Financial Services organizations face increasing pressure to demonstrate oversight and transparency into their third-party supplier relationships. Following the global financial crisis of 2008, regulatory agencies have introduced strict new requirements and significantly tightened enforcement of existing standards. At the same time, banks have steadily expanded the number, type and complexity of third-party relationships in efforts to control operating expenses and add new sources of revenue.
As a result, banks today find themselves out on a precarious limb – they face increasingly rigorous scrutiny of their third-party relationships, precisely at a time when they are more reliant than ever on complex third-party relationships. Banks must demonstrate effective and consistent compliance processes and ensure ongoing compliance monitoring that includes clear documentation and evidence capture. Ultimately, if a breach occurs at any point in the service delivery chain, the bank is liable.
Providers who can demonstrate the ability to implement and manage compliant solutions stand to gain a significant competitive edge. The trouble is, while both offshore and nearshore providers are typically able to tick off the table stakes boxes of “compliance readiness,” they generally fall short at effectively managing all the information associated with performing due diligence at the outset of an agreement and on an ongoing basis through the life of the contract.
The ability to demonstrate and articulate efficient processes and methodologies for responding to increased due diligence demands from Financial Services clients can represent a significant competitive edge. For providers with LATAM operations, advanced compliance capabilities, along with established linguistic, geographic and time-zone advantages, could be a key differentiator.
The Regulatory Landscape
As recently as a year ago, banks were still struggling to understand what was required of them – regulations were constantly evolving and it simply wasn’t clear what was expected. Today, significant progress is being made in terms of understanding the specifics of the regulatory requirements. Based on this understanding, banks have been able to define clear policies around how service delivery needs to be structured, areas of responsibility and what compliance information has to be collected and managed.
The next step – and current challenge – is to convert that understanding of policies into rigorous and sustainable processes that operate seamlessly and consistently across a number of functional entities. From the client’s perspective, the compliance oversight of any given third-party provider involves sourcing, procurement, legal, finance, contracting, IT, vendor and risk management and often multiple business units – groups with widely varying priorities and areas of responsibility.
Ensuring collaboration across these myriad entities requires putting communication frameworks and governance mechanisms in place to clearly define areas of responsibility and ownership, specify what needs to get done (when and by whom), ensure the right people are in place within each function, and then establish and maintain the necessary flows within and across the disparate parties involved.
In addition to establishing and maintaining communication across multiple business units within the client organization, the compliance function must coordinate activity and ensure collaboration among the multiple service providers across the delivery chain that are involved in managing business processes, handling data and engaging with each other across a variety of touch points.
Increasingly, top-performing enterprises are establishing a Vendor Management Office (VMO) to facilitate communication and transparency among the myriad buy- and sell-side entities involved in compliance oversight. Uniquely positioned to operate across organizational and functional boundaries, the VMO can help establish a sound compliance framework, manage multiple touch points, ensure coordination across disparate teams, and maintain process discipline over the long term.
The Provider Perspective
In this context, a service provider that can work effectively with the client organization, VMO and other entities to ensure compliance oversight stands to gain a significant competitive edge. In general, a service provider’s ability to be a “team player” can be an important differentiator given the increasing importance of complex multi-vendor service delivery models. That advantage is particularly important given the high stakes of regulatory compliance in the financial services sector.
More specifically, providers can take steps to help client organizations address the detailed action items laid out in each phase of the Office of the Comptroller of the Currency’s (OCC) guidelines on regulatory compliance. The OCC standard describes requirements for managing third-party relationships from the time they are contemplated to the time they are dissolved. The phases are defined as follows:
- Due Diligence
- Contract Negotiation
- Ongoing Monitoring
Each phase involves specific requirements and presents unique challenges. During the planning phase, for example, the OCC requires that firms evaluate each third party’s depth of resources and previous experience in providing the specific activity being contracted. The evaluation should include the length of time the third party has been in business and its market share for those activities, specifically within the business model being contracted for. Reputation, including any history of customer complaints or litigation, is to be included as well.
Banks are also required to independently review the third party’s legal and regulatory compliance program, as well as evaluate each law and regulation that applies to the new relationship and ensure each one is mapped prior to contract execution.
Additional details include conducting reference checks with external organizations and agencies, reviewing the third party’s websites and other marketing materials, and assessing how the third party plans to use the bank’s name and reputation in its marketing efforts.
Requirements for the due diligence phase are equally rigorous. For example, if the service provider has access to or maintains sensitive client data, the client must ensure that the provider’s information security standards are at least at the same level as the client’s (which, in turn, must meet regulatory compliance standards). Potentially high-risk providers may require regular (annual) on-site assessments.
For the ongoing monitoring phase, banks are encouraged to pay regular on-site visits to third-party providers to fully understand their operations and their ongoing ability to meet contract requirements. Key criteria are the quality and sustainability of the third party’s controls, its ability to meet service level agreements, performance metrics and other contractual terms, and its compliance with legal and regulatory requirements.
While ultimate responsibility for adhering to OCC and other standards for regulatory compliance lies with the client organization, service providers can differentiate themselves by demonstrating the ability to meet requirements and to collaborate effectively with the client organization as well as with other providers. Put simply, if a provider can make the client’s job of regulatory compliance a bit easier, the client will notice.