Federal Bank Regulators Identify Best Practices for Managing Third Party Service Provider Risk

To operate in a safe and sound manner and in compliance with applicable law, banks must carefully assess risks associated with third party vendors to whom they outsource client services.

A trio of federal agencies, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), has issued a joint statement (the “Joint Statement”) relating to banks’ contracts with intermediate platform providers, processors, middleware providers, aggregation layers and/or program managers (collectively, “Third Party Service Providers”).

In the ordinary course of business, banks rely on such Third Party Service Providers to perform a variety of functions:

  • maintain the deposit and transaction system of record; 
  • process payments (sometimes with the ability to directly submit payment instructions to payment networks); 
  • perform regulatory compliance functions; 
  • provide end-user facing technology applications; 
  • service accounts; 
  • perform customer service; and 
  • perform complaint and dispute resolution functions.

The Joint Statement does not contest the right of banks to contract with Third Party Service Providers. At the same time, their utilization by a bank “does not diminish its responsibility to comply with all applicable laws and regulations.”

The Joint Statement identified a number of effective risk management practices for banks’ utilization of Third Party Service Providers:

  • developing and maintaining appropriate policies and procedures that detail organizational structures, lines of reporting and authorities, expertise and staffing, internal controls, and audit functions to ensure that risks are understood and mitigated; 
  • developing appropriate risk assessments that identify and analyze risks specific to features of each arrangement;
  • conducting and documenting due diligence that is of sufficient scope and depth to determine whether the bank can rely on third parties to perform the various necessary roles to deliver deposit products and services on the bank’s behalf; 
  • entering into contracts and agreements that clearly define roles and responsibilities of banks and third parties and enable banks to manage the risks of the arrangements effectively;
  • assessing potential risks when the bank does not have a direct contractual relationship with all parties with significant roles to determine whether and how such risks can be sufficiently mitigated and remain consistent with the bank’s risk appetite;
  • establishing effective ongoing monitoring processes, commensurate with the risk of each activity and relationship, and sufficient to detect any issues so they can be addressed in a timely manner;
  • maintaining a clear understanding of any management information system that will be used to support the activity, including any obligations and contractual reporting requirements when the deposit and transaction system of record is managed through the third party or through a subcontractor to another party;
  • developing and maintaining risk-based contingency plans, which address potential operational disruption or business failure at the third party that may disrupt end users’ access to funds, including contractual provisions that facilitate the bank’s contingency plans;
  • implementing internal controls to mitigate risks inherent in deposit functions;
  • establishing adequate policies, procedures, oversight, and controls to help ensure the bank complies with applicable laws and regulations, including consumer protection requirements;
  • having adequate policies, procedures, oversight, and controls to help ensure the bank complies with applicable AML/CFT requirements;
  • establishing appropriate concentration limits, diversification strategies, liquidity risk management strategies, and exit strategies, as well as maintaining capital adequacy;
  • performing appropriate analysis to determine whether parties involved in the placement of deposits meet the definition of a deposit broker under [applicable law] and appropriately reporting any such deposits as brokered deposits in the Call Report;
  • establishing policies and procedures and developing prudent risk management practices for certain deposit-related arrangements to ensure compliance with [applicable law]; and
  • ensuring such policies and procedures include, as appropriate, provisions related to monitoring and evaluating activities of persons that facilitate access to the bank’s deposit-related services or products to other parties, as required under applicable law.

The Joint Statement does not set forth specific requirements for the provisions of legal agreements between banks, on the one hand, and Third Party Service Providers, on the other. At the same time, the risks discussed therein shed light on the issues such contracts should address and how such matters might be handled. For example, a Third Party Service Provider would be required to disclose to its bank clients any records relating to such Third Party Service Provider’s interactions with the bank’s customers. Similarly, a Third Party Service Provider might be required to cooperate and support the client bank’s efforts to comply with its regulatory-related obligations.

Do you have questions about the risks that banks take on when they hire Third Party Service Providers to support their business operations? Have you considered whether your banking services agreements appropriately address the risks discussed in the Joint Statement? If you have a question about such matters, contact Castle Garden Law for an introductory consultation.

Ted Amley

Managing Attorney

With more than two decades of experience, Ted Amley has advised on hundreds of complex business, finance, and employment matters. His background includes roles at Cravath, Richards Kibbe, and Dentons, along with in-house experience at Morgan Stanley, Blackstone, and UBS. Now leading his own practice, Ted represents individuals, companies, funds, and institutions across sectors such as tech, real estate, healthcare, AI, ecommerce, and finance – offering strategic counsel on equity, governance, contracts, lending, cross-border deals, and more.

Years of experience: 23+