Third Party Risk Management Interview with Ballard Spahr Attorney

As part of Venminder’s Thought Leadership series, I recently had the opportunity to speak with Glen Trudel, Partner at Ballard Spahr. In this series, we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends and more.

Glen’s a consumer financial services, banking and business attorney who counsels financial institutions, marketplace lenders, fintech entities and other companies on both regulatory and transactional matters. He has significant experience with the documentation and creation of marketplace lender platforms and structures and the acquisition and divestiture of consumer and business credit card and other loan portfolios. He also advises state and federal financial institutions and other entities on regulatory, operational and vendor outsourcing matters, debt sales and collection agreements, other transactions and assists clients in the structure and documentation of new credit products and on formation and licensing issues in Delaware.

Glen Trudel Interview Highlights

During our time, we covered:

• Predictions for the rest of the year from a regulatory compliance perspective
• The OCC Fintech Charter and how fintechs are doing overall with third party risk management
• Third party risk struggles and how to conquer them
• Third party risk best practices

A Regulatory Breakdown: What to Expect

There have been a number of changes at the prudential regulators this year. It’s been exciting to watch and is leading to much change, but with change also comes a lot of looming, unanswered questions. Glen is an expert in the industry, so I wanted to hear his perspective on the changes and what this means for us for the rest of the year from a regulatory compliance perspective. Glen really gave me an in-depth overview breaking it down by regulator, their 2019 focal points thus far and how he sees this impacting vendor risk management the rest of the year:

FDIC

1. Chairman of the FDIC, Jelena McWilliams, has shared that the agency is reviewing their guidance and that they want to do better with the de novo bank process; she’s working hard to give insight regarding the FDIC’s processes and why they do what they do and more
2. Since the agency was finding many technology service provider contracts to be inadequate, they issued new guidance – FIL-19-2019 – to remind financial institutions to review and implement strong contractual provisions and other specific requirements in their third party technology service provider agreements

FDIC Prediction: All of these changes at the FDIC don’t mean there’s going to be an immediate change to vendor risk management per se, Glen shares. However, it does mean the FDIC is keeping a close eye on the industry and they do still feel they’re at the forefront and responsible for advising banks – who they primarily regulate – and ensuring they’re following regulatory guidance.

OCC

1. No radical departures from prior guidance and no major changes this year

OCC Prediction: No radical changes at the OCC  is likely due to the agency’s guidance being considered by many to be the most comprehensive vendor risk management guidance available. Therefore, there are no real significant vendor risk management changes predicted for the rest of the year as far as the OCC goes.

FTC

1. All five commissioners have started within the last year
2. They continue to be an aggressive regulator
3. There have been efforts to eliminate robocalls and a lot of focus around debt collection, debt repair schemes, identity theft, privacy and data security and more

FTC Prediction: The agency’s approach to vendor risk management and the direction they take can all change rapidly as the commissioners become more and more comfortable in their roles

CFPB

1. Have shared their focus on preventing consumer harm rather than merely handing out fines
2. A symposium to discuss the term “abusive” in more detail
3. Active on the supervision and enforcement side of things

CFPB Prediction: As far as the rest of this year goes, Glen sees the CFPB continuing to place a strong focus on prevention and education.

Fintechs: Are They Progressing in Third Party Risk Management?

Respectfully, Glen shares that he can’t state collectively how all fintechs are doing as he doesn’t feel it would be of particular value. However, like with any industry, some fintechs will be significantly better at identifying and controlling risk as compared to some of their peers. Glen says in order for a fintech to progress and be successful in third party risk management, they need to make third party risk a priority and work diligently to do it correctly. Fintechs and their approach to third party risk will continue to be a regulatory focus.

As far as the charter is concerned, Glen doesn’t foresee an application for the charter that will come to the fore as long as the OCC Fintech Charter litigations are in place. In his opinion, being the first fintech to seek a charter would certainly draw scrutiny and would potentially put itself into the current litigation efforts.

Maintaining a Vendor Management Program Is Not an Easy Feat

Glen and I chatted briefly about the biggest vendor management struggles. According to Venminder’s 2019 State of Third Party Risk Management survey, fourth party risk assessments and third party cyber security assessments were found to be the next biggest hurdles in vendor management.

Although Glen agrees those are definitely struggles, he thinks the biggest struggle is hard to pinpoint as it will always vary from company to company and industry to industry. He proposes the biggest struggle is really, put simply, keeping your vendor management program in order at all times. You may have a strong program, but can you keep it that way. That’s a struggle and true feat in itself.

Your Vendors’ Vendors: Why Fourth Parties Matter

Another challenge can certainly be having to rely to some degree on your vendors to adequately monitor their vendors. These are considered your fourth party vendors and is in line with Venminder’s survey as a common industry challenge. Glen gives us some sound advice that everyone should follow.

He says, “These fourth party issues can be something that can be identified in an organization’s initial vendor due diligence and perhaps watched over as part of the organization’s ongoing monitoring to identify these gaps that may inhibit or prevent them from adequately monitoring their important vendors. And, identifying those gaps early on and also enlisting the vendor's aid in getting those better handled on such downstream providers is an important area.”

It really all comes back to the basics of third party risk management and identifying issues through the due diligence and risk assessment process to make sure you’re not missing any gaps and risk.

Wrap Up

Glen wraps up the conversation with a quick mention that it’s important to verify the resources you have in-house to manage your third party risk management program are adequate. If they’re not, because you don’t have enough people or maybe you just don’t have the someone with the expertise, then it’s perfectly acceptable to bring in third party resources to assist. It can often be the most cost-effective solution that reaps results in a quick manner, instead of playing catch-up in an area where you don’t want to be behind.

On behalf of myself and Venminder, thank you to Glen for taking the time to participate in this podcast. Be sure to check it out here  to hear more insight and perspective.

Understand more about the current State of Third Party Risk Management. Download the whitepaper.