Richard Raysman and Peter Brown (ljh)
Though outsourcing risks have always been present, in recent years and even months, the damage a company can incur as a result of poor outsourcing decisions has become even more apparent. For example, according to a 2013 global security report, poor outsourcing decisions caused 63 percent of data breaches. A recent survey from an Internet security company estimated that the average cost of a data breach exceeded $7 million.
Well-publicized examples have recently created a vivid picture of the myriad issues arising from faulty or poorly managed third-party outsourcing relationships. For instance, the recent high-profile data breach at a large retailer has been at least in part attributed to the ability of hackers to access the retailer data via a third-party provider.
In recent months, various regulatory bodies, from the Office of the Comptroller of the Currency (OCC) to the Federal Reserve, have promulgated sets of guidelines that give advice and enumerate best practices for regulated entities that form outsourcing relationships with third-party vendors. In the same vein, the Consumer Financial Protection Bureau (CFPB), an entity created as a result of the Dodd-Frank Act, has issued a memo to regulated institutions stating that it will monitor closely these relationships with third-party vendors and service providers. The CFPB monitors on behalf of consumers, as consumers often have little to no control over the third-party relationships entered into between regulated entities and service providers. Nor do consumers possess the ability to force regulated entities to suffer recourse in the event of a data breach or other mistake by a third-party service provider.
Though these guidelines are specifically geared towards financial institutions, the advice therein can be extrapolated to become pertinent to businesses in numerous industries. As a result, analysis of these guidelines is the focal point of this column. Specifically, this column will focus on: the recent OCC and Federal Reserve advice for banks and other financial institutions; the intent of the CFPB to monitor service provider relationships; and, a case illustrating the need for compliance with OCC administrative guidance.
OCC ‘Risk Management Guidance’ Associated with Third-Party Relationships. In late October 2013, the OCC promulgated a new set of guidelines (OCC Guidelines) designed to instruct national banks and federal saving associations (collectively, the banks) on optimum practices when forming outsourcing relationships with third parties. This iteration of the OCC Guidelines rescinded a separate OCC bulletin and advisory letter, each of which dealt with managing risk in relationships with third parties. In propounding the OCC Guidelines, the impetus seems to be that the regulator is “concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”
As the OCC Guidelines note in the section labeled “Background,” “[b]anks continue to increase the number and complexity of relationships with both foreign and domestic third parties.” These relationships often entail banks outsourcing to third parties: (1) entire bank functions, including tax, legal, audit and IT; (2) lines of business or products; (3) the responsibility to engage directly with customers; and (4) the responsibility to address deficiencies in bank operations or compliance with laws or regulations.
In such a climate, the OCC Guidelines thereafter propose a number of solutions to ensure that the complexity and prevalence of outsourcing relationships between banks and third parties does not engender financial, reputational or legal problems. Interestingly, as a highlight the OCC Guidelines state that a bank should adopt “risk management processes commensurate with the level of risk and complexity of its third-party relationships.” This sliding scale of risk management seems to reflect a post-financial crisis mentality insofar as it recognizes that some entities possess a systemic risk to the national economy were they to encounter significant problems while others of a more parochial nature do not. Moreover, the OCC Guidelines are stating that a one-size-fits-all approach is no longer practical given that its regulated entities run the gamut, from “systemically important” investment banks to savings association in rural Kansas.
The OCC Guidelines provide that banks should ensure that their risk management processes are comprehensive when dealing with “critical activities.” “Critical activities” is defined as “significant bank functions,” a characterization that specifically includes payments, clearing, settlements and custody” or other activities that could have significant customer impacts or expose the bank to face significant risk if the third party fails to meet expectations.
To manage and oversee the critical activities, as well as other interactions with third parties, the OCC Guidelines promotes an eight step continuing “life cycle.” These steps include, in a specific order: planning, due diligence, contract negotiation, ongoing monitoring, termination, oversight and accountability, documentation and reporting, and independent reviews. The OCC Guidelines stipulate that each step of the life cycle should be commensurate with the level of risk and complexity. Failure to institute an effective process commensurate with the level of risk may be “an unsafe and unsound banking practice” (emphasis in original).
One decision from a federal court in New Jersey illustrates how courts will defer to internal governance procedures established by the OCC. In Bancorp v. F.D.I.C., No. CIV A 99-3799(JCL), 1999 WL 1332312 (D.N.J. Nov. 10, 1999), a corporation that was a controlling stockholder (controlling corporation) in an insolvent bank wished to subpoena an OCC National Bank Examiner who was employed during the time the bank was declared insolvent, closed, and sent into receivership. The court quashed the subpoena, even though the examiner had previously testified about the insolvent bank in a criminal trial, and he no longer worked for the OCC. Nonetheless, the court forced the controlling corporation in the insolvent bank to adhere to OCC administrative guidelines governing employee dissemination of non-public information prior to requesting any judicial relief. This illustrates both the deference of courts to administrative agency guidelines, but also the willingness of the OCC to seek judicial remedy to enforce the content of its guidelines.
The OCC Guidelines were only one instance of recent attempts to provide direction to entities involved in outsourcing relationships. As discussed in the next section, the Federal Reserve followed the OCC by issuing its own guidelines later in 2013.
Federal Reserve Guidance on Managing Outsourcing Risk. A little over a month subsequent to the issuance of the OCC Guidelines, the Federal Reserve disseminated its version of best practices for managing third-party outsourcing risks entitled “Guidance Managing Outsourcing Risk” (the Guidance). The Guidance applies to “service provider relationships where business functions or activities are outsourced” and focuses on the conduct of financial institutions (collectively, banks).
The Guidance begins by enumerating six separate risks inherent to business relationships with third-party outsourcing providers. These risks are: compliance, concentration, reputational, country risks, operational and legal. Most of these risks are self-evident, although the focus on concentration and country risks appears to be unique to this particular Guidance. Country risks arise when engaging with a foreign-based service provider, as the bank is thus exposed to potential economic, social and political conditions in that country, which could jeopardize the effectiveness of the outsourcing relationship. Concentration risks arise when outsourced services are limited to a number of providers or concentrated into a specific geographical region. The inclusion of this pair of risks into the Guidance exemplifies the panoramic view of outsourcing risk held by the Federal Reserve.
However, in large part, the Guidance functionally mirrors the OCC Guidelines. The Guidance also features extensive advice on conducting due diligence and negotiating the outsourcing agreement. Similarly, each offer extensive recommendations on which factors a bank should take into account when determining whether a third-party service provider is capable of handing a particular responsibility.
Nonetheless, there are a number of differences between the two. Unlike the OCC Guidelines, the Guidance contains a section on the optimal way to manage Suspicious Activity Report (SAR) reporting functions. These functions are designed to facilitate a way for banks to report certain types of suspicious activity. However, in doing so, the banks must adhere to the strictures of the Bank Secrecy Act. When dealing with a third-party service provider, one that could potentially be situated in a foreign country, the complexity of adhering to SAR functions in compliance with the Bank Secrecy Act increases significantly. Accordingly, the Guidance explicitly advises banks to ensure they understand the risks associated with these requirements.
These two sets of guidelines focus on comprehensive advice for banks in managing outsourcing relationships. In 2012 an additional document authored by a federal regulator emerged that clarified the relationship of banks to third-party service providers, only this one advised banks on the responsibility to protect consumers.
Consumer Financial Protection Bureau Advisory Letter Concerning Financial Entity Relationships With Service Providers. The Consumer Financial Protection Bureau (CFPB), an agency created and vested with authority by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), issued a bulletin relatively recently that is designed to ensure that supervised banks and nonbanks (collectively, financial entities) are both cognizant of their obligations to consumers, and that the CFPB will monitor them to ensure compliance with said obligations.
Specifically, this bulletin, which it titled “Service Providers,” reiterates that it “expects [financial entities] to oversee their business relationships with service providers that ensures compliance with Federal consumer financial law, which is designed to protect the interests of the consumers and avoid consumer harm.” Unlike the previous two discussed sets of guidance, the CFPB bulletin explicitly connects the relationship between financial entities and third-party services providers as one that could produce material harm to consumers. Thus, in keeping with its mission, the CFPB serves as a proxy for the public at large, a public comprised of individuals unlikely to have the financial resources, wherewithal or time to mount a lengthy fight to redress injury suffered as a result of a relationship between a financial entity and a third-party service provider gone awry.
Despite noting that “the use of service providers is often an appropriate business decision” in the context of outsourcing, the CFPB bulletin states unequivocally that “the mere fact” that regulated financial entities enter into a relationship with a service provider “does not absolve the [financial entities] of responsibility for complying with Federal consumer financial law.” To that end, the bulletin notes that, pursuant to Title X of Dodd-Frank, the CFPB is authorized to examine and obtain reports from financial entities and to thereafter exercise enforcement authority when violations are identified. For service providers, Dodd-Frank authorized the CFPB to examine compliance with statutory prohibitions on unfair, deceptive, or abusive acts or practices. A quick reading of the CFPB website devoted to enforcement action will see that the bureau has not hesitated to utilize these powers.
Conclusion. Though the guidance and bulletin largely focus on entities in the financial services sector, its ideas can be extrapolated and applied to most businesses that engage in any sort of outsourcing. These guidelines can teach businesses, among others, to: (1) create ex ante a comprehensive plan to manage each stage of an outsourcing relationship, from due diligence in the beginning to renegotiations or renewal towards the end; (2) realize that procedures to manage outsourcing risk should be tailored to the amount of complexity and risk of the outsourcing endeavors; and (3) understand the variety of risks intrinsic to any outsourcing relationship.
Businesses would be wise to heed these guidelines, if only because the OCC has asserted that its authority, which presumably includes actions pursuant to its guidelines, pre-empts certain state banking laws. See Cuomo v. Clearing House Ass’n, 557 U.S. 519 (2009) (information request issued under state fair-lending law violated provision of National Bank Act; OCC had initiated the action to enjoin the information request). Likewise, in a post-financial crisis world, all businesses should be aware, as the guidelines and bulletins make unequivocally clear, that regulators are keeping a close watch over any sort out of outsourcing agreement with third-party service providers.
Richard Raysman is a partner at Holland & Knight and Peter Brown is the principal at Peter Brown & Associates. They are co-authors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press).