The Board of Governors of the Federal Reserve System’s most recent Supervisory Letter “Guidance on Managing Outsourcing Risk” (“Guidance”), released in December 5, 2013, distills the characteristics, governance, and operations required for a risk management program aimed at monitoring service providers of financial institutions. Specifically, the guidance lays on top of other regulatory guidance on third-party risk to clarify expectations around outsourcing, selection, and management of third party service providers.
Some of the of SR 13-19 requirements include:
- Development and implementation of risk management programs
- Service provider compliance with applicable laws, established by the Board
- Mandated review and update of policies and procedures for outsourced activities
Who does the Guidance apply to?
The Guidance applies to all financial institutions and U.S. operations of foreign bank organizations that are supervised by the Board, no matter the size of the institution. The Board defines any third party or service provider as any outsourced party that has entered into a contractual relationship with any financial institution in order to provide said institution a business function or activity.
A focus on risk management programs
SR 13-19 expects financial institutions to develop and implement a risk management program for all third party providers that is “commensurate with the level of risk” depending on the financial institutions outsourcing activities.
The program must be established and approved by the institution’s board of directors, executed, and reported on. In establishing the program, it is important for each financial institution to review and consider all possible risks – such as compliance, concentration, reputation, country, operational, legal, transaction, strategic, and credit risk- that may arise when partnering with each outsourcing relationship. Once partnered with the third party, it is equally, if not more, important to monitor those potential risks throughout the relationship.
Since this approach is dependent on complexity of the outsourced activities, the Guidance requires that the below elements be part of the financial institution’s risk management program for each of its outsourced relationships:
- Risk assessments: the financial institution should review the outsourced activity and potential relationship prior to engaging, to determine if it is consistent with the overall strategy. This includes reviewing the benefits and risks of outsourcing the activity, as well as the experience of the third party provider and the institutions own ability to manage and oversee the outsourcing.
- Due diligence and selection of service providers: the financial institution should conduct a review of the third party that includes background, reputation, strategy, financial performance, insurance coverage, as well as the party’s data security and contingency planning policies.
- Incentive compensation review: the financial institution should review and approve incentive compensation agreements within the outsourcing contracts to ensure the outsourced third party is not encouraged to take risks that could result in reputational damage or litigation.
- Oversight and monitoring of service providers: procedures should be in place that allow financial institutions to oversee and monitor the third party service providers on a consistent basis. Procedures should include performance metrics, risk – based reporting and monitoring at a level “commensurate with the level of risk.”
- Business continuity and contingency plans: Contingency plans should be in place for all outsourced activities. The plans should focus on the critical areas of service they are provided and provide alternatives where they are not able to perform. Disaster recovery and business continuity plans for the contracted services should align with the financial institutions and should illustrate responsibilities for maintaining and testing the plan as well as an exit strategy.
- Contract provisions and considerations: Any and all terms should be written and approved by the financial institutions legal counsel before any relationship is executed. Terms included in the service agreement contain the following elements: scope, cost and compensation, audit rights, performance standards, confidentiality and data security, intellectual property rights, indemnification, default and termination, dispute resolution, liability limits, insurance, customer complaints, business continuity planning, foreign-based services and subcontracting. Relatedly, the SR13 – 19 requirements listed above may require financial institutions to review and update any third party vendor contracts. All contract should include the approval of board of directors, even if this may not have historically been required.
With the increasing amount of regulation and guidance in the third party risk management space, it is more important than ever to understand the risk presented by the activities of vendors by developing a comprehensive and continuous risk management program.