ABA Banking Journal - September 2008 - (Page 54)
Compliance Clinic

When you face risk from actions others take in your name

FDIC’s recent “FIL” on third parties underscores need for care in handling bank functions through contractors

Risk management has been a banking mantra for some time. But what we mean by the term evolves constantly. There was a time when a bank risk manager handled purchasing risk and hazard insurance. Now, the term “risk manager” means something quite different—and much more complex.

Risk management now means making as certain as possible that things go right—within a realistic framework. Risk management means that the institution should have an active program for assessing, predicting, measuring, and controlling risk in ways that are appropriate for the organization.

An excellent case in point is the old way of managing risk with vendors and other third parties, which was to transfer the risk by contract. A contract included a clause that provided that if the vendor made a mistake, the vendor would be liable, and then the contract went into the file.

Those methods will no longer work. Risks presented by third parties cannot be fully contracted away. No matter who made the error and who pays for it, the bank’s reputation is the reputation at stake. For this reason, third party risk has taken new importance.

FDIC’s guidance underscores shift

In June 2008, FDIC issued FIL-44-2008, “Guidance for Managing Third Party Risk.” The guidance provides a roadmap for banks that work with or through third parties for systems or products. FDIC identified four key areas that should be included in a program to manage third-party risk: risk assessment, due diligence, contract provisions, and oversight. While none of these elements are new to bankers, there are some special expectations for managing third parties.
The guidance advises institutions to actively risk-manage any third party that is new to the organization; that provides or supports a product that is new to the organization; or that performs a critical core function. FDIC will look at the third-party performance as though it were performed by the institution itself. In short, contracting out doesn’t get it out from under the concerned eyes of regulators.

By Lucy Griffin, president, Compliance Resources, Inc., Reston, Va., email@example.com. Contributing Editor Griffin has worked in three regulatory agencies and with ABA, and has consulted on compliance matters since 1993.

Perhaps the most important principle for institutions to keep in mind during vendor interactions is that the institution is the customer—and the customer is always right. Don’t let the vendor tell you that what you need cannot be done. And never let the vendor tell you that none of the other system users want it! If the vendor cannot or will not provide the service that you need, take your business elsewhere.

As with most of the recent regulatory guidance, this one stresses management and board involvement, stating that use of third parties “in no way diminishes the responsibility” of either. In fact, using third parties can create an additional responsibility: monitoring the performance of the third party.

Proceeding with a risk focus

In light of FDIC’s letter, your bank may want to rethink the way it goes about engaging and using vendors and other third parties. The first step in a risk management program assessment is to determine whether using a vendor, or offering a product that would require a vendor, is consistent with the bank’s strate