The Federal Reserve recently added to the growing body of regulatory guidance on the topic of financial institution management of service provider outsourcing relationships by issuing its Guidance on Managing Outsourcing Risk (the Guidance). The Guidance applies to financial institutions of any asset size under the supervision of the Federal Reserve, including state member banks, banks and savings and loan holding companies (and their nonbank subsidiaries), and foreign banking organizations’ U.S. operations.
On January 9, 2014, from 12 p.m.to 1 p.m. ET, Ballard Spahr will conduct a webinar regarding risk management of third-party relationships by financial institutions. The registration form is now available.
The Guidance is intended to supplement, not replace, existing guidance pertaining to the outsourcing of bank internal functions to third parties, and specifically including technology service providers. As noted in an accompanying press release, the Guidance relates to third-party service providers—including consultants. The term “service provider” is defined broadly, encompassing virtually any entity entering into a contractual relationship with a financial institution to provide business functions or activities, such as accounting, auditing, loan review, compliance, and risk management.
The guidance touches on some of the familiar risks of using service providers to perform operational functions. It also notes the responsibilities of the board of directors and senior management in establishing and overseeing the execution of appropriate risk management and related compliance structures compliant with applicable law and regulation, as well as safety and soundness considerations. In addition, it discusses elements the regulator believes to be typically associated with effective risk management programs, including:
- Pre-decision outsourcing risk assessments and assessment of internal oversight capabilities
- Due diligence and selection of service providers, based on review of business background and reputation, financial condition, and quality of operational and internal controls
- Considerations and advice regarding contractual elements and provisions, including review by legal counsel before execution
- Incentive compensation review and related considerations
- Structures for oversight, use of performance metrics, and monitoring of service providers, including with respect to adequacy of their financial condition and internal control environment
- Business continuity, disaster recovery, and contingency planning issues
- A few more specialized risk considerations, such as risks attendant to foreign-based service providers, and special considerations for outsourcing internal audit functions
The Guidance is less comprehensive than the risk management guidance for third-party relationships published by the Office of the Comptroller of the Currency (OCC) in October, although is it is thematically similar. (The OCC’s guidance was the subject of a previous alert.) This may be due partly to the fact that the Guidance supplements existing Federal Reserve guidance in this area, versus the OCC guidance, which rescinds certain longstanding OCC guidance.
Both sets of guidance agree that risk management processes should be commensurate with the risk and complexity of third-party relationships. The OCC, however, generally requires more extensive and rigorous oversight of relationships that involve critical activities. By contrast, the Federal Reserve seems to recognize that at least for community banks— if the numbers of such relationships are few and with highly reputable service providers—simpler risk management programs employing fewer considerations may be appropriate, even where critical business activities are being outsourced.
Ballard Spahr's Consumer Financial Services and Bank Regulation and Supervision Groups include attorneys who, among other things, counsel banking clients and their boards of directors and senior management on a variety of risk management issues, advise on third-party service provider relationships and draft related agreements, assist with compliance with supervisory agreements and consent orders, and prepare reports and recommendations for remediation of identified deficiencies or violations of law or regulation.
For more information, please contact CFS Group Practice Leader Alan S. Kaplinsky at 215.864.8544 or firstname.lastname@example.org, Glen P. Trudel at 302.252.4464 or email@example.com, Keith R. Fisher at 202.661.2284 or firstname.lastname@example.org, or Christopher J. Willis at 678.420.9436 or email@example.com.
Copyright © 2013 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.