Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

Compliance Laws and Regulations > Third Party Risk Guidance > Flashcards

Third Party Risk Guidance Flashcards

1
Q

Do indemnity agreements relinquish the bank from responsibility over a third party’s actions?

A

No. A bank may property seek to mitigate risks of third party relationships through the use of indemnity agreements, such agreements do not insulate the bank from its ultimate responsibility to conduct banking activities in compliance with consumer protection laws and regulations, including fair lending laws.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What types of third party relationships are considered significant? (11)

A

• the institution’s relationship with the third party is a new
relationship or involves implementing new institution activities;

  • the relationship has a material effect on the institution’s revenues or expenses;
  • the third party performs critical functions;
  • the third party stores, accesses, transmits, or performs transactions on sensitive customer information;
  • the third-party relationship significantly increases the institution’s geographic market;

• the third party provides a product or performs a service
involving l ending or card payment transactions;

• the third party poses risks that could materially affect the
institution’s earnings, capital, or reputation;

• the third party provides a product or performs a service that
covers or could cover a large number of consumers;

• the third party provides a product or performs a service that
implicates several or higher risk consumer protection regulations;

• the third party is involved in deposit taking arrangements
such as affinity arrangements; or

• the third party markets products or services directly to institution customers that could pose a risk of financial loss to the individual.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is a third party?

A

All entities that have entered into a business relationship with the bank, whether the third party is a bank or non bank, affiliated or non affiliated, regulated or non regulated, a wholly or partially owned subsidiary, or a domestic or foreign institution.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When reviewing for third party risk, examiners should request a list of what to ensure all appropriate relationships have been captured?

A

Examiners should request a listing of all functions and services outsourced to ensure that appropriate relationships that have third party risk are captured for review.

Some banks will use the term outsourced and third party interchangeably, even if outsourced relationships have varied degrees of risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Failure to manage third party risk can expose the bank to what? (5)

A
  • supervisory action
  • financial loss
  • litigation
  • reputational damage
  • impair a banks ability to establish new or manage existing consumer relationships
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The decision to enter into third party relationships should be considered by who within the bank? why?

A

The board of directors and management, because the Board is ultimately responsible for managing activities conducted through third party relationships and identifying and controlling the risks to the same extent as if the activity were handled within the institution.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What potential risks can arise from third party relationships? (8)

A
  • compliance risk
  • reputational risk
  • strategic risk
  • operational risk
  • transaction risk
  • credit risk
  • country risk
  • other risks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is compliance risk?

A

Risk arising from violations of compliance laws or regulations or from noncompliance with the bank’s internal policies, procedures, or business standards.

Compliance risk is exacerbated when the bank has inadequate oversight, monitoring, or audit functions over third party relationships.

ex: marketing practices by a third party that violate UDAP.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is reputational risk?

A

Risk arising from negative public opinion. Third party relationships that result in dissatisfied customers, unexpected financial loss, interactions not consistent with bank policies, inappropriate recommendations, security breaches and violations are all examples that could harm reputation.

Any negative publicity even if unrelated to the third party could result in reputational risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is strategic risk?

A

Risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner consistent with the bank’s strategic goals.

Use of a third party to perform banking functions or to offer products/services that do not help the bank achieve strategic goals and provide an adequate return on investment exposes the bank to strategic risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is operational risk?

A

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. Third-party relationships often
integrate the internal processes of other organizations with the
institution’s processes and can increase the overall operational
complexity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is transactional risk?

A

Transaction risk is the risk arising from problems with service or product delivery. A third-party’s failure to perform as expected by customers or the institution due to reasons such as inadequate capacity, technological failure, human error, or fraud, exposes the institution to transaction risk. The lack of an effective business resumption
plan and appropriate contingency plans increase transaction
risk. Weak control over technology used in the third-party arrangement may result in threats to security and the integrity of systems and resources. These issues could result in unauthorized transactions or the inability to transact business as expected.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is credit risk?

A

Risk that a third party is unable to meet the terms of the contract with the bank or otherwise financially perform as agreed.

The basic form of this risk involves the financial condition of the third party. Some contracts provide that the third party ensure some measure of performance related to obligations arising from the relationship. (ex: origination programs)

Credit risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers, conduct underwriting analysis, or set up product programs for the bank. Appropriate monitoring of the financial activities of the third party is necessary to ensure that credit risk is understood and remains within board approved limits.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is country risk?

A

Country risk is the exposure to the economic, social, and political conditions and events in a foreign country that may adversely affect the ability of the foreign based third party to meet the level of service required by the arrangement, resulting in harm to the bank.

In extreme cases this could result in loss of data, research and development efforts, or other assets.

Managing country risk requires the ability to gather and assess information regarding the foreign govt policies, including those addressing information access as well as local, political, social, economic, and legal conditions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What other risks can a third party impose?

A

Third party relationships may also subject the bank to liquidity, interest rate, price, legal and foreign currency translation risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are some examples of concerns that can surface if there is a lack of appropriate oversight and monitoring of third party relationship and associated CMSs? (8)

A

• Where the institution lends its name or regulated entity status to products and services originated by others or activities predominantly conducted by others, and those vendors engage in practices that may be considered
predatory, abusive, or unfair and deceptive to consumers;

• When possible violations of fair lending and consumer protection laws and regulations occur, particularly when the
actual involvement of the institution and the third party is invisible to the customer;

  • Where the third-party relationships do not meet the expectation of the institution’s customers;
  • Where, due to the third party, the customer experiences poor service, disruption of service, financial loss resulting from not understanding product or service risks or alternatives, and inferior choices stemming from lack of disclosure(s);
  • When privacy of consumer and customer records is not adequately protected;

• Where the third party is unable to deliver products or services due to fraud, error, inadequate capacity, or
technology failure, and where there is a lack of effective business resumption and contingency planning for such situations;

• Where a problem or issue lies with a service being rendered by a third party that went undetected by the institution because an appropriate audit or monitoring program was not in place for the third-party relationship; and

• Where the third party is the auditor for the institution’s CMS and management failed to properly oversee and
manage the scope and intensity of these audits to ensure reviews were comprehensive or covered areas of significant risk.

17
Q

What is the key to the effective and successful use of a third party?

A

For the bank’s management to appropriately assess, measure, monitor, and control the risks associated with the relationship and weave that process into its CMS.

18
Q

What are the four main elements of an effective third-party risk CMS?

A
  • Risk assessments
  • Due diligence in selecting a third party
  • contract structuring and review
  • oversight
19
Q

What is third party oversight?

A

The process of reviewing the operational and financial performance of third party activities over those products and services performed through third party arrangements on an ongoing basis, to ensure that the third party meets and can continue to meet the terms of the contractual arrangement.

20
Q

What is contract structuring and review?

A

The process of ensuring that the specific expectations and obligations of both the institution and the third party are outlined in a
written contract prior to entering into the arrangement—a contract should act as a map to the relationship and define its structure.

21
Q

What procedures should examiners follow when evaluating a third party risk assessment? (8)

A
  • Determine if management, prior to entering into the relationship ensured the relationship is consistent with the strategic plan/business strategy.
  • Determine if management, prior to starting the relationship, analyzed the strategic risk the bank is willing to accept.
  • Determine if, prior to entering into the relationship, management analyzed the benefits, costs, legal aspects, and the potential risks associated with the third party.
  • Determine if management performed a risk/reward analysis, comparing the proposed third party to other methods of performing the activity or product offering. This should be performed by management and reviewed by the Board or appropriate committee.
  • Determine if bank employees have the knowledge and skills to adequately perform the risk assessment.
  • Determine if management reviewed the third party’s activities for potential predatory, discriminatory, abusive, unfair, or deceptive actions to consumers.
  • Determine if management reviewed its ability to provide adequate oversight and management of the third party on an ongoing basis.
  • Determine if management has a process in place for evaluating new or significant third party relationships and issues to the board for review and approval.
22
Q

The risk assessment of a third party should identify what? (4)

A
  • performance criteria
  • internal controls
  • reporting needs
  • contractual requirements

All would be critical to the ongoing assessment and control of identified risks.

ex: if the activity involves consumer products or services, the board and management should establish a clear solicitation and origination strategy that allows for an assessment of performance, as well as mid course corrections.

23
Q

When performing due diligence on a third party, a bank should focus on what aspects? (5)

A

The scope and due diligence should be directly related to the importance and magnitude of the third party relationship and should focus on:

  • financial condition
  • relevant experience
  • knowledge of laws and regulations
  • reputation
  • scope and effectiveness of its operations and controls
24
Q

What are some examples of things that can be included for review in the due diligence evaluation?

A

• Audited financial statements, annual reports, Securities and
Exchange Commission filings, and other available financial
information;

• Significance of the proposed contract on the third-party’s
financial condition;

• Experience and ability in implementing and monitoring the
proposed activity;

  • Business reputation, including any complaints filed;
  • Span of business operations in which the third party is engaged;
  • Qualifications and experience of the company’s principals;

• Strategies and goals, including service philosophies, quality
initiatives, efficiency improvements, and employment policies;

  • Existence of any significant complaints or litigation (past and pending), or supervisory actions against the company or its owners or principals;
  • Ability to perform the proposed functions using current systems or the need to make additional investment;
  • Use of other parties or subcontractors by the third party;
  • Scope of internal controls, systems and data security, privacy protections, and audit coverage;
  • Business resumption strategy and contingency plans;

• Knowledge of and background and experience with
consumer protection laws and regulations;

  • Underwriting criteria;
  • Adequacy of management information systems;
  • Insurance coverage;

• Marketing materials to determine how the institution’s name
will be associated with the product;

  • Websites; and
  • Vendor and institution management responsibilities.
25
Contracts should reviewed by the Board. What should examiners consider when reviewing the Boards approval of a contract? (5)
- if Board members are fully aware of the risks, issues, and responsibilities associated with the third party relationship. - if board members have close ties to or have a vested interest in the third party relationship - if the members abrogate their responsibilities during the review and approval of any relationship - if board members had access and reviewed due diligence findings, and were findings accurately presented. - is the review addressed in the board minutes.
26
What procedures should examiners follow when reviewing third party contract structuring and review? (5)
- Determine if management ensures the expectations and obligations of the bank and the third party are outlined in a written contract prior to starting the relationship. Including the prohibition, transfer, or subcontracting by the third party of its obligations. - determine if the Board approved prior to entering into the arrangement. - Determine if appropriate legal counsel reviewed the contract prior to finalization - Determine if clearly defined performance standards are identified to measure the third party's performance. Management should periodically review these standards to ensure they still meet the bank's performance objectives. They can be used as a factor in third party compensation. - Review the contract to ensure it contains all applicable elements.
27
What third party compensation agreements are prohibited?
The FDIC enforces laws and regulations that prohibit the use of compensation arrangements that encourage third-party originators to inappropriately steer borrowers into higher cost products or avoid mortgage lending in low-income neighborhoods where home prices are lower. Compensation arrangements should not create unintended incentives to engage in unfair or deceptive acts or practices, particularly with respect to product sales, loan originations, and collections; or be tailored to circumvent other applicable consumer protection laws and regulations, including fair lending laws and regulations.
28
A third party contract should contain what elements? (10)
- Outline fees, compensation, variable charges, cost and responsibility for purchasing and maintaining equipment/software. Including obligations for retaining documentation for compensation agreements, and the party responsible for payment of legal or audit expenses. - Type and frequency of management information reports to be received from the third party. (performance, audits, financial, security, complaints, business resumption testing) - the bank's right to audit the third party as needed to monitor performance under the contract. (scope of audits, and compliance risks) - prohibits the third party and agents from using or disclosing the bank's information except as necessary to perform the functions designated by the contract or as permitted by law. (ex: privacy information and disclosure of breaches) - specifies who responds to complaints received by the third party from bank customers. if the third party responds, documentation of complaints and responses as well as summary reports/trend analysis of complaints. - Responsibility for continuation of services in event of operational failure. (man made/ natural disasters). Including providing disaster recovery and contingency plans and testing. - circumstances that constitute default, identifies remedies, and allows for opportunity to cure default. Including termination rights (ex: failure to prevent violations of law) - dispute resolution process. - ownership and right to use bank property, including intellectual property (name/logo). - Indemnification provisions
29
What procedures should examiners follow when evaluating Board and management Oversight of third parties? (6)
- Determine if Board initially approved and annually reviews significant third party arrangements and what Board considered in approval. - Determine if management periodically reviews third party operations to verify consistency with contract and that risks are controlled (compliance with laws and internal policies and procedures). - Determine if management allocates sufficient qualified staff to monitor and provide necessary oversight. (extent of oversight depends on the potential risks, scope, and magnitude of the arrangement) - determine if management is following the bank's policies and procedures for terminating or probating third party relationships based on findings from audits/monitoring - determine if results of oversight activities are periodically reported to the board or committee. Weaknesses should be identified and promptly addressed. - determine if the bank maintains documents and records of all aspects of the relationship.
30
What is an institution affiliated third party? (4)
By statute, an IAP is defined as: * Any director, officer, employee, or controlling stockholder (other than a bank holding company) of, or agent for, an insured depository institution; * Any other person who has filed or is required to file a change-in-control notice with their primary Federal banking regulator; * Any shareholder (other than a bank holding company), consultant, joint venture partner, and any other person as determined by the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution; or • Any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in any violation of: ° any law or regulation; ° any breach of fiduciary duty; or ° any unsafe or unsound practice, which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution.
31
Why is the IAP designation important with regard to enforcement actions?
Because when the FDIC is considering bringing an enforcement action against a third party they are limited in jurisdiction to insured State nonmember banks, foreign institutions with an insured branch, and their IAPs.
32
What types of items can be transaction tested during a third party review?
* Advertisement and marketing documentation; * New product development documentation; * Procedural manuals, including those for servicing, collections, and safeguarding customer information; * Employee training records; * Audit/monitoring report findings; * Customer disclosures, notices, agreements, and periodic statements for each product and service reviewed; * Account statements; * Contracts with third parties; * Compensation programs; * Promotional materials; * Telemarketing scripts; and * Recorded calls for telemarketing or collections.
33
True or false: Appropriate corrective action, including enforcement action, may be pursued for deficiencies related to a third-party relationship, including IAP activities that pose compliance management concerns or result in violations of applicable consumer protection laws and regulations.
True Examiners are reminded that indemnity or other contractual provisions with third parties cannot insulate the institution from regulatory corrective action.

Compliance Laws and Regulations (35 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions