Thursday, October 31, 2013

Reining in Third Party Risks

Yesterday, the Office of the Comptroller of the Currency (OCC) issued one of the most important statements of policy guidance to national bankers this year, particularly for community bankers.  And I say that knowing about all of the Dodd-Frank rulemaking and Basel III-related bank capital and liquidity management guidance recently proposed.

The OCC policy guidance relates to assessing and managing risks associated with third-party relationships.  It is contained in OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance.

What precipitated this update in the OCC's guidance on third-party relationships?  Here are the stated reasons:
"Banks continue to increase the number and complexity of relationships with both foreign and domestic third parties, such as
  • outsourcing entire bank functions to third parties, such as tax, legal, audit, or information technology operations.
  • outsourcing lines of business or products.
  • relying on a single third party to perform multiple activities, often to such an extent that the third party becomes an integral component of the bank’s operations.
  • working with third parties that engage directly with customers.
  • contracting with third parties that subcontract activities to other foreign and domestic providers.
  • contracting with third parties whose employees, facilities, and subcontractors may be geographically concentrated.
  • working with a third party to address deficiencies in bank operations or compliance with laws or regulations.
The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. The OCC has identified instances in which bank management
  • failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.
  • failed to perform adequate due diligence and ongoing monitoring of third-party relationships.
  • entered into contracts without assessing the adequacy of a third party’s risk management practices.
  • entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.
  • engaged in informal third-party relationships without contracts in place."

One background reason for the issuance of this OCC Bulletin may be the recent concerns about "the world's largest global provider dedicated to banking and payments technologies" (2012 Annual Report for FIS).  Check out this write-up on the distinguished news site Krebs on Security.

Key Points to Keep in Mind

Every banker needs to be aware that third parties are not defined merely as transaction processing entities.  The OCC definition includes ALL third-party arrangements, including arrangements with independent consultants.  Here's the definition:
"...activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records. Affiliate relationships are also subject to sections 23A and 23B of the Federal Reserve Act (12 USC 371c and 12 USC 371c-1) as implemented in Regulation W (12 CFR 223). Third-party relationships generally do not include customer relationships."

The Bulletin sets formal risk management expectations for these third-party relationships so that they are managed in a safe and sound manner.  It provides comprehensive guidance and is an excellent template for every bank to use to assess the degree of risk present in the bank's existing or contemplated third-party relationships.  It is incumbent on every bank board of directors to use the guidance outlined in this Bulletin to benchmark their own bank against these standards.

Time is of the essence since examiners will be referring to this guidance during the course of their regular bank examinations going forward.

Here are the highlights:
  • A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
  • A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
  • An effective risk management process throughout the life cycle of the relationship includes
    • plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
    • proper due diligence in selecting a third party.
    • written contracts that outline the rights and responsibilities of all parties.
    • ongoing monitoring of the third party’s activities and performance.
    • contingency plans for terminating the relationship in an effective manner.
    • clear roles and responsibilities for overseeing and managing the relationship and risk management process.
    • documentation and reporting that facilitate oversight, accountability, monitoring, and risk management.
    • independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

Many community banks may already be informally doing several of these things under earlier guidance provided by the OCC, but now that guidance has been significantly expanded and clarified.  It is extremely important that the risk management process over third-party relationships be formalized so that it can be reviewed by examiners through the periodic examination process.  The guidance is very specific about the duties and responsibilities of boards of directors, senior bank management, and bank employees who directly manage these relationships.  It also sets very granular standards for required independent reviews of the bank's third-party risk management process.

My biggest concern with the OCC guidance, typical of major policy guidance issuances from all federal bank regulatory agencies, is that no grace period (like 60/90/180 days) has been specified before examiners would begin to enforce this updated guidance and write up Matters Requiring Attention (MRAs) in their reports of examination.

The slow unbundling of the typical community bank, over the last three decades, into an amalgamation of platforms and services provided by other parties makes this bank supervision initiative by the OCC a major, vital, and welcome exercise of its prudential bank supervision authority.  Unfortunately, for many community bank boards of directors, it also comes with a lot of work involved and little time to do it.

Tuesday, October 22, 2013

Bank Examiners and Reputation Risk

There have been a series of think pieces over the summer railing about the seemingly unfettered authority of bank examiners in the field to cite reputation risk as a means to steer bank executives away from business that, at least in the mind of the examiner, presents a significant level of reputation risk to the bank.  There's one piece on Examiners' Growing Misuse of 'Reputation Risk', another titled Bankers and Processors Are Not Moral Police, and another, Is FDIC Waging Stealth Crackdown on Online Lenders?

The common theme: how far should bank examiners go, in using their assessment of reputation risk to the bank, to question bank dealings with customers engaged in legal commerce, where the bank has already complied with its legal compliance obligations?

The Framework

Bank regulatory agencies have historically held themselves out as being rather agnostic about products, services, and customer relationships that are within the orbit of the legal powers granted in their bank charters, as long as the panoply of applicable risks, including compliance risk, is adequately identified, measured, monitored, and managed.  And, frankly, it's important that they stay agnostic in a banking system that is still loosely based on market capitalism.

But both bankers and regulators would also agree that the liquidity of the bank, indeed the very existence of every bank, is predicated on the confidence that depositors, creditors, and contractual counterparties have in the integrity of the operations of the bank.  The bank's ability to earn profits, internally generate capital, and attract external capital and other funding is dependent on the willingness of others to do business with it.  Public confidence in a bank is directly linked to its reputation in the marketplace.  So a bank's ability to manage the reputation risk presented by its customer relationships is a valid bank supervisory concern for regulators.

Former Comptroller of the Currency Eugene Ludwig characterized the situation very well in a piece called Reputation Risk Goes Well Beyond Bad Press:
"Reputation is a misunderstood concept, too often confused with a company's advertising or PR strategy. It is something much broader: the faith that outsiders — from counterparties, to shareholders, to regulators — have in a firm's ability to conduct itself well.  It's difficult to measure, because it is related to everything a company does in the public eye."

The latest attempt to strike an appropriate balance between choice and risk can be seen in the FDIC's recent Financial Institutions Letter 43-2013, FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities:

"Facilitating payment processing for merchant customers engaged in higher-risk activities can pose risks to financial institutions; however, those that properly manage these relationships and risks are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable law."

Reputation Risk

An examiner's rating of reputation risk is a tender topic precisely because the topic is fundamentally subjective.  This subjectivity is acknowledged, by the Office of the Comptroller of the Currency (OCC) at least, by the fact that its Risk Assessment System (RAS) does not ask examiners to derive conclusions regarding "Quantity of Risk" and "Quality of Risk Management" in the areas of Strategic Risk and Reputation Risk.  The examiners are simply asked to do the not-so-simple: rate the aggregate reputation risk (high, moderate, low) and the direction of risk (increasing, stable, decreasing).

As laid out in the OCC Community Bank Supervision Handbook:
"Reputation risk is the risk to current or anticipated earnings, capital, or franchise or enterprise value arising from negative public opinion. This risk may impair a bank’s competitiveness by affecting its ability to establish new relationships or services or continue servicing existing relationships. Reputation risk is inherent in all bank activities and requires management to exercise an abundance of caution in dealing with customers, counterparties, correspondents, investors, and the community.
A bank that actively associates its name with products and services offered through outsourced arrangements or asset management affiliates is more likely to have higher reputation risk exposure. Significant threats to a bank’s reputation also may result from negative publicity regarding matters such as unethical or deceptive business practices, violations of laws or regulations, high-profile litigation, or poor financial performance. The assessment of reputation risk should take into account the bank’s culture, the effectiveness of its problem-escalation processes and rapid-response plans, and its deployment of media."

During the Examination

So where does that leave us with the hypothetical bank examiner who wrinkles her nose, or rolls his eyes, or openly opines about the unsavory nature of a customer's business?

Use the opportunity to demonstrate the extent of the bank's due diligence prior to the acquisition of the customer relationship and the risk management controls that have been installed subsequent to the establishment of the relationship.

As a big believer in the effectiveness of basic blocking and tackling, I recommend that you focus on the specific examination policy direction given to field examiners by the bank regulatory agency as it relates to reputation risk.  Use that as a tool to make your case that the reputation risk in a customer relationship is being managed appropriately at your bank.  Examiners are granted lots of scope in exercising their judgement, but they still have to follow their own rules.

So What are the Rules?

This is one area where specific guidance may vary widely among federal bank regulatory agencies, but for illustration purposes, here is the framework with which OCC examiners make their determinations of reputation risk for national banks and federal savings associations.

Those determinations are circumscribed through the use of an illustrative set of Reputation Risk Indicators.  These Reputation Risk Indicators are sorted into low/moderate/high reputation risk buckets.

The Reputation Risk Indicators can be accessed here.

Where the discussion you have with the examiner leads at the end of the day will depend on many factors.  But just having that communication opportunity, and the ability to make your case, is an important step.  And remember, if you feel strongly that the reputation risk of your bank is being inappropriately rated, consider using the examination appeals process.  Ultimately, reasonable arguments will yield reasonable results.