Top 10 Issues Facing Financial Institutions in 2017: #6 Third-Party (Vendor) Risk Management

Monday, March 27, 2017

Third-party risk management continues to receive a heightened degree of attention from the regulatory community, especially the enforcement apparatus. It seems that almost every third-party relationship is subject to increased examiner scrutiny and liability concerns, which is unlikely to abate in 2017. Because financial institutions will continue to be liable for the actions of their vendors, they cannot risk a bare-bones third-party risk management program.

That said, a financial institution can reap clear benefits from outsourcing certain functions and engaging with third-party service providers, including FinTech companies. Third-party arrangements can help management to achieve its strategic objectives, including lower costs, increased revenues, and expansion of a customer base or product capabilities. It is critical for financial institutions to use third-party service providers in a number of areas, including information technology, where the benefits outweigh the costs. But, as the FDIC is quick to point out, “you can outsource a task, but you cannot outsource the responsibility.”

Since the 2008 financial crisis, banking regulators and the Consumer Financial Protection Bureau have issued new or updated guidance with respect to third-party risk management. For example, the Federal Reserve released SR 13-19, Guidance on Managing Outsourcing Risk; the Office of the Comptroller of the Currency released Bulletin 2013-29, Risk Management Guidance on Third-Party Relationships; the Consumer Financial Protection Bureau issued Bulletin 2012-03, Service Providers; and the Federal Deposit Insurance Corporation issued Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk.

The guidance from these agencies contains similar themes. The most significant theme is straightforward: the board of directors and senior management are ultimately responsible for managing the activities conducted through third-party relationships as if the activity were handled directly by the financial institution. Agency guidance also outlines expectations for robust risk management processes, due diligence for onboarding vendors, specific contract considerations, internal controls, and prompt action (including ending a relationship) when institutions identify compliance deficiencies or other problems.

For example, the OCC’s robust guidance walks through institutions’ expected risk management process in helpful detail. While the process should be commensurate with the financial institution’s complexity, the OCC indicates that “[a]n effective third-party risk management process follows a continuous life cycle for all relationships and incorporates” the following:

  • Planning

  • Due diligence and third-party selection

  • Contract negotiation

  • Ongoing monitoring

  • Termination

Additionally, the OCC expects that the banks it regulates will oversee, document, report on, and perform independent reviews of the third-party relationship throughout the life cycle of the relationship.

The CFPB expects the bank and non-bank financial institutions it supervises to take certain steps to ensure that third-party relationships “do not present unwarranted risks to consumers.” Like the prudential regulators, the CFPB suggests institutions minimize risk through the following:

  • Internal controls

  • Comprehensive due diligence on service providers

  • Specific contract terms that set clear expectations and consequences of noncompliance for the relationship

  • Ongoing monitoring throughout the relationship

  • Termination of the relationship, where necessary

So what are the key takeaways here? Strategy and accountability. Financial institutions of all shapes and sizes use third-party service providers. Financial institution leaders should craft a strategy for engaging in these relationships, including due diligence, contract drafting and negotiation, and ongoing monitoring. This strategy is also extremely helpful for financial institution leaders facing numerous other issues. Moreover, regulators expect that their regulated institutions will maintain constant oversight of their service providers’ activities conducted on the institution’s behalf, and will hold the financial institution accountable for compliance deficiencies of its third-party service providers.

Financial institutions must develop a process and strategy that includes expectations outlined in contractual arrangements. Engaging with third parties can reduce costs and generate revenue, but a financial institution should view these relationships as if it were providing the services.

© 2024 ArentFox Schiff LLP