While the debate about global warming and atmospheric climate change continues to rage, there is little doubt that the “climate” around banking risk and risk assurance is changing rapidly, driven primarily by national and state regulators, federal and state attorney generals, and a public that is tired and angry reading headlines about the latest banking misbehavior. The scope of these misdeeds is as important as the frequency with which they are reported. The issues range from serious, high value impact misconduct to consumer transactions of smaller individual impact repeated time and time again as standard operating practice. Said another way by example, the abuses have ranged from Libor currency fixing, mortgage backed security valuation falsifications and blatant credit default swap trading irregularities on one hand to deceptive marketing tactics meant to pressure or mislead consumers into paying for add-on products of questionable value, unfair and abusive debt collection practices, and insensitive and legally questionable foreclosure proceedings. Make no mistake – although behaviors with standalone national and international economic consequences and more local consumer level issues may seem unrelated, in today’s increasingly chilly regulatory environment, they are increasingly viewed with holistic lenses by the community at large.
What’s particularly interesting about many of the consumer related headlines we’ve seen is that questionable practices are often not housed within the bank itself but rather driven by third parties working under contract on behalf of a financial institution. FI’s increased use of third party service providers is one of the areas on which regulators have focused in this increasingly chilly regulatory environment, but this attention is not new – agency guidance in this area goes back to at least 1994. ((INTERAGENCY STATEMENT ON RETAIL SALES OF NONDEPOSIT INVESTMENT PRODUCTS (February, 1994): Arrangements with Third Parties. If a depository institution directly or indirectly, including through a subsidiary or service corporation, engages in activities as described above under which a third party sells or recommends nondeposit investment products, the institution should, prior to entering into the arrangement, conduct an appropriate review of the third party. The institution should have a written agreement with the third party that is approved by the institution’s board of directors. Compliance with the agreement should be periodically monitored by the institution’s senior management. At a minimum, the written agreement should: (a) describe the duties and responsibilities of each party, including a description of permissible activities by the third party on the institution’s premises, terms as to the use of the institution’s space, personnel, and equipment, and compensation arrangements for personnel of the institution and the third party; (b) specify that the third party will comply with all applicable laws and regulations, and will act consistently with the provisions of this Statement and, in particular, with the provisions relating to customer disclosures; (c) authorize the institution to monitor the third party and periodically review and verify that the third party and its sales representatives are complying with its agreement with the institution; (d) authorize the institution and the appropriate banking agency to have access to such records of the third party as are necessary or appropriate to evaluate such compliance; (e) require the third party to indemnify the institution for potential liability resulting from actions of the third party with regard to the investment product sales program; (f) provide for written employment contracts, satisfactory to the institution, for personnel who are employees of both the institution and the third party.)) Two regulatory organizations have sway. The Consumer Financial Protection Bureau (CFPB) has been leading the charge recently, and has focused primarily on unfair, deceptive, and abusive acts or practices (also known as UDAAP issues). But the OCC (Office of the Comptroller of the Currency), with wide ranging third party guidance on the books for well over a decade, made a splash of its own with the release OCC Bulletin 2013-29 on Third Party Relationships, which replaces the OCC’s earlier guidance (OCC Bulletin 2001-47), originally released in April of 2001.
Let’s take a look at where both regulatory organizations are headed and the likely consequences for financial institutions and service providers. Third party service provider issues were an early focus of the CFPB, and in April of last year the agency issued guidance, making it clear that financial institutions are responsible for:
- Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
- Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
- Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
- Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
The CFBP by its charter has a natural focus on compliance with federal consumer protection law, and this agency’s guidance reflects that. The OCC’s concerns are broader, and extend to ensuring fundamental safety and soundness in an era where technology outsourcing is the rule and the threat environment is increasingly complex and menacing. How big is the OCC’s climate change around operational risk? In May of 2012, in a speech before the Exchequer Club in Washington, D.C., Comptroller Thomas Curry dimensioned the shift:
“Given the complexity of today’s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise.
This is an extraordinary thing. Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge. Rising operational risk concerns them, it concerns me, and it should concern you.”
The OCC’s concentration on what it perceives as changes in the major elements of operational risk underlie its motivation to update its Third Party guidance. One of the OCC’s primary areas of focus in its upcoming guidance will be ongoing process – in other words to ensure that FIs properly manage third party risk throughout the full term of an outsourcing relationship. And when banks undertake outsourcing initiatives that are strategically important the OCC thinks even more is required. In an interview last August, the OCC’s deputy comptroller for operational risk said that in such circumstances, “Some level of independent review is necessary to assess on an ongoing basis whether [the FI] is doing this in a prudent way, in a sound way… We’re going to expect to see the right level of oversight and accountability, the right level of documentation and reporting.”
Although the underlying principles in the OCC’s forthcoming guidance are not new, the agency’s performance expectations are. Comptroller Curry raised the stakes even higher for larger FIs. As the American Banker reported on September 27th, as part of its “Heightened Expectations” program, large banks must maintain their internal controls and audit at a “strong’”, not a “satisfactory” level, and the OCC plans to formalize that standard.
Finally, as if to underscore that the industry should focus less on compliance as a check list and more on true risk mitigation process, the industry’s own Payments Card Industry (PCI) Council issued a new set of standards in November that are driven in part by ongoing third party security challenges and significant inconsistencies in PCI assessments. In the organization’s own words, “Changes planned for Version 3.0 are designed to help organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.”
There are short term and longer term climate changes of course, but this regulatory shift seems to be settling in as a sustained effort to push the financial services industry toward a significantly higher level of risk mitigation effectiveness. That means more focus on risk related process, both inside firms and with third parties, and an ongoing ability to monitor effectiveness. There can be no doubt – it’s time to fundamentally up the industry’s risk assurance game, and soon.
For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.