Leading Research
Paul Hyde, Pat Houston, Ashish Jain, Kumar Kanagasabai, Lisa Mitchell
Effective Third-Party Management
How to Address CFPB Bulletins on Third-Party Service Providers
Executive Summary
The recent bulletins by the Consumer Financial Protection Bureau (CFPB) raise the bar on effective Third-Party Management (TPM). For a variety of reasons, however, many banks are challenged to ensure compliance with these bulletins. As a result, some are proceeding cautiously, with more of a follower approach, while others are adopting a big-bang, broad-based approach. In our perspective, banks that are embarking on this journey need to do four things:
1. Incorporate additional consumer risk metrics in the vendor segmentation approach
2. Consistently educate vendors on the requirements and implications of CFPB’s mandate
3. Strike the right balance between business risk and consumer risk in structuring the supplier base
4. Evaluate LOB policies and “unwritten” practices to ensure compliance
In this deck, you will see our approach to ensuring CFPB compliance along these four dimensions. This approach focuses on building new capabilities that fundamentally reframe how you think about TPM. Your immediate priority should be to (1) assess your TPM governance process on each of these four dimensions, and (2) enhance your segmentation approach and identify high-risk vendors/products.
Booz & Company
Recent bulletins by the Consumer Financial Protection Bureau raise the bar on effective Third-Party Management (TPM)
Recent CFPB Bulletins
Bulletin 2012-03 expands the responsibilities of financial institutions in ensuring third parties do not present “unwarranted risks to consumer”
− Conduct due diligence to verify provider’s ability to comply with consumer law
− Request and review the provider's policies and procedures to ensure appropriate oversight
− Set clear expectations about enforceable consequences for violations
− Establish internal controls and ongoing monitoring for compliance with consumer law
Bulletin 2012-06 requires financial institutions to take additional steps to ensure credit card add-on products are marketed in a manner that limits the potential for regulatory violations or consumer harm
− Marketing materials for credit card add-on products are not deceptive
− Compensation does not create incentives to provide inaccurate information
− Scripts follow specific requirements and have compliance management programs
Banks are challenged to ensure compliance with these bulletins
Select CFPB Compliance Issues Seen
Banks have complete responsibility of all risk when using third-party vendors
− CFPB’s bulletins do not contain limitations based on the level of risk a third-party vendor poses to the bank
− Contrast this with Office of the Comptroller of the Currency (OCC) guidelines, in which it is noted that a bank’s risk management system should reflect the overall level of risk involved
An added layer of risk management is required, and banks are not ready
− Banks currently do not have all the necessary capabilities to consistently include aspects of consumer risk in their current risk management processes
− Banks must build processes that incorporate elements of consumer risk into performance metrics, third-party processes, and governance mechanisms
Banks are not clear on the scope of compliance requirements
− The bulletins provide limited details that banks need for guidance, requiring a higher level of due diligence on third-party vendors
− It is unclear whether these bulletins are “regulations” or “guidelines”
Banks are required to build expertise that conflicts with the business need
− Banks leverage third-party service providers because they need to rely on expertise that would not otherwise be available in-house
− However, the bulletins require banks to develop substantive expertise with respect to compliance obligations that might apply to an outsourced function
Source: K&L Gates; Booz & Company Analysis
In addition, banks are grappling with other TPM issues
Typical TPM Issues
− Improving visibility into the full range of risk exposures with third-party relationships
− Gaining more influence over business partners’ management of risks and controls
− Standardizing risk management processes across the company
− Improving tools and technology available to support third-party risk management
− Improving risk expertise within the company
− Improving communication between the company and third-party companies
− Defining responsibility for third-party risk more clearly
− Overcoming resistance to risk management practices at the operational level
− Overcoming a lack of interest in third-party risk at the executive level of the company
Source: Survey conducted by CFO Research Services in collaboration with Crowe Horwath LLP in Fall 2011; 58 executives in the financial services industry responded.
To ensure compliance, banks are adopting a broad-based approach or pursuing a more targeted approach
Typical Approaches (in order of increasing level of resource requirements)
Targeted and Following
− Take a wait-and-see approach as actions unfold
− Identify at-risk products, services, and suppliers (e.g., mortgage and cards)
− Assess potential governance issues (e.g., retooling the TPM program to focus on compliance and monitoring)
− Redeploy resources based on further precedents and/or CFPB guidance
Broad-Based and Shaping
− Updating segmentation models to identify vendors/products with high risk
− Discontinuing products/suppliers as needed (e.g., identity theft, payment protection)
− Hiring significant resources to review contracts (current and future)
− Setting aside provisions in anticipation of penalties
Our perspective: Compliance expectations in the current environment require banks to fundamentally reframe TPM
Third-Party Management
1. Assessment and Administration
− Segmented methodologies incorporating type and extent of consumer risk
− Performance measurement and transparency
− Governance and interaction models
− Tools and technologies
2. Vendor Requirements and Education
− Vendor education and understanding of compliance requirements
− Vendor staff training
− Vendor process controls and checks
3. Supplier Base Structure
− Vendor portfolio customer risk and exposure
− Portfolio risk consolidation/diversification
− Contract management
4. LOB Policies and Procedures
− Product pricing and design
− Sales, marketing, and fulfillment guidelines and processes
− Treatment of customer privacy
1. Assessment and Administration
Vendor segmentation must incorporate additional consumer risk metrics
Example Supplier Segmentation Matrix: Classification by Segmentation
Axes: Total Spend (Low to High); Business Criticality (Low to High)
− Core: Suppliers that represent a large portion of spend but have more limited value-creation potential and limited risk
− Strategic: Suppliers that provide products/services that are core to client’s ability to deliver value and manage risk
− Transactional: Suppliers that account for a small portion of the spend and have little or no value-creation potential
− Niche: Suppliers that can significantly affect client’s ability to deliver value yet are small in spend
Additional Consumer Risk Metrics
− Frequency and nature of supplier consumer interactions
− Supplier presence in customer value chain
− Product susceptibility to upselling opportunities by suppliers (non-bank products/services)
− Supplier FTE compensation model (commission based)
− Visibility into supplier consumer interactions (call recording and monitoring)
− Level of customer recourse (e.g., ease of cancellation/modification)
− Extent of supplier autonomy in making consumer decisions
2. Vendor Requirements and Education
Banks must consistently educate vendors on the requirements and implications of CFPB’s mandate
Education and Communication on CFPB mandates: Key Activities Needed
Upfront Supplier Education
− Conduct regular supplier education programs on CFPB mandates and policies
− Ensure contract terms require suppliers to regularize training programs for all client-facing personnel on CFPB regulations
− Be sure supplier continues to emphasize consumer protection risk requirements in ongoing internal dialogues
Centralize and Standardize Operating Processes
− Maintain a standard operating process rulebook documenting training, communication, and standardized timings for interactions with vendors
− Maintain regular log of all trainings and communication activities with vendors
− Ensure all client-facing personnel sign off on ability to understand the requirements and implications of CFPB’s mandate
Ongoing Communication
− Ensure “push-based” communication on latest updates and changes from CFPB to suppliers
− Conduct regular workshops with key Tier 1 vendors on CFPB updates and implications
− Maintain an internal and supplier-oriented website that maintains all updated information on CFPB mandates
3. Supplier Base Structure
The supplier base must strike the right balance between business risk and consumer risk
Supplier Base Structure
Business Risk: Increasing supplier base helps to diversify business risk (while also increasing management costs)
Consumer Risk: Increasing supplier base with customer contact also increases potential failure points
Business Need: Expertise; Cost Management; Negotiation Leverage; Scale
The enhanced due diligence standards will significantly increase management costs and complexities as supplier base increases
Decision Points
− Consolidate where too many customer-facing suppliers
− Diversify where high supplier concentration
4. LOB Policies and Procedures
Finally, LOB policies and “unwritten” practices must be evaluated to ensure compliance
Typical Consumer Risk Areas
Policy and practice areas: Advertising & Promotions; Consumer Consent; Sales Incentives; Fulfillment; Product Design; Pricing & Fees; Consumer Privacy; Account Cancellation; Customer Solicitation; Collections
Typical risks:
− Misleading promotions and claims
− Difficult to redeem product offerings
− Prior consumer consent “optional” for some products
− Hidden fees
− Price changes hidden in “fine print”
− Misleading terms and conditions
− Discriminatory prospecting practices
− Incentives tied to sales without consequences
− Disrespectful collection practices
− “No product return” policies
− Consumer information and contact preferences taken for granted
Getting Started: (1) Focus on identifying high-risk vendors/products; (2) Determine gaps in the TPM processes
Shorter-Term Priorities
1. Enhance segmentation framework and identify high-risk vendors/products
2. Review TPM governance process against best practices and determine gaps:
− Vendor assessment and administration
− Vendor requirements and education
− Supplier base structure
− LOB policies and procedures
Longer-Term Priorities
Build out a longer-run, best practice TPM operating model:
− Strategy
− Organization
− Roles and responsibilities
Design the new operational processes required to support the new operating model
Contact Information
Chicago
Ashish Jain, Partner, +1-312-578-4753
Lisa Mitchell, Principal, +1-312-578-4802
New York
Paul Hyde, Senior Partner, +1-212-551-6069
Kumar Kanagasabai, Principal, +1-212-551-6455
Florham Park
Pat Houston, Partner, +1-973-410-7602
The most recent list of our offices and affiliates, with addresses and telephone numbers, can be found on our website, www.booz.com
Worldwide Offices
Asia: Beijing, Delhi, Hong Kong, Mumbai, Seoul, Shanghai, Taipei, Tokyo
Australia, New Zealand & Southeast Asia: Adelaide, Auckland, Bangkok, Brisbane, Canberra, Jakarta, Kuala Lumpur, Melbourne, Sydney
Europe: Amsterdam, Berlin, Copenhagen, Dublin, Düsseldorf, Frankfurt, Helsinki, Istanbul, London, Madrid, Milan, Moscow, Munich, Oslo, Paris, Rome, Stockholm, Stuttgart, Vienna, Warsaw, Zurich
Middle East: Abu Dhabi, Beirut, Cairo, Doha, Dubai, Riyadh
North America: Atlanta, Chicago, Cleveland, Dallas, DC, Detroit, Florham Park, Houston, Los Angeles, Mexico City, New York City, Parsippany, San Francisco
South America: Buenos Aires, Rio de Janeiro, Santiago, São Paulo
Booz & Company is a leading global management consulting firm focused on serving and shaping the senior agenda of the world’s leading institutions. Our founder, Edwin Booz, launched the profession when he established the first management consulting firm in Chicago in 1914. Today, we operate globally with more than 3,000 people in 58 offices around the world. We believe passionately that essential advantage lies within and that a few differentiating capabilities drive any organization’s identity and success. We work with our clients to discover and build those capabilities that give them the right to win their chosen markets. We are a firm of practical strategists known for our functional expertise, industry foresight, and “sleeves rolled up” approach to working with our clients. To learn more about Booz & Company or to access its thought leadership, visit booz.com. Our award-winning management magazine, strategy+business, is available at strategy-business.com.
©2012 Booz & Company Inc.