Several months ago I had the pleasure of co-presenting on a webinar with Jack Holzknecht, who is the CEO of Compliance Resources, LLC , discussing lessons learned from Federal Reserve Board’s issuance of a consent order against Community Trust Bank, Inc. located in Pikeville, KY, which required the bank to pay approximately $4.75 million in restitution to approximately 11,000 affected consumer.
Since the webinar, I still get questions from peers in the industry on how to effective monitor vendor relationships in which the vendor is providing direct or indirect services to bank customers.
The following is a brief summary of actions to reduce the likelihood of problems related to offering third party products.
A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
An effective risk management process throughout the life cycle of the relationship includes
plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party;
proper due diligence in selecting a third party;
written contracts that outline the rights and responsibilities of all parties;
ongoing monitoring of the third party’s activities and performance;
contingency plans for terminating the relationship in an effective manner;
clear roles and responsibilities for overseeing and managing the relationship and risk management process;
Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management; and
Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.
These may differ from bank to bank, vendor to vendor, yet you have a road map to more effectively manage the risk of a third party relationship.