Third-Party Compliance Risks Loom Large

By Julie Knudson

As banks seek to drive better business results, resources are being focused on core competencies and vendors are increasingly tapped to provide services outside those areas. But regulators with the Consumer Financial Protection Bureau and other agencies have made it known that shifting activities to a third party doesn’t move compliance risk away from the bank. To ensure these third-party partners comply with consumer protection requirements, banks need to develop a well-crafted strategy and exercise ongoing diligence.

With high touch comes high risk

The growing popularity of third-party lending and similar services has created new customer touch points, in turn giving rise to new compliance risks. “If there is direct contact with customers, it opens up a whole spectrum of consumer protection laws and regulations that might not be in play otherwise,” says Gayle Woodbury, a managing director at Crowe Horwath LLP, which ABA endorses for risk management consulting. Any customer contact conducted on behalf of the bank changes the game, and it’s incumbent upon banks to be mindful of the associated risks.

“The potential for abusive or deceptive practices is there, because it may not be entirely clear to the customer that they’re talking to an employee of a technology company or outside financial company,” explains Brad Smith, managing director at Cornerstone Advisors. “They may think they’re talking to someone in the back office of their own bank.” This possible lack of transparency sets the stage for risk on the bank’s part as its control over customer interactions diminishes.

Ensuring third-party compliance

To mitigate compliance risks, Smith stresses the importance of staying plugged into the process. “The bank should get copies of every mailer or solicitation that goes out to customers on their behalf,” he says. If a couple of bank employees qualify as customers of the product being sold, it might even be wise to sign them up so there’s full exposure to every call and contact being made. “You’ll see if they’re dialing for dollars on Thursday nights,” Smith explains. Not only is it a potential compliance issue, it could represent a reputational risk if the vendor’s touch points are undesirable to the bank. The institution can then immediately address any unwanted or inappropriate activity.

Clarifying expectations is also critical. “Banks sometimes don’t spend enough time hammering out how the relationship is going to work,” Woodbury says. She suggests being explicit when defining the standards for conduct and how the third-party provider is expected to comply with them. Once an agreement is in place, ongoing oversight is crucial to success. “Much like when an activity is performed internally, banks need to monitor compliance and verify how activities are being conducted,” Woodbury says. The higher the risk of the activity, the more frequent and in-depth the monitoring should be.

A learning curve on both sides

The third-party risk environment is seeing some improvement, in part because recent regulatory enforcement actions have affected the vendors directly. “It starts to become a reputational issue with some real dollars behind it,” Woodbury says. “It’s one large ecosystem, and third parties are figuring out they play a different role today than they did in the past.” As a result, a number of providers have developed programs that more closely align with banking mandates.

“Most banks already have good vendor management programs in place,” Smith says. But despite tight contractual language and robust due diligence efforts, compliance concerns persist. He says third-party lending and other activities are squarely on the map for regulators. “If you have vendors that are materially communicating with, promoting or selling things to your customers, you’re responsible for making sure they adhere to laws around consumer protections.”