Have you outsourced or are you thinking of outsourcing any banking services? If so, here are some things to consider.
The federal regulators actually have an act called The Bank Service Company Act (the “Act”), which was first introduced in 1962.
The Bank Service Company Act
Within the Act, Section 7 deals with outsourcing of services and provides for examination requirements of such service providers. Section 3 of the Act provides permissible activities that may be performed for depository institutions by bank service companies. These activities include “check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.”
The term “bank service company” means any corporation that is organized to perform services authorized by the Act and all of the capital stock of which is owned by one or more insured depository institutions. The term “bank service company” also means any limited liability company that is organized to perform services authorized by the Act and all of the members of which are one or more insured depository institutions.
The Act requires that whenever a depository institution that is regularly examined, or any subsidiary or affiliate of such a depository institution that is subject to examination, causes such services authorized under the Act to be performed by any bank service company, such performance of services is subject to regulation and examination by such agency to the same extent as if such services were being performed by the depository institution itself on its own premises. This is true whether the services have been authorized to be performed by contract or otherwise and is true whether or not the services are performed on or off the depository institution’s premises. When determining which provider to use, you may want to consider whether or not the provider is already regulated and examined.
Only the FDIC requires that the depository institution notify the agency of the existence of such a service relationship within thirty days after the making of such a service contract or the performance of the service, whichever occurs first. For reporting such a contract or such performance to the agency, there is a special form OMB Number 3064-0029, Notification of Performance of Bank Services, which has a current expiration date of January 31, 2020, and is available as a PDF at https://www.fdic.gov/formsdocuments/6120-06.pdf.
The complete Act can be found at https://www.fdic.gov/regulations/laws/rules/8000-500.html.
Plenty of other guidance is also available, including the following:
- The Federal Deposit Insurance Corporation issued FIL-44-2008: Guidance For Managing Third-Party Risk in 2008, FIL-81-2000: Risk Management of Technology Outsourcing in 2000, and FIL-13-2014: Informational Tools for Community Bankers in 2014.
- The Federal Reserve Board (FRB) issued guidance in 2000 including SR 00-4 (SUP): Outsourcing of Information and Transaction Processing and SR 00-17 (SPE): Guidance on the Risk Management of Outsourced Technology Services.
- The Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2002-16: Bank Use of Foreign-Based Third-Party Service Providers and OCC Bulletin 2013-29: Third-Party Relationships, Risk Management Guidance, and the most recently issued Bulletin 2017-21, which includes FAQs to supplement Bulletin 2013-29.
- The National Credit Union Association (NCUA) also issued NCUA Letter to Credit Unions No. 02-CU-17: E-Commerce Guide for Credit Unions in 2002, NCUA Letter to Credit Unions No. 01-CU-20: Due Diligence Over Third Party Service Providers in 2001, and Supervisory Letter 07-01: Evaluating Third Party Relationships in 2007.
Overall guidance provides information on assessing risk prior to outsourcing third-party services, using due diligence in selecting vendors, performing ongoing monitoring and due diligence, reviewing contract provisions, and performing board and management oversight.
In conclusion, a financial institution should consider all options before entering into a third-party service arrangement, review the Bank Service Company Act to ensure these provisions are a part of the vendor management program, make sure upfront planning and due diligence are thoroughly conducted, and ensure a robust ongoing monitoring plan can be achieved. Failing to follow these steps could constitute unsafe and unsound practices and could lead to strategic, reputation, interest rate, liquidity, compliance, credit, cyber, and transaction risks.