A Former Regulator’s Perspective on Third-Party Risk Management

As part of our Venminder Thought Leadership series where we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends and more, I had the opportunity to speak with Elizabeth Khalil of Dykema Gossett PLLC.

Elizabeth Khalil Interview Highlights

Elizabeth is a partner at the law firm of Dykema Gossett PLLC. She has been a federal banking regulator for both the OCC and FDIC. Her areas of focus include vendor management issues and UDAAP risk making her a well-respected industry expert. You can listen to the full interview here. During our time, we covered:

• Understanding her experienced perspective on the state of third-party risk management
• Challen­­ges with fintech companies in incorporating regulatory guidance to meet financial institution expectations
• UDAAP and where she thinks the industry stands
• Vendor monitoring – The vendor management pillar that is often neglected
• Senior management and board level vendor management attention

Elizabeth started with sharing that banks and credit unions seem to truly understand the regulatory requirements and third party issues overall. The industry has matured over the years and expectations have certainly evolved.

Elizabeth went on to share her thoughts on the fintech industry and any challenges she sees them facing in incorporating the regulatory guidance and meeting financial institution expectations. 

Fintech Industry Challenges

While the fintech industry has become accustomed to the idea that they need to include certain language and reps and warranties to meet their third party partner’s regulatory expectations, they aren’t quite sure yet which party is responsible for what. For example, she states, that a fintech company may only be providing part of a functionality, so they may not control all of the areas being required to be regulated.

The real challenge is drilling down who is responsible for what and what should be expected from both the fintech company and the third party. These responsibilities really do need to be thoroughly outlined so all parties are on the same page and there is not a disconnect.

UDAAP – The Frustration and Where the Industry Stands

Elizabeth has had much exposure and is an expert around UDAAP (Unfair, Deceptive or Abusive Acts or Practices). Over the last few years UDAAP has gained even more attention as it’s been so closely tied to enforcement actions. Elizabeth shared her perspective on UDAAP and where we are regarding this in the industry.

The biggest frustration with UDAAP is that many don’t know or can’t anticipate what is deemed unfair, deceptive or abusive since there are no specific regulations with examples. Elizabeth shared she doesn’t really see this changing much and even though it’s frustrating, it will always involve a best judgement call. Because of this it’s important to reference what we already have related to unfair, deceptive and abusive practices such as the Dodd Frank Act and Federal Trade Commission to understand if you’re violating UDAAP.

Some tips to help with understanding if your practices and disclosures are acceptable:

• Are your disclosures easy to understand?
• Are they transparent?
• Is there anything the institution could have done to avoid an unfair act from occurring?
• Are consumer complaints being addressed appropriately?

Moving on from UDAAP, Elizabeth made a great point in mentioning that ongoing vendor monitoring is often the forgotten pillar of vendor management. It’s important to never forget about monitoring. This is the phase in third party relationships that the most can go wrong and very rapidly.

Best Practices for Ongoing Vendor Monitoring

• Do not sit back and discontinue monitoring a vendor because all seems well from the beginning. This can be a false sense of security and less active oversight can lead to more risk.
• It’s not one size fits all. You can always change up your monitoring as the vendor relationship evolves over time. For example, you may find at times you need to do site visits for one type of vendor whereas for another type of vendor you may need certain reports from them at times.
• Stay organized, be open to customizations and continue to monitor.

Why Risk Management Doesn’t Receive Enough Attention from the Board/Senior Management and How to Better Involve Them

In addition to ongoing monitoring, it’s important to keep the senior management level and board of directors informed at all times. I made a point to ask Elizabeth if she feels risk management is getting enough attention, generally speaking, from both of these groups and how to better demonstrate their level of involvement. Her response from being in risk management herself, unsurprisingly, is that risk management never gets enough attention!

It’s important to understand that both senior management and the board are being pulled in so many directions. It can make it difficult to prioritize issues. It’s important both are informed on what is going on at the institution. Make it a point to provide reports that they can robustly review. It’s so important that, as risk managers, you document all the steps you take to monitor a third party relationship, not only for regulators, but also for your board and senior management executives.

In addition, it’s important senior management and the board ask good questions, ask the right questions and think about strategic goals regarding third party relationships. This will help to further their involvement and ensure everyone stays on the same and right track.