Categories
Financial Institutions and Banking

Should your bank use third-party vendors?

In the uncertain economy resulting from the COVID-19 pandemic, community banks continue to streamline operations, improve efficiency and eliminate waste so that they can survive — and thrive. To help in this process, they’re increasingly turning to outside vendors to provide specialized services beyond the bank’s usual offerings. If your bank uses third-party vendors, though, you need to be aware of the ins and outs.

Evaluate liability

Outsourcing to a third party doesn’t relieve a bank from responsibility and legal liability for compliance or consumer protection issues. And as banks and vendors increasingly rely on evolving technologies to deliver products and services, their exposure to ever-changing cybersecurity risks demands constant vigilance.

Even if you have a solid vendor risk management program in place, you’ll need to review it periodically. Banking regulators expect your program to be “risk-based” — that is, the level of oversight and controls should be commensurate with the level of risk an outsourcing activity entails. But here’s an important caveat: That risk can change over time. Some vendors, such as appraisal and loan collection companies, have traditionally been viewed as relatively low risk. But in today’s increasingly cloud-based world, any vendor with access to your IT network or sensitive nonpublic customer data poses a substantial risk.

Assess risk

Here are some ways to review your vendor risk management program:

Conduct a risk assessment. Determine whether outsourcing a particular activity is consistent with your strategic plan. Evaluate the benefits and risks of outsourcing that activity as well as the service provider risk. This assessment should be updated periodically.

Generally, examiners expect a bank’s vendor management policies to be appropriate in light of the institution’s size and complexity. They also expect more rigorous oversight of critical activities, such as payments, clearing, settlements, custody, IT or other activities that could have a significant impact on customers — or could cause significant harm to the bank if the vendor fails to perform.

Thoroughly vet your service providers. Review each provider’s business background, reputation and strategy, financial performance, operations, and internal controls. The depth and formality of due diligence depends on the risks associated with the outsourcing relationship and your familiarity with the vendor. If your agreement allows the provider to outsource some or all of its services to subcontractors, be sure that the provider has properly vetted each subcontractor. The same contractual provisions must apply to subcontractors, and the provider should be contractually accountable for the subcontractor’s services.

Diversify vendors. Using a single vendor may provide cost savings and simplify the oversight process, but diversification of vendors can significantly reduce your outsourcing risks, particularly if a vendor has an especially long disaster recovery timeframe.

Ensure contracts clearly define the parties’ rights and responsibilities. In addition to costs, deliverables, service levels, termination, dispute resolution and other terms of the outsourcing relationship, key provisions include compliance with applicable laws, regulations and regulatory guidance; information security; cybersecurity; ability to subcontract services; right to audit; establishment and monitoring of performance standards; confidentiality (in the case of access to sensitive information); ownership of intellectual property; insurance, indemnification and business continuity; and disaster recovery.

Review vendors’ disaster recovery and business continuity plans. Be sure that these plans align with your own and are reviewed at least annually, and that vendors have the ability to implement their plans if necessary.

Monitor vendor performance. Monitor vendors to ensure they’re delivering the expected quality and quantity of services and to assess their financial strength and security controls. It’s particularly important to closely monitor and control external network connections, given the potential cybersecurity risks.

Conduct independent reviews. Banking regulators recommend periodic independent reviews of your risk management processes to help you assess whether they align with the bank’s strategy and effectively manage risks posed by third-party relationships. The frequency of these reviews depends on the vendor’s risk-level assessment, and they may be conducted by the bank’s internal auditor or an independent third party. The results should be reported to the board of directors.

Stay aware

Having a robust vendor risk management program in place at your bank is the key to benefiting from vendors’ specialized skills and abilities while avoiding legal and regulatory problems. We can help you stay on top of the latest regulations and rules pertaining to third-party vendor use.

©2021


5 Tips for Fair Lending Compliance

Community banks need to develop and follow fair lending practices; providing customers with nondiscriminatory access to credit is, of course, the right thing to do. What’s more, violations of fair lending laws and regulations can result in costly litigation and enforcement actions, hefty monetary penalties and serious reputational damage.

What are the laws?

The two primary fair lending laws are the Fair Housing Act (FHA) and the Equal Credit Opportunity Act (ECOA). The FHA prohibits discrimination in residential real estate-related transactions based on race or color, national origin, religion, sex, familial status (for example, households with one or more children under 18, pregnant women, or people in the process of adopting or otherwise gaining custody of a child), or handicap.

Similarly, the ECOA prohibits discrimination in credit transactions based on race or color, national origin, religion, sex, marital status, age (assuming the applicant has the capacity to contract), an applicant’s receipt of income from a public assistance program, or an applicant’s good faith exercise of his or her rights under the Consumer Credit Protection Act.

The Home Mortgage Disclosure Act (HMDA) requires certain lenders to report information about mortgage loan activity, including the race, ethnicity and sex of applicants. Finally, the Community Reinvestment Act (CRA) provides incentives for banks to help meet their communities’ credit needs.

How can you comply?

Here are five tips for developing an effective compliance program:

  1. Conduct a risk assessment. Conduct a thorough assessment to identify your bank’s fair lending risks based on its size, location, customer demographics, product and service mix, and other factors. This assessment can pinpoint the bank’s most significant risks. It also can reveal weaknesses in the bank’s credit policies and procedures and other aspects of its credit operations. It’s particularly important to examine the bank’s management of risks associated with third parties, such as appraisers, aggregators, brokers and loan originators.
  2. Develop a written policy. A comprehensive written fair lending policy is key to help minimize your bank’s risks. And by demonstrating your commitment to fair lending, this document can go a long way toward mitigating the bank’s liability in the event of a violation. The policy should cover all of the bank’s products, services and credit operations and provide details about which practices are permissible and which aren’t.
  3. Analyze your data. Analyzing data about your lending and other credit decisions is important for two reasons: First, it’s the only way to determine whether disparities in access to credit exist for members of the various protected classes. These disparities don’t necessarily signal that unlawful discrimination is taking place — but gathering this data is the only way to make this determination.

Second, lending discrimination isn’t limited to disparate treatment of protected classes. Banks are potentially liable under the FHA and ECOA if their lending practices have a disparate impact on protected classes. For example, a policy of not making single-family mortgage loans under a specified dollar amount may disproportionately exclude certain low-income groups, even though the policy applies equally to all loan applicants. Banks can defend themselves against allegations of discrimination based on disparate impact by showing that the policy was justified by business necessity and that there was no alternative practice for achieving the same business objective without a disparate impact.

  4. Provide compliance training. Even the most thorough, well-designed policy won’t be worth the paper it’s printed on unless you provide fair lending compliance training for bank directors, management and all other relevant employees (and evaluate its effectiveness). Indeed, lack of training is a red flag for bank examiners. (See “Discrimination risk factors” at X.)
  5. Monitor compliance. You’ll need to monitor your bank’s compliance with fair lending laws and promptly address any violations or red flags you discover. You can do this by, among other things, performing regular data analysis, monitoring and managing consumer complaints, keeping an eye on third-party vendors, and conducting periodic independent audits of your compliance program (by your internal audit team or an outside consultant).

Reduce your risk

Fair lending laws are complex, and guidance can sometimes be ambiguous. Although a full discussion of the subject is beyond the scope of this article, the five tips outlined here are a good start in helping you evaluate the effectiveness of your fair lending compliance program.

Sidebar: Discrimination risk factors

A useful source of guidance on fair lending compliance is the Interagency Fair Lending Examination Procedures used by federal financial agencies. Among other things, the guidelines list the following compliance program discrimination risk factors:

  • Overall compliance record is weak,
  • Legally required monitoring information is nonexistent or incomplete,
  • Data or recordkeeping problems compromise the reliability of previous examination reviews,
  • Fair lending problems were previously found in one or more products or subsidiaries, and
  • The bank hasn’t updated compliance policies and procedures to reflect changes in law or in agency guidance.

If any of these problems are present in your institution, it’s important to rectify them as soon as possible. That way, you’ll avoid penalties and at the same time contribute to fair lending practices.
