Banks and other companies in the financial services sector are increasingly delivering products and services through arrangements with 3rd party companies.
As with many industries, 3rd parties are essential to expand the range of product offerings, deliver specific products, provide a competitive advantage and manage costs and available resources. 3rd party arrangements, as in any industry sector, also present risks. Failure to manage these risks can expose a financial institution to regulatory action, financial loss, litigation, and reputational damage, and may even impair the institution’s ability to establish new or service existing customer relationships.
The financial crisis of 2007–2010 led to widespread calls for changes in the regulatory system and an environment with an expectation of zero tolerance. This increasing regulatory oversight has significantly increased requirements for the management of 3rd party compliance. While the requirements of specific regulations and regulators may differ, the message regarding 3rd party management remains consistent:
- Financial organizations cannot outsource risk or regulatory obligations;
- The board of directors and management are responsible for ensuring that all 3rd party activity is conducted in compliance with applicable laws;
- Companies need to oversee 3rd party relationships as they would any other division of their own institutions.
Hiperos Usage in the Financial Services Sector
Implemented by banks, insurance companies, credit card companies and other financial services organizations worldwide, Hiperos is the leading SaaS solution for managing 3rd parties for the financial services industry. Hiperos has developed best practice-based processes that ensure 3rd party compliance and appropriate preparedness for regulator examinations. These include proven solutions for risk, compliance, performance, training and incident management.
Hiperos 3PM is designed to help organizations in the financial services sector manage 3rd parties and 3rd party risk and compliance in general, as well as address specific regulations. Hiperos has developed a number of solutions that can be implemented separately or together to help an organization manage its 3rd parties in compliance with a number of industry-specific regulations including:
Board of Governors of the Federal Reserve System (FRB)
- Interagency Guidelines
Consumer Financial Protection Bureau (CFPB)
- CFPB Bulletin 2012-03
Dodd-Frank Wall Street Reform and Consumer Protection Act
Federal Deposit Insurance Corporation (FDIC)
- FIL-44-2008 Guidance for Managing Third-Party Risk
- FIL-49-99: Bank Service Company Act
- FIL-81-2000: Risk Management of Technology
- FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing Information Documents
- FDIC FIL-23-2002: Country Risk
- FDIC FIL: “Guidance Concerning Bank Use of Foreign-Based Third-Party Service Providers.”
Federal Financial Institutions Examination Council (FFIEC)
- Risk Management of Outsourced Technology Services
- FFIEC Update of “Information Technology Outsourcing Booklet.”
Federal Reserve Board
- SR 00-4 (SUP), Outsourcing of Information and Transaction Processing
- SR 00-17 (SPE) Guidance on the Risk Management of Outsourced Technology Services
- FRBNY White Paper: “Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks”
Foreign Account Tax Compliance Act (FATCA)
- SSAE 16
National Credit Union Association (NCUA)
- NCUA Letter to Credit Unions No. 02-CU-17
- NCUA Letter to Credit Unions No. 01-CU-20
- NCUA Letter to Credit Unions No. 00-CU-11
Office of the Comptroller of the Currency (OCC)
- OCC Bulletin 2002-16: Use of Foreign 3rd Party Providers
- OCC Bulletin 2002-10: Country Risk
- OCC Bulletin 2001-8: Guidelines Establishing Standards for Safeguarding Customer Information
- OCC Bulletin 2001-47: Third-Party Relationships
- OCC Bulletin 2000-21: Privacy of Consumer Financial Info
- OCC White Paper: “Cross-Border Outsourcing and Risk Management”
Office of Thrift Supervision (THRIFT)
- Thrift Bulletin 82: Third-Party Arrangements
- CEO Letter 113: Internal
- CEO Letter 133: Risk Management of Technology
- Thrift Activities Handbook: Section 340, Internal Control Program.
- Thrift Activities Handbook: Section 341, Technology Risk Controls.