Risk assessment

Before anything is outsourced, the bank should first determine whether the outsourcing is consistent with its strategic direction and then conduct a cost/benefit assessment. This assessment should include all risks of the outsourcing, starting with: whether there are qualified and experienced vendors to perform the service on an ongoing basis; if the bank will be able to provide the appropriate oversight and monitoring of the vendor going forward;  and what resources are required and what safeguards are in place for disruptive events.

Once these preliminary issues are addressed, additional key risks from outsourcing functions to external vendors should be considered:

• Operational/transactional risk

The ability of the service provider to perform the expected function should be one of the first risks considered. When evaluating this risk, consider the vendor’s infrastructure, resources, training program, employee onboarding, expertise, equipment, facilities, employees and corporate governance. Make sure the vendor can perform the tasks expected without subjecting the bank to undue risks.

• Reputational risk

The  adage “birds of a feather flock together” is not only good advice for people (and birds) but also for a bank choosing its associates. Be mindful that the choice of vendors can reflect directly on how the public and the regulators view the bank. Evaluate how the vendor runs its operations and how those operations could (not will) impact customers. Assess the vendor’s legal and compliance history and its overall reputation. By choosing any given vendor, its reputation becomes part of the bank’s reputation.

• Compliance risk     

Very few people outside the banking industry understand the length, breadth and complexity of the regulatory structure that banks must follow. With any outsourcing, the bank must evaluate the compliance risk in the relationship. In some cases, a vendor may have a direct impact on a bank’s ability to comply with legal and regulatory requirements. For instance, outsourcings involving consumer privacy, consumer protection, information security, record retention, and/or Bank Secrecy Act and Office of Foreign Assets Control should be thoroughly vetted. 

However, in some relationships, the regulatory implications may not be so obvious. Always consider the indirect effect that a relationship could have on compliance. For example, a vendor may not have a direct impact on regulatory compliance (like a vendor that provides disclosures); however,  the vendor may be responsible for providing tools that enable a bank to meet its regulatory obligations. 

• Concentration risk

One noted frequent weakness in vendor management is an over-reliance by some banks on a single vendor for too many operational functions. Without appropriate risk identification and mitigation, certain operations, and possibly even the bank itself, could be jeopardized or impaired by over-reliance on a single service provider, a limited number of service providers or those concentrated in the same geographic location. Always consider what would happen if that vendor or the vendor’s geographic location suffered a catastrophe and how that would affect the bank.

• Strategic risk

Before embarking on any outsourcing, senior management should determine how that outsourcing fits into the bank’s long-term and/or short-term strategy. Once that analysis is done, the outsourcing should be specifically tailored to meet the bank’s business plans. For instance, if the outsourcing is a short-term fix to an immediate problem, the risk inherent could be considerably higher than a long-term relationship with an established partner. A vendor with a limited duration is less likely to be as engaged and as responsive and may be  more willing to compromise on the things that are essential to regulatory compliance and effective vendor management.

• Legal risk

Once perhaps the most overlooked risk in an outsourcing relationship, legal risks have now been recognized as significant by banks who engage third-party service providers. Through numerous examples over the past few years, banks have learned that vendors can do things or fail to do things that get banks in legal trouble. In addition to analyzing legal risks, banks must also consider regulatory implications like data security, Reg E and Reg Z, as well as the rules of payment systems that can result in hefty fines, chargebacks and penalties when vendors fail to meet their obligations. For example, a business that uses recurring debits to a bank account, but is not appropriately capturing, storing or cancelling customer authorizations, can quickly cause a bank to incur substantial fines from NACHA (previously National Automated Clearing House Association) and chargeback demands from other financial institutions.

• Financial risk

Two aspects of financial risk should be considered:

First, evaluate the financial condition of the vendor and whether it will financially be able to perform as agreed. Balance sheets, profit and loss statements, audited financials and public filings are all tools banks can use to evaluate a vendor’s financial health.

Second, consider the financial risk of the outsourcing. How much should the bank be willing to pay and how should payments be structured? For instance, if the bank were to pay 100 percent at contract signing, the bank incurs a much greater risk that paying a vendor after performance.

• Country risk

Many banks will assume that a “country risk” analysis does not apply to them because they do not contract with vendors outside the United States. That may be true, but how many of their vendors have subcontractors located outside the U.S. that are providing part of the services or products to the bank? Many vendors that provide services and products to the banking industry have some components of their operations offshore either subcontracted to foreign companies, domestic companies with foreign operations, or foreign subsidiaries or affiliates. 

Country risk may very well be the most overlooked risk category that the regulators specifically identify. A bank should not only determine if the services or products provided involve offshore operations, affiliates, subsidiaries or contractors but also if any of the vendor’s operations are offshored in any manner. If so, then it is necessary to consider exposure to economic, social and political conditions and events in the foreign country — if those conditions could adversely affect the ability of the vendor to meet the level of service required — and any harm to the bank that may result. 

Of course, this is after a determination is made that the foreign country is not on the list of countries that are prohibited to U.S. banks. If so, then analysis ends, and the vendor should not be used.[2] If the country is not “prohibited” but is under sanctions, careful and thorough legal analysis is required before a contractual relationship is established.

• Credit risk

Finally, one of the most obvious and important risks that a bank should consider is credit risk. This may not be a risk inherent in most vendor relationships, but when the bank is contracting with a third party to originate loans on the bank’s behalf, when the third party solicits or refers customers, engages in or conducts underwriting analysis, or implements product programs for the bank, the credit risks have to be identified and mitigated. It is imperative in those situations that the bank understands the underwriting and credit standards the vendor is applying to those potential bank customers and that those meet the bank’s risk appetite.

At the end of the risk assessment, the bank should be in a position to determine the risk “value” of the outsourcing. The valuation is not just a fiscal or convenience determination but an incorporation of all aspects of the outsourcing risk and mitigation tools. If the value of the risk posed by the outsourcing is within the bank’s established risk profile, the outsourcing can proceed. 

Further, the risk assessment should be revisited and updated as appropriate. Needs change, circumstances change, operations change and as a result a vendor that was  categorized as low risk can suddenly pose a significant risk to the bank.