The board of directors and senior management are responsible for managing activities conducted through third-party relationships, and for identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution. Financial institutions are expected to have clearly defined systems of risk management controls built into the management system, including controls over activities conducted by affiliates and third-parties. The more significant the third-party service relationship (e.g., it performs critical functions, has a material impact on revenues, or involves a large number of consumers), the more important it is that the institution conduct regular reviews of the adequacy of its oversight and controls over third-party relationships. Examiners will evaluate all applicable third-party relationships as though the activities were performed by the institution itself.
Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and strengthen the safety and soundness of the institution. However, third-party relationships also present risks if not properly managed. Specifically, failure to manage these risks can expose an institution to supervisory action, financial loss, litigation, and reputational damage. Risks from third-parties include compliance risk (i.e. violation of laws or regulations), reputation risk (i.e. negative public opinion), operational risk (i.e. inadequate or failed internal processes), transaction risk (i.e. problems with product or service delivery), and credit risk (i.e. unable to meet contractual relationships). To that end, the decision about whether to use a third party should be fully analyzed by management. In addition, a comprehensive risk management process, which includes management of any third-party relationships, will enable management to ensure that the third-party is operating in a manner consistent with federal and state laws, rules and regulations (including those to protect consumers).
In the past couple of weeks, there has been a lot of industry buzz about third-party relationships. In particular, there has been a large amount of discussion regarding automobile dealers. The American Banker reported that the Consumer Financial Protection Bureau (CFPB) is preparing to “crack down” on interest rate markups (typically 2.0 to 2.5 percentage points) that automobile dealers add onto the cost of car loans. In February, Bloomberg reported that the CFPB told “at least four banks that it may sue them over vehicle loans and interest-rate markups by auto dealers that appear discriminatory…”
Regardless of the type of third-party relationship (e.g., mortgage brokers, auto dealers, credit card providers, debt collection, loss mitigation, disclosure preparation software, audit functions), there are four common elements to an effective third-party risk compliance management process for all significant relationships:
1. Conduct a Regular Risk Assessment – Assess risks and options for controlling third-party relationships.
3. Review Contract Structuring – Ensure that the specific expectations and obligations of both the institution and the third-party are outlined in a written contract (which defines the structure).
4. Review Oversight Process – Review the operational and financial performance of third-party activities on an ongoing basis to ensure they meet the terms of the contractual agreement.
Bottom Line: A financial institution’s use of third-parties can be a powerful and effective way to achieve its strategic goals. With that said, the regulators expect financial institutions to oversee third-party relationships as they would any other division of their own institution. Therefore, financial institutions should regularly review their third-party service providers, assess risks, and evaluate internal policies and procedures to ensure compliance.
TRUPOINT Partners can help your institution conduct a comprehensive compliance management risk assessment. If you are working with third-parties in the lending process, we can also help you compare and analyze your lending data to determine if there is any disparate impact risk.
A complimentary risk review with one of our senior consultants can give you a head start in analyzing and understanding your risk.