Pub. 5 2014 Issue 2
West Virginia Banker, Summer 2014, page 19

The issue of vendor oversight is not new to the banking industry. As the business of banking grew in complexity, banks increasingly provided products and services through arrangements with third parties, and historically regulators responded with general guidance requiring banks to identify and appropriately manage the risks associated with third-party relationships. Recent enforcement actions by the federal regulators and the issuance of more detailed regulatory guidance by the Office of the Comptroller of the Currency (OCC) and Federal Reserve Board demonstrate that vendor management remains a paramount regulatory focus. Failure to manage these risks can expose a financial institution to regulatory action, financial loss, litigation, and reputational damage. Although this heightened scrutiny is another example of the increased compliance burden on banks, the regulatory guidance may benefit banks by providing the regulatory fodder needed to push back on vendors during the negotiation process.

On October 30, 2013, the OCC issued OCC Bulletin 2013-29 (the OCC Guidance), which provides guidance to national banks and federal savings associations for assessing and managing risks associated with third-party relationships. The OCC Guidance requires a national bank to adopt risk management practices that are “commensurate with the level of risk and complexity of its third-party relationships” and directs the bank’s board and management to identify those third-party relationships that involve “critical activities”.[1] Similarly, in December 2013, the Federal Reserve issued its guidance (SR Letter 13-19) on outsourcing for “financial institutions” as a supplement to its existing guidance on technology service provider risk. The Federal Reserve guidance applies to all financial institutions supervised by the Federal Reserve.
The Federal Reserve guidance differs from the OCC guidance in that it focuses more on the significance of the supplier to the bank as opposed to the importance of the activity to the bank’s business.[2]

Because the OCC and the Federal Reserve expect banks to address specific topics in their outsourcing agreements and engage in ongoing monitoring, banks should have additional leverage to insist that certain provisions be included in their third-party vendor agreements. The OCC and Federal Reserve guidance include a list of contract provisions that are either suggested or required to be included in third-party provider contracts. A bank that fails to adequately address any of the listed contract provisions may be required to justify the omission. Both the OCC and the Federal Reserve indicate that the risk management program should be commensurate with the level of risk, importance, and complexity of third-party relationships and the number of material business activities being outsourced. Importantly, both regulators recognize that the elements of a community bank’s risk management program may not be as complex as those of institutions that use multiple service providers for numerous business activities.

Provisions that the OCC and Federal Reserve will expect banks to include in their third-party provider contracts include:

Nature and Scope of Arrangement

The OCC requires that third-party contracts specifically identify the frequency, content, and format of the service, product, or function to be provided and include such ancillary services as software or other technology support and maintenance, employee training and customer service. The contract must also describe the terms governing the use of the bank’s information facilities, personnel, systems and equipment as well as access to and use of the bank’s or customer’s information.
Both the OCC and Federal Reserve guidance require provisions addressing compliance with applicable laws, regulations, and regulatory guidance; the training of financial institution employees; the ability to subcontract services; and insurance

Vendor Management — continued on page 20

New Vendor Management Regulatory Guidance May Help Banks Negotiating Contracts
Sandra M. Murphy and Amy J. Tawney, Bowles Rice LLP