Effective Third-Party Management How to Address CFPB Bulletins on Third-Party Service Providers

Leading Research

Paul Hyde Pat Houston Ashish Jain Kumar Kanagasabai Lisa Mitchell


Executive Summary

The recent bulletins by the Consumer Financial Protection Bureau (CFPB) raise the bar on effective Third-Party Management (TPM). For a variety of reasons, however, many banks are challenged to ensure compliance with these bulletins. As a result, some are proceeding cautiously, with more of a follower approach while others are adopting a big-bang, broad-based approach. In our perspective, banks that are embarking on this journey need to do four things:

1. Incorporate additional consumer risk metrics in the vendor segmentation approach
2. Consistently educate vendors on the requirements and implications of CFPB’s mandate
3. Strike the right balance between business risk and consumer risk in structuring the supplier base
4. Evaluate LOB policies and “unwritten” practices to ensure compliance

In this deck, you will see our approach to ensuring CFPB compliance along these four dimensions. This approach focuses on building new capabilities that fundamentally reframe how you think about TPM. Your immediate priority should be to (1) assess your TPM governance process on each of these four dimensions, and (2) enhance your segmentation approach and identify high-risk vendors/products.

Booz & Company


Recent bulletins by the Consumer Financial Protection Bureau raise the bar on effective Third-Party Management (TPM)

Recent CFPB Bulletins

• Bulletin 2012-03 expands the responsibilities of financial institutions in ensuring third parties do not present “unwarranted risks to consumer”
• Bulletin 2012-06 requires financial institutions to take additional steps to ensure credit card add-on products are marketed in a manner that limits the potential for regulatory violations or consumer harm

Bulletin 2012-03

• Conduct due diligence to verify provider’s ability to comply with consumer law
• Request and review the provider's policies and procedures to ensure appropriate oversight
• Set clear expectations about enforceable consequences for violations
• Establish internal controls and ongoing monitoring for compliance with consumer law

Bulletin 2012-06

• Marketing materials for credit card add-on products are not deceptive
• Compensation does not create incentives to provide inaccurate information
• Scripts follow specific requirements and have compliance management programs


Banks are challenged to ensure compliance with these bulletins

Select CFPB Compliance Issues Seen

Banks have complete responsibility for all risk when using third-party vendors

• CFPB’s bulletins do not contain limitations based on the level of risk a third-party vendor poses to the bank
• Contrast this with Office of the Comptroller of the Currency (OCC) guidelines, in which it is noted that a bank’s risk management system should reflect the overall level of risk involved

An added layer of risk management is required, and banks are not ready

• Banks currently do not have all the necessary capabilities to consistently include aspects of consumer risk in their current risk management processes
• Banks must build processes that incorporate elements of consumer risk into performance metrics, third-party processes, and governance mechanisms

Banks are not clear on the scope of compliance requirements

• The bulletins provide limited details that banks need for guidance, requiring a higher level of due diligence on third-party vendors
• It is unclear whether these bulletins are “regulations” or “guidelines”

Banks are required to build expertise that conflicts with the business need

• Banks leverage third-party service providers because they need to rely on expertise that would not otherwise be available in-house
• However, the bulletins require banks to develop substantive expertise with respect to compliance obligations that might apply to an outsourced function

Source: K&L Gates; Booz & Company Analysis


In addition, banks are grappling with other TPM issues

Typical TPM Issues

• Improving visibility into the full range of risk exposures with third-party relationships
• Gaining more influence over business partners’ management of risks and controls
• Standardizing risk management processes across the company
• Improving tools and technology available to support third-party risk management
• Improving risk expertise within the company
• Improving communication between the company and third-party companies
• Defining responsibility for third-party risk more clearly
• Overcoming resistance to risk management practices at the operational level
• Overcoming a lack of interest in third-party risk at the executive level of the company

Source: Survey conducted by CFO Research Services in collaboration with Crowe Horwath LLP in Fall 2011; 58 executives in the financial services industry responded.


To ensure compliance, banks are adopting a broad-based approach or pursuing a more targeted approach

Typical Approaches

Increasing Level of Resource Requirements

Targeted and Following

• Take a wait-and-see approach as actions unfold
• Identify at-risk products, services, and suppliers (e.g., mortgage and cards)
• Assess potential governance issues (e.g., retooling the TPM program to focus on compliance and monitoring)
• Redeploy resources based on further precedents and/or CFPB guidance

Broad-Based and Shaping

• Updating segmentation models to identify vendors/products with high risk
• Discontinuing products/suppliers as needed (e.g., identity theft, payment protection)
• Hiring significant resources to review contracts (current and future)
• Setting aside provisions in anticipation of penalties

Our perspective: Compliance expectations in the current environment require banks to fundamentally reframe TPM

Third-Party Management

1. Assessment and Administration

• Segmented methodologies incorporating type and extent of consumer risk
• Performance measurement and transparency
• Governance and interaction models
• Tools and technologies

2. Vendor Requirements and Education

• Vendor education and understanding of compliance requirements
• Vendor staff training
• Vendor process controls and checks

3. Supplier Base Structure

• Vendor portfolio customer risk and exposure
• Portfolio risk consolidation/diversification
• Contract management

4. LOB Policies and Procedures

• Product pricing and design
• Sales, marketing, and fulfillment guidelines and processes
• Treatment of customer privacy


1. Assessment and Administration

Vendor segmentation must incorporate additional consumer risk metrics

Example Supplier Segmentation Matrix: Classification by Segmentation

Axes: Total Spend (Low to High); Business Criticality (Low to High)

• Core: Suppliers that represent a large portion of spend but have more limited value-creation potential and limited risk
• Strategic: Suppliers that provide products/services that are core to client’s ability to deliver value and manage risk
• Transactional: Suppliers that account for a small portion of the spend and have little or no value-creation potential
• Niche: Suppliers that can significantly affect client’s ability to deliver value yet are small in spend

Additional Consumer Risk Metrics

• Frequency and nature of supplier consumer interactions
• Supplier presence in customer value chain
• Product susceptibility to upselling opportunities by suppliers (non-bank products/services)
• Supplier FTE compensation model (commission based)
• Visibility into supplier consumer interactions (call recording and monitoring)
• Level of customer recourse (e.g., ease of cancellation/modification)
• Extent of supplier autonomy in making consumer decisions

2. Vendor Requirements and Education

Banks must consistently educate vendors on the requirements and implications of CFPB’s mandate

Education and Communication on CFPB Mandates: Key Activities Needed

Upfront Supplier Education

• Conduct regular supplier education programs on CFPB mandates and policies
• Ensure contract terms require suppliers to hold regular training programs for all client-facing personnel on CFPB regulations
• Be sure supplier continues to emphasize consumer protection risk requirements in ongoing internal dialogues

Centralize and Standardize Operating Processes

• Maintain a standard operating process rulebook documenting training, communication, and standardized timings for interactions with vendors
• Maintain regular log of all trainings and communication activities with vendors
• Ensure all client-facing personnel sign off on ability to understand the requirements and implications of CFPB’s mandate

Ongoing Communication

• Ensure “push-based” communication on latest updates and changes from CFPB to suppliers
• Conduct regular workshops with key Tier 1 vendors on CFPB updates and implications
• Maintain an internal and supplier-oriented website that carries all updated information on CFPB mandates

3. Supplier Base Structure

The supplier base must strike the right balance between business risk and consumer risk

Supplier Base Structure

Business Risk

• Increasing supplier base helps to diversify business risk (while also increasing management costs)

Consumer Risk

• Increasing supplier base with customer contact also increases potential failure points
• The enhanced due diligence standards will significantly increase management costs and complexities as supplier base increases

Business Need

• Expertise
• Cost Management
• Negotiation Leverage
• Scale

Decision Points

• Consolidate where too many customer-facing suppliers
• Diversify where high supplier concentration

4. LOB Policies and Procedures

Finally, LOB policies and “unwritten” practices must be evaluated to ensure compliance

Typical Consumer Risk Areas

Sales Incentives; Advertising & Promotions; Consumer Consent; Fulfillment; Product Design; Pricing & Fees; Consumer Privacy; Account Cancellation; Customer Solicitation; Collections

• Misleading promotions and claims
• Difficult to redeem product offerings
• Prior consumer consent “optional” for some products
• Hidden fees
• Price changes hidden in “fine print”
• Misleading terms and conditions
• Discriminatory prospecting practices
• Incentives tied to sales without consequences
• Disrespectful collection practices
• “No product return” policies
• Consumer information and contact preferences taken for granted

Getting Started: (1) Focus on identifying high-risk vendors/products; (2) Determine gaps in the TPM processes

Shorter-Term Priorities

1. Enhance segmentation framework and identify high-risk vendors/products
2. Review TPM governance process against best practices and determine gaps:
− Vendor assessment and administration
− Vendor requirements and education
− Supplier base structure
− LOB policies and procedures

Longer-Term Priorities

• Build out a longer-run, best practice TPM operating model:
− Strategy
− Organization
− Roles and responsibilities
• Design the new operational processes required to support the new operating model

Contact Information

Chicago
• Ashish Jain, Partner, +1-312-578-4753
• Lisa Mitchell, Principal, +1-312-578-4802

New York
• Paul Hyde, Senior Partner, +1-212-551-6069
• Kumar Kanagasabai, Principal, +1-212-551-6455

Florham Park
• Pat Houston, Partner, +1-973-410-7602


Booz & Company is a leading global management consulting firm focused on serving and shaping the senior agenda of the world’s leading institutions. Our founder, Edwin Booz, launched the profession when he established the first management consulting firm in Chicago in 1914. Today, we operate globally with more than 3,000 people in 58 offices around the world. We believe passionately that essential advantage lies within and that a few differentiating capabilities drive any organization’s identity and success. We work with our clients to discover and build those capabilities that give them the right to win their chosen markets. We are a firm of practical strategists known for our functional expertise, industry foresight, and “sleeves rolled up” approach to working with our clients. To learn more about Booz & Company or to access its thought leadership, visit booz.com. Our award-winning management magazine, strategy+business, is available at strategy-business.com.

©2012 Booz & Company Inc.
