
A Summarization of the Key Issues Arising From Public Comments on Regulatory Guidance

Jim Freis, co-founder of CRINDATA, talks with John Maher about the recent comment period on the regulatory guidance issued on the topic of risk management with third-party relationships. Jim explains the guidance and its implications for financial institutions especially as industry reliance on third-party service providers is increasing. Then, he provides examples of ways the industry could improve its approach to risk through collaboration.

Podcast Transcript

John Maher: Hi, I’m John Maher and I’m here today with Jim Freis, co-founder of CRINDATA, a FinTech startup supporting financial institutions and their service providers. Today, our topic is a summarization of the key issues arising from the public comments on the regulatory guidance issued for consultation on the topic of risk management with third-party relationships. Welcome, Jim.

Jim Freis: Thank you John.

What Does the Regulatory Guidance Concern?

John: So Jim, can you give me a little bit of a summary of what the regulatory guidance was all about?

Jim: This regulatory guidance is actually an update of long-standing principles from the federal banking agencies. Here we’re talking about the OCC, the Office of the Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation, FDIC.

The guidance focuses on the theme that a banking organization and its management are responsible for all of the bank’s operational risks and a safe-and-sound approach to ensuring the continuing operation of the bank, regardless of whether the bank performs functions in-house with its own personnel or relies on external parties, generally through contract, for what we’ll refer to as a third-party service provider. So it’s essentially buying some of those services, which could be software, or it could be white labeling of functions.

And the industry as a whole has dramatically increased its reliance on such third parties, which has a lot to do with changes in technology and cost-benefit analysis of what can be bought versus what it makes sense for the institution to specialize in. So, as a practical matter, the regulators have updated that guidance and are looking to harmonize approaches that they had developed in the same direction, but with slightly different language and approaches over time.

What Was the Industry Reaction to the Guidance?

John: So now, CRINDATA with your help has published comments on this proposed regulation and a lot of other organizations have as well. And you’ve reviewed a lot of those, can you tell me a little bit about what the overall industry reaction was to the regulatory guidance? Was it positive, was it negative?

Jim: Overwhelmingly positive on a couple of different levels. First, without exception, there has been a recognition from not just the regulatory community, but from banking organizations and individual banks, as well as from their service providers that indeed the factual situation has changed and it’s moving in this direction of further reliance on third-party service providers. And that’s actually a good thing in the development or the evolution of financial services and providing more cost effective, efficient, and innovative services to customers. One of the keywords that you’ll see in that regard is increased reliance on FinTech, Financial Technology companies.

A few years ago we would hear a lot about disruptors and entities that were providing new aspects of savings, payments, etc., trying to take business away from banks and disintermediate traditional financial services providers. Those still exist, and competition should help with innovation. But we see more and more that a large component of those financial technology providers are actually partnering with banks, helping banks provide their services in a better, more cost-efficient way that is more responsive to the needs and desires of their customers. So, this guidance, in helping to clarify how banks deal with this trend and how service providers have responsibilities to work with their banks, helps the overall evolution, which is considered by everyone to be moving in a positive way.

What Were the Most Significant Concerns From the Commentators?

John: The reaction in the industry was overwhelmingly positive, but what were some of the biggest concerns that you noticed from the commentators?

Jim: Again, positive reaction to the principles, positive reaction to the efforts of the different banking agencies to work together to harmonize what previously was disparate guidance. But then we get into the notion that the devil is in the details.

One way to think about this guidance is as a type of best practices, giving illustrations, practical examples of what some institutions have done over time. The regulators will have that view by looking across a broad swath, but within an individual bank, you might not know what some of your competitors are doing, especially in an evolving environment. So, we always have this notion of best practices.

That being said, however, another fundamental component of the regulatory direction, and embedded in this guidance, is that for each and every individual bank and each and every situation of their reliance on a service provider, you need to look at it on a risk basis, meaning that it’s not a one-size-fits-all aspect, neither in terms of an individual bank that might say, “I’m going to rely on an external service provider to help me offer an additional insurance product to my bank customer.”

So outside of my traditional line, but overall, that impact to my financial returns is not that much, it’s an ancillary product. I shouldn’t spend as much time on overseeing that third party relationship as I should for my core banking system provider, meaning the technology provider that is providing the IT in which I do every debit and credit, that I cannot function as a bank without that reliance. So, that’s a notion of risk based. So now, we take this aspect. 

We have, essentially, a catalog of things to take into consideration in applying a risk-based focus, and a concern of the banks is: does this become, although it’s guidance, it’s recommendations, effectively an expectation that I deal with all of the items on the catalog of best practice with respect to all of my relationships? That’s referred to as raising the bar and would be overkill rather than a best practice situation.

And another example of how this becomes difficult in practice or challenging in practice is… one of the biggest concerns or challenges for banks today is not just in dealing directly with their service provider that they’ve chosen and with whom they’re signing a contract and in day-to-day contact with, but many of the service providers increasingly rely on subcontractors to deliver their services. 

And the classic example is, if I’m working with an external IT firm that’s providing me a specific type of software, maybe in the past I bought the license from that IT developer and I installed it on premise within my bank. But now I’m looking at cloud solutions that they’re offering. The same function that the IT firm is providing will involve additional parties, generally subcontractors, if I go to a cloud environment. It’s the interface with that cloud, it’s the hosting environment, where the data is, from holding some of it on servers not within my own organization. So it becomes a much more complex environment.

But a bank, as a fundamental principle, must understand those risks down the subcontractor chain. But if the bank doesn’t have the direct relationship, if it’s only dealing with its direct third-party service provider, it’s more challenging for it to understand not just the existence of that chain, but to perform best practice analysis on those subcontractors with the same aspects: What is their own financial situation? What kind of business continuity practices do they have? What is their risk tolerance? What is their history and their aspect of oversight?

So again, to be risk based, you need to have flexibility in the application for different services, for different business lines, and that’s an aspect that is a concern of the banks. And the recommendation from many of the commenters is that not only do we benefit from and welcome these examples of best practices, these practical examples of how it would be implemented in practice, but we also want to see a clear statement that just because you could do more doesn’t mean that you must do more in each and every circumstance.

One of the reasons why that is so critical is that you need to understand the dynamic of the audiences who will read this guidance. It’s not just for the bank, the management, or maybe the business function that helps the business lines with their oversight of third-party service providers, whether it’s within risk management, procurement, or the legal department as it’s helping in the contracting. But an aspect of the risk management life cycle is also that there should be independent audits or reviews of this by your internal audit team, by your external statutory auditor, which could be the big four [accounting companies] or others, and by the examiners coming in.

If they come in and say, “Well, here’s my checklist of all possible best practices,” and they ask you to justify why you’re not doing them in each and every situation, that becomes counterproductive and moves away from the ability of the bank to apply something risk based, based on guidance, and makes it effectively more like a rule that you must do each and every aspect of this catalog. And that’s the balance that the banks are seeking from the regulators, seeking some revisions and clearer statements that that’s not what’s expected through the changes to this guidance.

Can Changes to the Guidance Address Industry Concerns?

John: So, how could changes to the guidance address these concerns that you just mentioned?

Jim: Indeed, it could leave that open and, more specifically, give examples that different approaches can be applied in different situations. And one of the best ways to do that is with examples.

So, to give you a couple of examples in that regard: if a bank is within a banking group, or if it has a bank holding company that is the 100% owner of that individual bank or potentially more banks or affiliates, it’s a quite common practice that some functions will be shared among those affiliates. That could be some of the IT services. It could be back-office functions. It could be some of the risk management or compliance services. That’s an efficient aspect within an overall related company group. It’s still an appropriate principle that the management of the bank must understand those risks, who is providing the different services, and that it retains responsibility.

But do you really need to question some of the same background aspects of the risk in dealing with an affiliate in the same way as a third-party service provider that you have no history of dealing with? Clearly not. In some cases, the risk could be more important just based on the notion of that function. But again, it’s an aspect of one size does not fit all. 

Similarly, there are some services that are ubiquitous throughout the industry. They could be related to central bank payment services, or they could be related to data aggregators for which there really is not a broad range of alternatives. And some of these entities, including the financial market infrastructures, financial market utilities, are overseen by the regulators themselves. So, are the banks required to do that same level of due diligence, meaning again the full catalog of oversight with every part? It wouldn’t make sense. It wouldn’t be risk based and it could potentially misallocate resources from the overall goal of effective risk management.

So, that’s an aspect, again, of being more granular about what risk based means in practice. Examples are very key aspects of where the banking regulators can provide guidance as to where they see fundamental differences in some of the service providers and the risks in dealing with them.

Principles of the Guidance Versus Detailed Provisions

John: So that’s what you mean when you’re talking about the principles versus the detailed provisions?

Jim: Exactly. So, maybe to give you just one further example in that: when you are applying an aspect of the risk management life cycle, it refers to contractual negotiations and points out some of the aspects that will define or help an institution understand what its potential exposure is in dealing with a third-party service provider, or it could be an aspect of refining, within the contractual provisions, to whom you allocate risks or losses in the event that they occur. It’s a good principle that you should take that into consideration, but there are a lot of details in the guidance, helpful details overall, but details that don’t make sense in each and every situation.

There needs to be an ability for the banking organization itself to decide, “I have made a reasonable determination of when to apply these issues and when not to, when I can rely on my internal team and their expertise, and where I need to go for an external legal opinion.” But we don’t need that in every case to meet the regulatory pronouncement that a banking institution should be aware of the risks of contracting with a third party.

What Was Missing From the Public Comments?

John: What do you feel like might have been missing from the public comments on this regulatory guidance?

Jim: A major issue that was not really prominent in most of the comments was the international component. And that can be understood when many of the commenters are looking at their own unique situation, or even among the industry associations that are primarily representing US banking organizations. But the trend that we’re seeing here toward regulatory expectations increasing, with respect to the obligations of banks to deal with third-party service providers or oversee their risk, is a global trend.

In some ways, this revision of the guidance from the US regulators is overdue and falling behind other practices. Very clearly within the European Union, already in 2019 the European Banking Authority put out revised guidelines for outsourcing and risk management oversight of third-party service providers that go into full effect by the end of 2021. The companion authority for the securities markets within the European Union, ESMA, also put out a series of guidelines, final guidelines, not in a comment period like the US regulators here.

And even the Financial Stability Board, the oversight and coordinating group for global regulators in which the US regulators play a very active part, put out consultation guidance on the aspect of outsourcing in November 2020. So again, showing that this is a global trend. Not only is it a regulatory global trend, but the exposure is also increasingly of a cross-border nature. What do I mean by that? Many banks are involved, either in their group activity or in service to their customers, in increasing aspects of cross-border transactions. That could be when a customer sends funds across borders, whether it’s remittances at the retail level or as a corporate entity. It could be the aspect of the way we use IT. Big IT companies increasingly target global markets, not just ones within a jurisdiction.

So, that means that the harmonization effort in terms of expectations doesn’t just make sense among the three federal banking regulators. They should also bring in the NCUA. They should also bring in the state regulators. They should also make sure this is coordinated with the SEC and the CFTC, but they should also increasingly make sure that their principles and the practical examples are harmonized on a cross-border basis. That makes more sense for the regulators. It makes more sense for the banks, but it makes the most sense for some of the service providers that are effectively serving cross-border markets.

What Would Make This Initiative the Most Effective?

John: Okay. And what additional steps do you think would make this initiative be the most effective?

Jim: The key aspect for implementation is going to be shared solutions, and that’s on a number of different levels. It’s a valid, welcome aspect of the changes to the regulatory guidance that they open the door and even can be said to encourage affected banking institutions to consider shared solutions, consortia, utilities, specialized service providers that do this type of risk management and then, for a fee, sell the services to banks. So the banks are not repeating in parallel or duplicating some of the same functions. They cannot outsource the responsibility, but they can gather some of the data to make more effective and timely decisions. So, focused on that higher value-added decision making, the shared solutions should apply not just with respect to due diligence, the information gathering component, which is where the regulators have invited specific comments, but throughout the whole life cycle of risk management, the ongoing monitoring and dealing with incidents when there are operational resilience challenges.

And another aspect where the banking industry would welcome increased partnership from the regulators to help them achieve this goal is that regulators audit some of the third-party service providers, and the banks would like to receive more information from those audits than they do today, which is usually only when there is a concern that comes from that audit. The regulators will have a unique perspective from being able to go in and kick the tires. That will always be better than an individual institution sending them a due diligence questionnaire and, from afar, trying to make a risk-based decision as to what exposure they have in dealing with this entity.

And a further aspect of collaboration would be in further development, not just of guidance, but of standards and expectations. It could be in the form of common reports, which makes it a lot easier for an institution to know what to expect from a service provider and to evaluate that, rather than how they might answer a questionnaire, or shared audits.

It’s a lot for an individual institution to go in and individually assess another organization, but if they collectively send in an independent auditor and can rely on that audit report, that’s something that benefits all in a cost-effective way. So, that’s really the future here, shared solutions to shared problems. And that’s also something that’s very consistent with the background principle that the individual institutions still own the risk and need to operate in a safe and sound way. But they can be more effective in focusing and prioritizing their efforts to achieve that goal rather than risk the industry concern of being caught in checklists and administrative activities that don’t overall advance that situation, if they were applying that universally to each and every different relationship that they have.

Contact CRINDATA for More Information

John: All right. Well, that’s really great information, Jim. Thanks again for speaking with me today.

Jim: My pleasure.

John: And for more information, you can visit the website at crindata.com. That’s crindata.com.