Pub. 6 2011-2012 Issue 1

May/June 2011

complying vendor. Thus, this indemnification should not be restricted by such limitations of liability or the caps on such limitation should be set at an amount more appropriate for the risk. Banks should engage experienced counsel to ensure that their interests are protected and potential contingencies are considered, such as the potential effect of regulatory changes on the vendor’s obligations and performance.

• Vendor Management & Monitoring

After the vendor has been selected and the agreement is negotiated and executed, managing and monitoring the relationship becomes paramount. Senior management of the bank should be involved in approving policies and procedures to monitor the vendor’s performance and activities. Such policies and procedures should include: confirming that the vendor is complying with applicable consumer protection laws, monitoring the vendor’s financial condition, assessing compliance with the terms of the contract, reviewing any customer complaints relating to the vendor’s services, and periodically meeting with the vendor to review all issues relating to the services.

• Contingency Planning

While outsourcing can be beneficial, it creates the risk that a disruption of the vendor’s operations will affect the bank for the services the vendor provides. To mitigate this risk, banks must verify that the vendor has a prudent business recovery plan in place that is reviewed during the vendor selection due diligence process and on an ongoing basis.
More important than the vendor’s business recovery plan, the bank must establish a contingency plan to address the risk that the vendor does not perform satisfactorily: “In the face of unsatisfactory responsiveness, an institution’s options include changing service providers, returning the activity to the institution, or sometimes even exiting the business,” states the Fed in “Outsourcing Financial Services Activities.” These contingency options are costly and problematic, and are typically taken only as a last measure after the bank has first made reasonable efforts to resolve the issues with the vendor. Another measure to mitigate the risk of unsatisfactory performance is to start the vendor with a small contract to test its performance before outsourcing the entire function. If the vendor performs satisfactorily during the test period, the contract can be expanded to outsource the entire function.

What This Means to You

Outsourcing is a valuable strategic tool that enables banks to focus on core competencies by shifting direct operational responsibilities to the vendor. However, when a bank outsources a function subject to consumer compliance requirements, the ultimate responsibility for compliance cannot be delegated and remains with the bank. Whether outsourcing results in an increase or decrease in the overall risk profile of an institution will depend on the significance of the outsourced activity, the effectiveness of controls over outsourcing risk, and the strength of the vendor. If not properly managed, outsourcing can increase an institution’s overall operational, legal, and reputational risk, and ultimately lead to unintended credit exposures and business expenses, or other types of losses.

The financial institution successfully monitoring its consumer compliance should specifically tailor its approach to the third party with which it has a relationship (this includes actively managing the relationship during the term of the engagement).
This process begins with selecting a good vendor whose skills and competencies match up well with the bank’s needs. Banks must exercise due diligence throughout the vendor-selection process, and should be mindful that signing a contract with a vendor is not the end of the process but rather the point at which risk mitigation begins.

1 The FDIC recently examined how banks have used third-party vendors to roll out new and innovative products and services during the current economic challenges. In the Supervisory Insights Winter 2010 newsletter, the FDIC released its findings revealing that financial institutions are increasingly relying on third-party vendors. Specifically, more than 60 percent of credit card programs that financial institutions offer are the assets of third parties. Additionally, of the 19 percent of financial institutions surveyed that offered stored-value cards, 94 percent involved a third-party service provider.

For more information, contact Joyce Dixon or Jeff Makovicka at Husch Blackwell LLP at (402) 964-5000 or joyce.dixon@huschblackwell.com / jeff.makovicka@huschblackwell.com. Both Dixon and Makovicka assist banks with regulatory compliance matters and the creation and implementation of new products.
