Pub. 6 2011-2012 Issue 1

www.nebankers.org 14 Extraordinary Service for Extraordinary Members.

Outsourcing Management — continued

which time business needs and environments may change significantly and in unanticipated ways. If business needs change because of intervening events, “there is a risk that financial institutions may be locked into agreements that reflect outdated business realities. The contractual basis of outsourcing coupled with this intrinsic business uncertainty contributes to legal risk,” as stated in the Federal Reserve Bank of New York’s “Outsourcing Financial Services Activities” circular.

• Reputational Risk

A vendor’s noncompliance with consumer protection laws creates reputational risk for the bank, including the possibility of a public enforcement action by the bank’s regulators, class action lawsuits, and negative publicity.

Mitigating the Risk

Banks that outsource a service or product must adopt appropriate controls, policies and procedures, and oversight to mitigate outsourcing risks effectively. According to the Fed’s “Outsourcing Financial Services Activities” circular, banks should focus on four key areas for effective risk mitigation: vendor selection, vendor agreement, vendor management and monitoring, and contingency planning.

• Vendor Selection

Conducting proper due diligence in selecting a vendor is a critical aspect of vendor risk management. Banks should assess each prospective vendor’s technical capabilities, managerial skills, financial viability, familiarity with the financial services industry, and capacity to keep pace with innovation. Even if the vendor selected is itself a financial institution, the bank should still perform appropriate due diligence on that institution.

• Vendor Agreement

The contract between the bank and the vendor is another key factor in mitigating risk, as it dictates the legally binding terms and conditions. Since every aspect of the contractual relationship is governed by the agreement, the expectations of both sides should be clearly expressed in a formal, executed contract. Of particular importance in these contracts is a clear delineation of which party is responsible for regulatory compliance. In addition, banks should ensure that each vendor expressly commits to comply with the privacy and security requirements imposed on banks handling confidential customer data. The contract should give the bank full indemnity for any breach by the vendor of its obligations. However, many third-party vendors seek to limit their liability to a portion of the fees they receive. Such caps are generally inadequate to cover a bank’s possible losses from a non-
