By Jennifer Monty Rieker, Ulmer & Berne LLP
Cyber threats, data security, the emergence of Fintech, and increased scrutiny of service providers remain at the top of the list of concerns for banks and financial institutions. While internal processes and procedures provide risk management for companies, the use of third party service providers continues to present a risk in the face of new technology and emerging businesses.
Outside Service Providers
US financial institutions are subject to strict regulations. Whether regulated by the Office of the Comptroller of the Currency (“OCC”), the Consumer Financial Protection Bureau (“CFPB”), or the Federal Deposit Insurance Corporation (“FDIC”), third-party relationships are subject to scrutiny.
Third-party service relationships are business arrangements between a financial institution and another entity. These relationships can be codified through contract or established through course of business. Relationships with financial technology (Fintech) companies are subject to the same third-party servicer scrutiny. Fintech originated as companies that assisted financial institutions with the back end of operations. Now, Fintech has become a critical component of financial institutions, offering services from mobile payment applications to money transfers.
As these services affect critical operations of a financial institution, the risk involved in using them can be high. The OCC, CFPB, and FDIC have all authored guidance on managing the risk of third-party service providers. Earlier this year, the OCC updated its prior third-party servicer guidance to address issues related to Fintech and cybersecurity.
Financial institutions are tasked with developing appropriate risk management processes that are commensurate with the risk level and complexity of their third-party relationships. The OCC initially developed guidance using a cyclical approach to due diligence. As part of the process, a company using a third-party service provider should engage in a five-step inquiry:
Planning – Before engaging a third-party service provider, a company should have a clear plan that details how the relationship will be managed. When a third party provides a critical service, more detailed planning is necessary.
Due Diligence and Selection – Due diligence is required before selecting a third-party service provider. As part of the due diligence process, the service provider’s strategies and goals should be reviewed to ensure that they are in line with the company’s strategies and goals. The service provider should also be evaluated for the strength of its legal and regulatory compliance programs. Assessing the provider’s financial condition will help evaluate the risk related to its financial stability. Information security and management of information systems are vital components that must be reviewed, as is the provider’s use of subcontractors. Other items to consider are insurance coverage and other business relationships or commitments that may impact service.
Contract Negotiation – Contract negotiations should include clear expectations of the service that will be provided, along with benchmarks for measuring performance. Delineating responsibility for maintaining records, permitting audits, and requiring that the parties comply with applicable laws and regulations are all part of the negotiation process. In light of recent natural disasters, companies should include disaster readiness, business resumption, and contingency plans. The parties should also agree on the terms of default and the ability to terminate the relationship. If a service provider is outside the United States, choice-of-law and jurisdictional provisions should be reviewed.
Ongoing Monitoring – Throughout the course of the relationship, the parties should continually evaluate performance. Monitoring should include on-site visits, routine audits, and review of ongoing litigation.
Termination – Relationships can terminate upon expiration of a contract, upon bringing an activity in-house, or upon breach of a contract. Relationships should be terminated pursuant to the contractual requirements, and the planning process for the critical activity should have already begun prior to termination.
While this approach provides general guidance, the intricacies of working with Fintech and addressing cybersecurity warranted further review, resulting in the updated guidance released earlier this year.
As the risk of cyber-attacks increases, the OCC has provided additional guidance to financial institutions to address cyber threats. The OCC recommends that US financial institutions participate in information-sharing organizations to help them understand cyber threats to themselves as well as to the third-party service providers they use. Suggested forums include the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT), and InfraGard. Further, US financial institutions are encouraged to share information related to cyber threats.
Cyber-attacks on a third-party service provider create a unique issue in vendor management. Depending on the information to be provided to a third-party service provider, appropriate due diligence must take place before customer information is shared. Further, contract negotiations must produce terms addressing the measures the third party will take to prevent attacks and breaches, notification of attacks and breaches, and indemnification.
What a financial institution engages a Fintech company to provide affects the risk management process. Fintech companies that provide critical services warrant a higher level of review. Previously, the OCC defined critical services as those that involve payments, clearing, settlements, and information technology. Essentially, any activity that could have a significant customer impact, requires significant investment to implement, or could have a major impact on operations if the third party fails to meet expectations is a critical service.
As part of the due diligence process, US federal guidance recommends a review of the financial stability of a third-party servicer, including a review of the company’s financial information. However, emerging Fintech companies often have limited financial histories. Instead, the due diligence process can analyze access to funds, funding sources, earnings, net cash flow, and expected growth. As part of the cyclical vendor management review, there should be ongoing monitoring and auditing. As the vendor management life cycle continues, more information may become available, and continual auditing of a Fintech’s financial health can help to minimize risk.
While risk cannot be completely avoided, following a risk management process can help reduce the level of risk. Adhering to one of the guideline programs can assist companies, particularly as they navigate third-party relationships.