Enhanced expectations by regulators for how financial firms – including debt collectors – manage their relationships with third parties, and the costly consequences of failing to do so properly, are prompting major changes in both the processes and the business case for outsourcing.
New standards from the Office of the Comptroller of the Currency and the Federal Reserve Board for managing third-party risks are detailed and sweeping. These agencies and the Consumer Financial Protection Bureau are scrutinizing areas of concentrated third-party risk, such as securing customer data, processing payments, collecting debts and offering credit card add-on products.
The guidance from the prudential regulators breaks new ground in its scope and specificity as it sets forth a dynamic oversight model to govern the entire life cycle of a third-party relationship. The net effect is to ratchet up the expectations for processes designed to make sure these relationships do not threaten safety and soundness or consumer protection. Firms – large and small, bank and nonbank – cannot delegate that responsibility, and therefore they bear the risk of third-party errors.
Caught between operating models that depend on outsourcing and continued regulatory scrutiny of third-party risk management, agencies of all sizes must now solve the puzzle of substantially upgrading oversight while preserving the economic case for outsourcing.
New Expectations
The guidance from the OCC and Federal Reserve significantly recast expectations by enhancing the depth and intensity of oversight requirements at each stage of third-party relationships. The boldest changes expand the relationships subject to scrutiny and elevate management of their related risks to the most senior levels of supervised institutions.
Regulators will evaluate oversight of a remarkably wide range of third-party activities. The OCC guidance departs from its prior practice of providing only illustrative examples of covered relationships by specifying such relationships as “any business arrangement between a bank and another entity by contract or otherwise.” The Federal Reserve adopted a similar stance.
This change is so sweeping that the traditional term for third parties – vendors – now covers only a fraction of in-scope relationships. The regulators expect firms’ risk management infrastructure to address the full range of their operations and relationships, including those with other supervised entities, affiliates, joint ventures, brokers and advisers.
Julie Williams, Chris Lewis and Justin Guo contributed to this article.
P-R Stark assists Promontory clients with regulatory and compliance issues, focusing on consumer financial products and services. Prior to joining Promontory, she was one of the first employees at the Consumer Financial Protection Bureau.