Reliance on third-party service providers has become a necessity in the rapidly changing business landscape. It is not uncommon for a financial institution to underestimate their third-party compliance risks. When we conduct compliance reviews and audits, we often find that compliance officers are over reliant upon their organization’s third-party service provider/vendor management process and manager to assess compliance risk associated with third-party service providers used.
Underestimating your compliance risk associated with third-party service providers can result in additional regulatory scrutiny, increased fair lending risk, or increased UDAAP risk, just to name a few. Now is a good time to assess if you have any regulatory compliance risk associated with using third-party service providers and if your processes are adequate to mitigate regulatory compliance risk. Taking a few simple steps now will allow you to make necessary changes to your compliance management system (CMS) especially as you begin to plan for 2019. Below are a few areas to assess and action steps you can take now to help you evaluate potential gaps in your overall CMS as it pertains to the compliance risk posed by third-party service providers.
Identify your third-party service providers. Work with the person responsible for vendor management within your organization and take an inventory of all the third parties used by your organization which might pose consumer compliance risk. To determine if a vendor poses a risk, look at what the vendor is engaged to perform on your behalf and whether they are customer facing. If you are struggling to determine if the third-party service provider performs customer-facing activities on your behalf, just ask yourself “Does my customer know that this is not coming from our organization?” The answer to this simple question should help you determine if they are customer facing on your behalf. Typical third-party providers include:
- Consumer reporting agencies (credit reporting agencies) providing you with credit reports and sending Fair Credit Reporting Act (FCRA) disclosures to consumers on your behalf
- Insurance tracking companies that track insurance documents, and send force-placed letter notifications on your behalf
- Other companies that service a loan portfolio on your behalf (such as a credit card, mortgage, etc.)
- Companies that generate and mail statements on your behalf (such as deposit or loan statements)
- Third-party debt collectors used by your organization to help with collections
Once identified, document which third parties engage in consumer-facing activities and track. If not already, ask the person responsible for vender management within your organization to include you in the evaluation process of any new third-party service providers. Getting involved early will help you track and assess your compliance risk before it is too late.
Once you identify third-party service providers that engage in consumer-facing activities, take a look at the contracts for each. It is common to find that contracts are silent on your ability to get results from compliance audits or request a compliance audit. Review your contracts and verify that contracts include provisions such as:
- Clearly define compliance responsibilities between your organization and theirs
- Ability to request compliance audits or request a copy of their compliance audit reports (or summary)
- Request copies of complaints from your customers against the third-party service providers
If you identify contracts that are silent on these issues, work with your third- party service provider manager, legal counsel and service provider to get something added.
Having clearly defined compliance responsibilities will minimize the risk of confusion regarding who is responsible for what activities. Having the ability to request compliance audits or the results of compliance audits will enhance your oversight of the third-party service provider by allowing you to assess their overall CMS. Getting copies of complaints received by the third-party service provider related to your customer will also give you further insight into how well the CMS of the third-party service provider is working.
Monitoring and audits
Monitor your third-party service provider. Ongoing monitoring is one of the most common areas overlooked by compliance officers and the person responsible for third-party risk management. Often we find that the compliance officer is relying upon the third-party risk manager (and vice versa) to monitor the third-party service provider for compliance with applicable requirements. We also find that there is no monitoring for consumer compliance requirements.
Monitoring can be as simple as periodically reviewing disclosures or statements sent on your behalf. For higher risk areas such as outsourced loan servicing activities, transaction-level testing on activities the third-party service providers have prepared for your customers might be more appropriate. Performing some level of monitoring will allow you to evaluate if your third-party service providers are compliant with applicable regulations.
Evaluate your complaint management process and ensure you are capturing complaints received about third-party service providers. Complaints are often one of the best tools for identifying potential compliance issue related to a third party. Evaluate how complaints are categorized and ensure that you have a way to identify complaints received from customers that are related to third-party service providers. If you do not capture complaints related to these providers or do not have a means to identify such complaints in your current process, adjust accordingly. Likewise, make sure you have access to complaints received directly by your third-party service provider and evaluate their responses to the complaints to assess the risk and whether they were handled appropriately.
Taking time and assessing the four areas above will give you a quick picture into potential blind spots for managing your third-party service provider compliance risk. Once you identify potential blind spots associated with using these providers, you can plan and make necessary changes to your compliance program, including monitoring and audits, to mitigate compliance risk associated with third-party service providers.