Pub. 6 2011-2012 Issue 1

www.nebankers.org Extraordinary Service for Extraordinary Members.

COUNSELOR’S CORNER

Outsourcing Management: Legal, Operational & Reputational Risk
Joyce Dixon, Husch Blackwell LLP

Costly lessons have been learned through recent enforcement actions against banks that have violated certain regulatory requirements due to poor oversight of third-party vendors. If a bank insufficiently supervises a third-party vendor engaging in acts that meet the standards for deception—for example, the third party knowingly uses representations or omissions likely to mislead a consumer—the bank could face enforcement action. When appropriately managed, third-party relationships can enhance competitiveness and diversification of goods and services. However, as banks join forces with third-party vendors to perform vital functions, legal, operational, and reputational risks increase.¹

This article first reviews the types of services and arrangements a financial institution may obtain from a vendor and the risks presented, while the balance of the article discusses best practices for managing outsourcing arrangements.

Outsourcing & Associated Risks

Outsourcing is “the transfer of direct managerial responsibility, but not accountability, to unaffiliated, third-party vendors who perform services previously delivered by internal staff and management,” according to the Federal Reserve Bank of New York in “Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks” (http://www.newyorkfed.org/banking/circulars_archive/outsource.pdf).

Banks use third-party vendors to reduce costs, enhance performance, and obtain access to specific expertise. This allows banks to devote their in-house human resources to their core businesses. Examples of outsourcing include audits, compliance reviews, disclosure preparation, information technology, and electronic funds transfer. Banks also use third-party vendors to offer products directly to customers.
While day-to-day management of a product or service can be transferred to a third party, ultimate responsibility for all compliance requirements cannot be delegated and remains with the financial institution.

• Operational Risk

This is the risk that a vendor’s operational system fails to perform properly, which negatively affects the bank’s customers. For example, if a financial institution retains a vendor to determine whether buildings securing the institution’s loans are located in a special flood hazard area for purposes of complying with the flood insurance requirements of Regulation H, and the vendor fails to regularly update its database of special flood hazard areas,
