Federal Reserve Board Guidance on Managing Outsourcing Risks Mirrors Recent OCC Guidance

December.11.2013

On December 5, 2013, the Federal Reserve Board (FRB or the Fed) issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (FRB Guidance). The FRB Guidance sets forth risks arising out of the use of service providers and the regulatory expectations relating to risk management programs. It is substantially similar to OCC Bulletin 2013-29, which the Office of the Comptroller of the Currency (OCC) issued on October 30, 2013.

The FRB Guidance supplements existing guidance relating to risks presented by Technology Service Providers (TSPs) to reach service providers that perform a wide range of business functions, including, among other things, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing.

While a complete roadmap of the FRB Guidance would be largely duplicative of our recent Special Alert relating to the OCC Bulletin 2013-29, key supervisory and enforcement themes emerge from a comparison of the two guidance documents. Like the OCC, the Fed signals broadly that failure to effectively manage the use of third-party service providers could “expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.” The Fed also emphasizes the responsibility of the Board of Directors and senior management to provide for the effective management of third-party relationships and activities. It enumerates virtually the same risk categories as the OCC, including compliance, concentration, reputational, operational, country, and legal risks, though its discussion of those risks is slightly less comprehensive.

The FRB Guidance makes clear that service provider risk management programs should focus on outsourced activities that are most impactful to the institution’s financial condition, are critical to ongoing operations, involve sensitive customer information, new products or services, or pose material compliance risk. While the elements comprising the service provider risk management program will vary with the nature of the financial institution’s outsourced activities, the Fed’s view is that effective programs usually will include the following:

Risk assessments: Institutions should evaluate the implications of performing an activity in-house versus having the activity performed by a service provider and also consider whether outsourcing an activity is consistent with the strategic direction and overall business strategy of the organization. This section of the FRB Guidance closely aligns with the section titled “Planning” in OCC Bulletin 2013-29.

Due diligence and selection of service providers: Institutions should address the depth and formality of due diligence of prospective service providers consistent with the scope, complexity, and importance of the planned outsourcing arrangement. The Fed emphasizes processes designed to diligence a potential service provider’s (i) business background, reputation, and strategy; (ii) financial performance and condition; and (iii) operations and internal controls. This section is less detailed, but nonetheless consistent with the section titled “Due Diligence and Third-Party Selection” in OCC Bulletin 2013-29.

Contract provisions and considerations: Service provider contracts should cover certain topics, including, but not limited to: (i) the scope of services covered; (ii) cost and compensation; (iii) right to audit; (iv) performance standards; (v) confidentiality and security of information; (vi) indemnification; (vii) default and termination; (viii) limits on liability; (ix) customer complaints; (x) business resumption and contingency plan of the service provider; and (xi) use of subcontractors. The key provisions noted generally mirror the “Contract Negotiation” section of OCC Bulletin 2013-29.

Incentive compensation review: Institutions should establish an effective process to review and approve any incentive compensation arrangements that may be embedded in service provider contracts to avoid encouraging “imprudent” risk-taking. While OCC Bulletin 2013-29 does not break out incentive compensation as a separate program feature (it is included among factors to be considered in due diligence and selection), it does identify the need for banks to review whether fee structure and incentives would create burdensome upfront fees or result in inappropriate risk-taking by the third party or the bank.

Oversight and monitoring of service providers: Institutions should set forth the processes for measuring performance against contractually-required service levels and key the frequency of performance reviews to the risk profile of the service provider. This section of the FRB Guidance, consistent with the “Ongoing Monitoring” section of OCC Bulletin 2013-29, also recommends the creation of escalation protocols for underperforming service providers and monitoring of service provider financial condition and internal controls, which may also trigger escalation if the service provider’s financial viability or adequacy of its control environment are compromised during the course of the relationship.

Business continuity and contingency plans: Institutions should develop plans that focus on critical services and consider alternative arrangements in the event of an interruption. The Fed specifically notes that financial institutions should: (i) ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products; (ii) assess the adequacy and effectiveness of a service provider’s disaster recovery and business continuity plan and its alignment to their own plan; (iii) document the roles and responsibilities for maintaining and testing the service provider’s business continuity and contingency plans; (iv) test the service provider’s business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness; and (v) maintain an exit strategy, including a pool of comparable service providers. Notably, OCC Bulletin 2013-29 addresses business continuity and contingency plans under third-party risk management, rather than as separate program features.

Finally, the FRB Guidance notes a number of “additional risk considerations” not singled out by OCC Bulletin 2013-29, which cover: (i) confidentiality of Suspicious Activity Report (SAR) reporting functions; (ii) compliance by foreign-based service providers with U.S. laws, regulations, and regulatory guidance; (iii) prohibitions against outsourcing internal audit functions in violation of Sarbanes-Oxley; and (iv) alignment of outsourced model risk management with existing Fed Guidance on Model Risk Management (SR 11-7).

Questions regarding the matters discussed may be directed to any other Orrick attorney with whom you have consulted in the past.

Related Lawyers

Elizabeth McGinn パートナー, Financial & Fintech Advisory, Strategic Advisory and Government Enforcement

Washington DC; New York

See my bio

D:+1 202 349 7968
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory and Government Enforcement
Fintech

vCard

See full bio

Elizabeth McGinn パートナー

Washington DC; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

View Beth's webcasts & speaking engagements, news mentions and publications.

Christopher Witeck パートナー, Financial & Fintech Advisory, Strategic Advisory and Government Enforcement

Washington DC

See my bio

D:+1 202 349 8051
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory and Government Enforcement
Fintech

vCard

See full bio

Christopher Witeck パートナー

Washington DC

Chris has an active practice representing financial services entities in negotiating a wide variety of corporate transactions, including company M&A, asset purchases and critical vendor and other third-party relationships. His clients include banks, mortgage companies and servicers, marketplace and other lenders, fintech and emerging payments providers and other business entities in the financial services industry.

Chris’ M&A work emphasizes transactions that involve regulatory risks and concerns or novel structures at the forefront of industry trends. He also represents buyers and sellers of mortgage loans and other consumer lending assets, including interests such as mortgage servicing rights. He regularly negotiates many varieties of servicing and subservicing contracts.

He also advises clients on outsourcing, joint venture and bank partner agreements, particularly in the fintech and e-commerce arena, providing years of experience addressing “true lender” issues. He also advises clients on loan repurchase and indemnity matters as well as corporate governance and compliance matters.

His regulatory practice focuses on advising lenders and servicers on matters involving the Real Estate Settlement Procedures Act (RESPA), including affiliated business arrangements, portfolio retention transactions and vendor management issues.

Chris is recognized by Chambers USA for Fintech: Payments & Lending, which cited his capabilities “advising on regulatory compliance, commercial contracts matters and transactional work, with notable expertise handling M&A in the financial services sector.”

He was previously Co-Managing Partner and a member of the partner board at Buckley LLP. Before attending law school, he worked at the U.S. Department of State.

Jon Langlois パートナー, Financial & Fintech Advisory, Strategic Advisory and Government Enforcement

Washington DC

See my bio

D:+1 202 349 8045
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory and Government Enforcement
Fintech

vCard

See full bio

Jon Langlois パートナー

Washington DC

He represents banks, nonbanks, fintechs, private equity and other financial services companies in a variety of corporate and transactional matters, particularly those involving residential mortgage and consumer loans, mortgage servicing rights, and servicing and subservicing relationships. He combines practical strategic advice with a deep knowledge of consumer lending and servicing to provide efficient, successful results.

In addition to his transaction practice, Jon assists clients on a wide range of regulatory issues, including compliance with key consumer financial laws, such as the Truth in Lending Act (TILA), Real Estate Settlement Procedures Act (RESPA), Fair Debt Collection Practices Act (FDCPA), unfair, deceptive, or abusive acts and practices (UDAAP), and other consumer protection issues.

Prior to joining Orrick, Jon was a partner at Buckley LLP. While in law school, he was a Legislative Analyst with Wilmer Cutler Pickering Hale and Dorr LLP, and a Government Affairs Representative with the American Financial Services Association.

Jeffrey Naimon パートナー, Financial & Fintech Advisory, Strategic Advisory and Government Enforcement

Washington DC

See my bio

D:+1 202 349 8030
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory and Government Enforcement
Fintech

vCard

See full bio

Jeffrey Naimon パートナー

Washington DC

He defends financial services companies facing complex examination or enforcement matters before the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and federal and state banking regulators, with a focus on fair lending, unfair, deceptive or abusive acts and practices (UDAAP), loan servicing, privacy and credit reporting, debt collection, servicemember protections and other consumer protection issues.

He assists banks and nonbanks (including fintech entities) structure, negotiate and operate a variety of partnerships, outsourcing programs and other third-party arrangements, including performing due diligence, negotiating transactions and advising on ongoing oversight protocols to meet regulatory expectations for third-party arrangements.

Jeff also assists in negotiating acquisition, capital markets and servicing transactions, advising on how best to structure the transaction to reduce risk and expedite deal closure, performing due diligence and assisting in obtaining the necessary change of control and other regulatory approvals.

Jeff is consistently recognized as a leading lawyer in Financial Services Regulation: Consumer Finance (Compliance) in Chambers USA, which praised him for his "extremely high intellect regarding compliance matters and negotiation skills. There's none better at arguing a disputed point." He is also a Fellow of the American College of Consumer Financial Services Lawyers.

He currently serves as the Co-chair of the Professional Development Task Force and previously served as Co-chair (2011-2013) and Co-vice Chair (2008-2010) of the Truth in Lending Subcommittee of the American Bar Association’s Consumer Financial Services Committee and has authored numerous articles on consumer financial services.

Prior to joining Orrick, Jeff was a partner at Buckley LLP.