DeZube, Dona, Independent Banker
Guidance is available when buttoning down technology provider risks
Managing risks that arise from third-party relationships with technology service providers and others is a recurring process that must be adapted anew each time it's undertaken, according to FDIC guidance. To make that process go more smoothly and effectively, the agency last year provided a roadmap in a Financial Institution Letter, Guidance for Managing Third Party Risk (FIL 44-2008).
"The risks inherent in third-party arrangements are not significantly different from other risks financial institutions face," says FDIC Senior Examination Specialist Kenyon Kilber. "Poor strategic planning, inadequate due diligence, insufficient management oversight and a weak internal control environment are common elements in problem situations. Similarly, the primary element for success is effective management."
Four basic elements compose an effective third-party risk management program, Kilber explains. Those elements are risk assessment, due diligence in selecting a third party, contract structuring and review, and oversight.
Defining a Third Party
Who is a third party? Technically, every one of your community bank's business partners is, but risk managers need to focus only on significant third-party providers, says Cathy Judge, a consultant for Plante & Moran in Southfield, Mich.
To determine which third-party technology services providers are significant, apply the seven criteria outlined in the FDIC guidance:
1. Is the relationship or activity new?
2. Does the activity have a material effect on revenue or expenses?
3. Does the third party perform a critical function?
4. Will the third party store, access, transmit or perform actions on customer information?
5. Will the third party market bank products or services?
6. Does the product or service involve subprime lending or credit card payment transactions?
7. Can the activity or party pose risks that could significantly affect earnings or capital?
Judge advises community banks to analyze potential risks for each significant relationship before entering into a contract. "You want to know as much as you can during the process," she says. "That's when companies are most open to you."
Sources of Information
There are many sources of information about potential partners, including audits or the user control considerations section of the company's Statement on Auditing Standards 70 (SAS 70) report. Some core processing application providers and ATM-debit card partners have put audits online where bank clients can view them, Judge says.
Don't overlook in-house expertise. The product-line experts in your own community bank should have a direct hand in assessing third-party technology risk, says Ryan Stinneford, a partner in the retail financial services group at Pierce Atwood LLP in Portland, Maine.
Community banks can seek outside consulting assistance as well, Stinneford adds. "There are vendors who manage this process, and compliance companies can do audits and make recommendations."
Internet-based Software as a Service (SaaS) platforms are used by many financial services firms to manage risk and compliance. Some two dozen companies have such products focused on banks. These platforms help banks share contract information, policies, procedures and controls and can also be used to make third-party partners perform self-assessments, says Michael Rasmussen, president of Corporate Integrity LLC, a Waterford, Wis., compliance consulting firm. They create for auditors an ongoing record of which actions were taken when and who provided assurances, he says.
The platforms start around $60,000, although the price can rise to more than $1 million for a large bank with a great number of relationships to manage, explains Rasmussen. …