controls over the network were perfunctory at best. The institution appeared to have a process but, in practice, the process controlled very little. The institution could have mitigated the risks discussed as well as the resulting impact on the institution by
Hitting the Bottom Line
One financial institution outsourced much of the development and administration of a new credit product for its customers. However, the third party was not fully aware of the various required disclosures or the annual percentage rate (APR) and finance charge calculations necessary for compliance with the Truth in Lending Act. As a result, customers received disclosure statements that significantly understated the finance charges related to the product.
The institution had already been cautioned by examiners to review new products carefully, as a result of due diligence inadequacies identified in past examinations. Despite these cautions, bank management did not invest sufficient resources to ensure a successful new product offered through the third party. Examiners discovered the inaccurate disclosure shortly after product launch. The institution suspended the product but not until numerous loans with faulty disclosures had been originated. The amount of reimbursements to customers was significant, along with the expense and embarrassment that came with rectifying the mistake. Had the problem not been identified early, the reimbursements required could have easily reached an amount large enough to jeopardize the capital accounts of the financial institution.
Unidentified Risks Can Be Costly. Following an assessment of risks and a decision to proceed with a new product line developed and administered by a third party, the institution’s management must carefully select a qualified entity to implement the program. Due diligence should be performed not only prior to selecting a third party, but also periodically during the course of the relationship. In this example, the institution could have mitigated the risks discussed as well as the resulting impact on the institution by
A Supervisory Perspective
Before engaging in any third-party arrangement, a financial institution should ensure that the proposed activities are consistent with the institution’s overall business strategy and risk tolerances, and that all involved parties have properly acknowledged and addressed critical business risk issues. These issues include the costs associated with attracting and retaining qualified personnel, investments in the technology potentially needed to monitor and manage the intended activities, and the establishment of appropriate feedback and control systems. If the activity involves consumer products and services, the board and management should establish a clear solicitation and origination strategy that allows for after-the-fact assessment of performance, as well as mid-course corrections.
Proper due diligence should be performed prior to contracting with a third-party vendor and on an ongoing basis thereafter. Management should ensure that exposures from third-party practices or financial instability are minimized. Negotiated contracts should provide the institution with the ability to control and monitor third-party activities (e.g., growth restrictions, underwriting guidelines, outside audits) and discontinue relationships that do not meet high quality standards.
Reputation, compliance, and legal risks are dependent, in part, upon the intended activities as well as the public perception of both the financial institution’s and the third party’s practices. Therefore, careful review is warranted, and an adequate compliance management program is critical. In some cases, an institution may need processes in place to handle potential legal action. In any case, management should establish systems to monitor consumer complaints and ensure appropriate action is taken to resolve legitimate disputes.
Finally, an institution’s audit scope should provide for comprehensive, independent reviews of third-party arrangements as well as the underlying activities. Findings should be provided to the financial institution’s board of directors and exceptions should be immediately addressed.3
A financial institution’s board of directors and senior management are ultimately responsible for identifying and controlling risks arising from third-party relationships. The financial institution’s responsibility is no different than if the activity was handled directly by the institution. In fact, as the examples in this article illustrate, greater care may be necessary depending on the risks inherent in the third-party arrangement.
FDIC examiners assess how financial institutions manage their significant third-party relationships. Trust, consumer protection, information technology, and safety and soundness examinations all include reviews of third-party arrangements. Examiners review bank management’s record of and process for assessing, measuring, monitoring, and controlling risks associated with significant third-party relationships. The depth of the examination review depends on the scope of activity conducted through or by the third party and the degree of risk associated with the activity and the relationship. The FDIC considers the results of the review in its overall evaluation of management and its ability to effectively control risk. The use of third parties can have a significant effect on other key aspects of performance, such as earnings, asset quality, liquidity, rate sensitivity, and the institution’s ability to comply with laws and regulations.
FDIC examiners address findings and recommendations relating to an institution’s third-party relationships in the Report of Examination and within the ongoing supervisory process. Appropriate corrective actions, including enforcement actions, may be pursued for deficiencies related to a third-party relationship that pose significant safety and soundness concerns or result in violations of applicable federal or state laws or regulations.
Bankers and examiners alike deal with third-party arrangements on a regular basis. Third-party arrangements can help financial institutions attain strategic objectives by increasing revenue or reducing costs and can facilitate access to needed expertise or efficiencies relating to a particular activity. However, inadequate management and control of third-party risks can result in a significant financial impact on an institution, including legal costs, credit losses, increased operating costs, and loss of business.
As illustrated in the preceding examples, the risks inherent in third-party arrangements are not significantly different from other risks financial institutions face. In fact, the risks are often the same—the difference is where to look for them. Likewise, the framework for risk management is very similar. Risks should be identified, activities managed and controlled, information monitored, and processes periodically audited. Identified weaknesses should be documented and promptly addressed. As with any other undertaking by a financial institution, poor strategic planning, inadequate due diligence, insufficient management oversight, and a weak internal control environment are common elements in problem situations. Similarly, the primary element for success is effective management.
Kevin W. Hodson
Todd L. Hendrickson
Acknowledgments: The authors wish to acknowledge the assistance of Field Supervisors Brent J. Klanderud (Risk Management), Omaha, NE, and Randy S. Rock (Risk Management), Sioux Falls, SD, in developing this article. Messrs. Klanderud and Rock, along with the authors, recently led an Examiner Forum, an internal seminar for FDIC examiners in the FDIC’s Risk Analysis Center, on the topic of third-party risk. The authors are also grateful for the encouragement and assistance provided by Mira Marshall, Senior Policy Analyst, Compliance Policy Section, Washington Office; Kenyon Kilber, Senior Examination Specialist, and Suzy Gardner, Examination Specialist, Planning and Program Development Section, Washington Office; and the talented examiners who identified the situations cited as examples in this article.
1 The Winter 2006 issue of Supervisory Insights contains a thorough discussion of Section 5 of the Federal Trade Commission Act (unfair or deceptive practices affecting commerce) and cites situations similar to this example. See “Chasing the Asterisk: A Field Guide to Caveats, Exceptions, Material Misrepresentations, and Other Unfair or Deceptive Acts or Practices,” Supervisory Insights, Vol. 3, Issue 2, Winter 2006, www.fdic.gov/regulations/examinations/supervisory/insights/siwin06/index.html.
2 FIL-89-2006, Guidance on Nontraditional Mortgage Product Risks, and Addendum to Credit Risk Management Guidance for Home Equity Lending, October 5, 2006, www.fdic.gov/news/news/financial/2006/fil06089.html.
3 From the FDIC’s Risk Management Manual of Examination Policies, www.fdic.gov/regulations/
List of Resources
FDIC Risk Management Manual of Examination Policies, Related Organizations, Section 4.3, “Examination and Investigation of Unaffiliated Third Parties,” www.fdic.gov/regulations/safety/manual/section4-3.html.
FDIC Risk Management Manual of Examination Policies, Loans, Section 3.2, “Subprime Lending,” www.fdic.gov/regulations/safety/manual/section3-2.html#subprime.
FIL-89-2006, Guidance on Nontraditional Mortgage Product Risks, and Addendum to Credit Risk Management Guidance for Home Equity Lending, October 5, 2006, www.fdic.gov/news/
FDIC Compliance Examination Handbook, “Compliance Examinations,” Sections II, V, VII, and IX, www.fdic.gov/regulations/compliance/handbook/html/index.html.
FIL-52-2006, Foreign-Based Third-Party Service Providers: Guidance on Managing Risks in These Outsourcing Relationships, June 21, 2006, www.fdic.gov/news/news/financial/2006/fil06052.html.
OCC Bulletin 2001-47, Third Party Relationships: Risk Management Principles, November 1, 2001, www.occ.treas.gov/ftp/bulletin/2001-47.doc.
OCC Advisory Letter 2000-9, Third Party Risk, August 29, 2000, www.occ.treas.gov/ftp/advisory/2000-9.doc.
Thrift Bulletin 82a, Third Party Arrangements, September 1, 2004, www.ots.treas.gov/docs/8/84272.pdf.
Federal Financial Institutions Examination Council Information Security IT Examination Handbook, July 2006, Appendix A: “Examination Procedures,” www.ffiec.gov/ffiecinfobase/booklets/