Regulatory Guidance on Third-Party Relationship Management— More Than a Restatement

Copyright 2014 by Ballard Spahr LLP

January 9, 2014

Glen P. Trudel Consumer Financial Services 302.252.4464 trudelg@ballardspahr.com

Christopher J. Willis Consumer Financial Services 678.420.9436 willisc@ballardspahr.com

Alan S. Kaplinsky, Practice Leader Consumer Financial Services 215.864.8544 kaplinsky@ballardspahr.com

Keith R. Fisher Consumer Financial Services 202.661.2284 fisherk@ballardspahr.com

John L. Culhane, Jr. Consumer Financial Services 215.864.8535 culhane@ballardspahr.com

2

Resources

CFPB Monitor

Subscribe to Ballard Spahr’s ABA award-winning blog at www.CFPBMonitor.com.

E-Alerts

Subscribe at www.ballardspahr.com (click “subscribe” and indicate your areas of interest)

Mortgage Banking Update

Subscribe at www.ballardspahr.com (click “subscribe” and choose Mortgage Banking as your area of interest)

Questions? E-mail questions@ballardspahr.com.

3

Upcoming Webinars

ICANN's Expansion of Web Suffixes May Create .Concern: Strategies for Protecting Brands and Enhancing Data Security

January 13

OCC Bulletin: Use and Review of Independent Consultants in Enforcement Actions—Guidance for Bankers

January 15

Understanding the CFPB’s Defense Strategy on Military Lending February 6

Reputational Risk: What it Means to the OCC, FDIC and Fed and What Banks Need to do About It

February 11

CFPB Credit Card Report February 13

Dos and Don’ts of Advertising Prepaid Cards and Deposits February 18

AML Update March 4

CFPB and Financial Literacy March 11

Register for upcoming webinars at www.ballardspahr.com or by e-mailing questions@ballardspahr.com. Request materials from past webinars by e-mailing questions@ballardspahr.com.

4

Your Presenters

Alan S. Kaplinsky John L. Culhane, Jr. Keith R. Fisher

Glen P. Trudel Christopher J. Willis

5

Managing Third-Party Risk The Bank Regulators Focus on Third-Party Relationships (“3PRs”)

6

Potential Risks from 3PRs

• Strategic Risk

• Reputational Risk

• Operational Risk

• Transaction Risk

• Credit Risk

• Compliance Risk

• Others (depends on the nature of the 3PR)

7

Risk Management Process (RMP)

• Risk Assessment

• Due Diligence in Selecting the 3P

• Contractual Terms and Review - Especially important with foreign 3PRs

• Ongoing Performance Monitoring - Contingency plans for termination of the 3PR

• Regulatory Oversight

• Documentation and Reporting

• Periodic independent review/audit of the 3PR RMP

8

Core Tenets of 3PR Risk Management

• Ultimate responsibility for risk management lies with the board of directors and senior management - Use of indemnity agreements with 3PRs to mitigate risk

inadequate to insulate the board and management from that responsibility

• 3PRs only a part of IDI’s overall risk management program

• Defining what constitutes a 3PR - Includes all entities – affiliated or unaffiliated, bank or nonbank,

domestic or foreign -- that have entered into a business relationship with the IDI

- Significant 3PRs: new products, critical activities, shared services

9

OCC’s New Program of “Heightened Expectations”

Comptroller Curry’s 9/23/13 Speech at American Banker Regulatory Symposium & Bull. 2013-29

10

Comptroller Curry’s Speech

• Announces new program of “heightened expectations” for large banks - Strong internal controls and audit functions (“satisfactory”

ratings will no longer be acceptable!)

- “Significant engagement” by the directors, including the knowledge and focus to present a “credible challenge” to management

• Expectation that large institutions will have a “rigorous process” in place to attract and retain the kind of talent needed to manage the business in a safe and sound manner

• “Heightened expectations” program will be formalized in Part 30 regulations

11

Bulletin 2013-29

• Stresses integration of 3PR risk management into an IDI’s strategic goals and risk appetite

• Expectations for IDIs in connection with each 3PR

• 3PRs involving “critical activities”

• Expectation that 3Ps will, by virtue of doing business with the IDI, be subject to OCC examination and oversight

12

Trickle-Down Regulation

• Recall that Comptroller Curry’s Speech Envisioned “heightened expectations” only for large banks

• Bulletin 2013-29 applies to ALL national banks and federal thrifts

• Bulletin 2013-29 conspicuously notes its applicability to community banks!

• Potential competitive consequences vis-à-vis state nonmember banks?

13

New Federal Reserve Guidance Managing Outsourcing Risk

14

Highlights • Applies to all Fed-supervised entities of all sizes

• Builds upon prior guidance, recognizes the same stages of managing 3PRs and agrees that 3PR risk management should be commensurate with the significance and/or the complexity of the 3PR (“service provider” in Fed terminology)

• Less onerous than OCC approach - Recognizes the appropriateness of a “Fed Lite” approach for

community banks that have relatively few 3PRs and the service providers in question are highly reputable

- Does not expressly contemplate Fed oversight or supervision of the service providers themselves

15

Special Considerations for Certain 3PRs

16

Requirements for Critical Activities

• “Critical Activities” require heightened action and diligence

• Determination comes down to level of dependency and potential customer impact

• Management Plan--seen as “necessary” vs. a “should” have

• Due Diligence-- “more extensive” due diligence deemed necessary but no detail on what qualifies as “more extensive”

• Financial Condition--Assessment of third party’s financial condition likely will be as if extending credit to them

• Contract Negotiation—Board approval of contracts needed before execution; periodic review encouraged, to ensure pertinent risk controls and legal protections addressed

17

Requirements for Critical Activities

• Ongoing Monitoring—More comprehensive standard of monitoring is expected for critical activity 3PRs, as well as for those existing 3PR relationships later deemed as critical activity relationships

• Oversight—Board is required to be more directly engaged

• Suggested that for critical 3PRs, a senior officer be appointed

• Documentation and Reporting—calls for maintaining an inventory of all 3PRs, but clearly identifying critical activity 3PRs

• Independent Reviews—emphasis on conducting periodic independent reviews of the risk management process for critical 3PRs, using an internal auditor/independent third party

18

Foreign-Based Service Providers

• Additional guidance on managing risks of foreign based service providers (“FSP”) available

• “Country risk”

• Due diligence should evaluate potential impact of foreign law, legal environment, local practices, accounting standards, and likely affects of adverse foreign economic change

• Have appropriate contingency plans/exit strategies; access to critical information, service continuity/resumption often the key concerns

• Use of a FSP cannot inhibit an FI’s ability to comply with US law—accessibility/retention of information and regulator access

19

Foreign-Based Service Providers

• Agreements should provide that all information shared by an FI with the FSP remains the sole property of the FI, regardless of how or where stored, processed, copied, etc.

• Choice of Law/Jurisdictional Covenants

• Enforceability may be an issue if foreign law is determined as governing

• National sanctions and embargos, and restrictions on commercial exportation of encryption

• Undisclosed FSP subcontracting arrangements

20

So What’s New And What Do These Changes Portend?

21

Comparison with Prior OCC Guidance

• Defines 3PR broadly, to include affiliates, subsidiaries and other banks (plus consultants)

• Makes clear that management of 4PR (subcontractors) is also required (but does not address 5PR, etc.)

• Requires appropriate action throughout the risk management “life cycle”

• Identifies the “critical activities” that call for heightened scrutiny

• Seems to hold community banks to the same standards as all other banks

22

Comparison with Prior FRB Guidance • Defines 3PR broadly, to include affiliates, other banks,

and foreign entities (plus consultants)

• Extends requirements beyond the technology services realm

• Emphasizes responsibility for activities performed by service providers

• Greater focus on risks from incentive compensation arrangements

• More specific direction as to handling and reporting of complaints

23

Implications of the Guidance

• The federal banking regulators continue to have service provider oversight and management very clearly in their sights

• All significant third party relationships must be assessed for risks of all kinds, both at the outset and throughout the relationship

• Auditing, monitoring and reporting structures need to be in place for all significant third parties

24

Implications (continued)

• Contract terms should be structured around these regulatory requirements.

• All oversight and monitoring activities should be documented

• Specific inquiries should be made into the highest risk areas of a service provider’s operations

• For those areas, in-depth review of policies, procedures, training materials, process flows and the like may be warranted

25

Thank you for joining us!

Glen P. Trudel Consumer Financial Services 302.252.4464 trudelg@ballardspahr.com

Christopher J. Willis Consumer Financial Services 678.420.9436 willisc@ballardspahr.com

Alan S. Kaplinsky, Practice Leader Consumer Financial Services 215.864.8544 kaplinsky@ballardspahr.com

Keith R. Fisher Consumer Financial Services 202.661.2284 fisherk@ballardspahr.com hr.com

John L. Culhane, Jr. Consumer Financial Services 215.864.8535 culhane@ballardspahr.com

26

Moderator – Alan S. Kaplinsky

• Practice Leader of the Consumer Financial Services Group at Ballard Spahr

• Devotes his practice to counseling financial institutions with respect to bank regulatory and transactional matters and defending them in individual and class action lawsuits (including CFPB investigations and government enforcement matters)

• First President of the American College of Consumer Financial Services Lawyers

• Former Chair of the American Bar Association Committee on Consumer Financial Services of the Business Law Section

• Co-Chair of the Practising Law Institute's Annual Consumer Financial Services Institute, now on its 18th year

• Has been named as a tier one banking and consumer financial services lawyer in the 2006 through 2013 editions of Chambers USA

• Has been named in The Best Lawyers in America under financial services regulation law and banking and finance litigation from 2007 to 2013

• Named the 2012 Philadelphia Lawyer of the Year for Litigation-Banking & Finance

27

Panelist – John L. Culhane, Jr.

• Partner at Ballard Spahr and a member of the firm’s Consumer Financial Services, Higher Education, Mortgage Banking, and Bank Regulation and Supervision Groups as well as the firm’s Fair Lending Task Force

• Compliance practice emphasizes counseling clients on the development and implementation of innovative loan, leasing, and payment programs, and includes counseling on fair lending, servicing and collection issues

• Regulatory practice includes preparing clients for banking agency and CFPB targeted and full spectrum compliance examinations as well as assisting in the defense of consumer class actions, attorney general investigations, and agency enforcement actions

• Charter member of the American College of Consumer Financial Services Lawyers

• Former Chair of the Subcommittee on Fair Lending of the ABA Committee on Consumer Financial Services

28

Panelist – Keith R. Fisher

• Of Counsel in the Business and Finance Department and a member of the Consumer Financial Services, Bank Regulatory and Supervision, and Mortgage Banking Groups

• Practice focuses on financial regulatory work, mergers and acquisitions, and appellate work, especially Supreme Court practice

• Recently worked as a consultant advising on a variety of ethics, business, and regulatory projects, including federal banking law compliance

• He has taught law school courses in banking law, payment systems, anti-money laundering, international banking and finance, and legal ethics

• Has substantial experience in U.S. Supreme Court practice arising from his work with former colleagues E. Barrett Prettyman, Jr., and John Roberts, now Chief Justice

29

Panelist – Glen P. Trudel

• Partner at Ballard Spahr and a member of the firm's Consumer Financial Services, Bank Regulation and Supervision, and Transactional Finance Groups

• Counsels financial institutions on both regulatory and transactional matters • Has significant experience in the acquisition and divestiture of credit card and other

financial portfolios, and charged-off debt sales agreements • Advises state and federal banking entities on operational and outsourcing matters, and

on formation and licensing issues in Delaware • Handles affinity/co-brand/joint marketing agreements, assists clients in the structure

and documentation of new credit products, and handles traditional corporate and contractual matters, including Delaware law opinions

• Formerly a Senior Vice President and Counsel with MBNA America Bank, N.A. (now part of Bank of America), where he advised on an extensive variety of general purpose and private label credit card/unsecured lending, deposit, and other bank regulatory matters

30

Panelist – Christopher J. Willis

• Partner at Ballard Spahr and a member of the firm’s Consumer Financial Services and Mortgage Banking Groups

• Counsels financial institutions on regulatory matters, advises them on compliance with consumer financial services laws, and defends them in both individual and class action lawsuits, as well as governmental enforcement actions (including CFPB investigations)

• Chairs the firm’s Fair Lending Task Force and Collection Documentation Task Force

• Named in The Best Lawyers in America for banking and finance litigation and commercial litigation for 2013

• Frequent author and speaker on issues relating to consumer financial services regulation and litigation