What’s The Risk? Contractual and Insurance Considerations for Banks and Financial Institutions

Wall Street Lawyer

  • Published On: July 9, 2024

How can a financial institution determine which elements of its outsourced work product constitute critical activities, and what can the financial institution do to mitigate the risks that accompany that third-party critical activity? To address those questions, a trio of federal agencies (the Federal Reserve, the FDIC, and the Office of the Comptroller of the Currency) issued guidance last June. Financial institutions should review their internal risk mitigation procedures in conjunction with this federal guidance to ensure that potentially unforeseen risks do not fall through the cracks.

Critical Activities

The federal guidance is just that—guidance. It is not a set of hard and fast rules, but rather guideposts to help banking organizations navigate both known and novel risks in a continuously evolving industry. For example, the federal guidance declines to make a bright-line determination regarding what, specifically, constitutes a critical activity. But it does provide a number of hallmarks of critical activities: they generally have the potential for significant customer impacts, have a significant impact on a banking organization’s financial condition or operations, and would expose a financial institution to significant risk were expectations for the activity not met. Aside from these and similar principles, the guidance leaves it up to each banking organization to determine what its “critical activities” are, and which third-party relationships support those activities.

Similarly, the guidance suggests various due diligence activities but leaves the final determination regarding the extent of diligence to the banks themselves. The guidance provides an extensive list of diligence activities that financial institutions should consider, including assessing the financial condition of the vendor; evaluating the risk management protocols that the vendor has in place; assessing the insurance coverage program of the third party; and analyzing the sub-vendors, or fourth-party vendors, that the third party may utilize to perform its critical activities for the bank.

As evidenced above, the guidance recognizes that the complexities of banking operations also occasionally call for fourth-party vendors to complete critical activities. Here, too, banks and other financial institutions should account for the additional risks posed by adding another relationship into the mix. The guidance suggests that banks should assess their vendor’s ability to assess risks posed by its vendor. This may include early determination of when a third party will use a sub-vendor, oversight into the operations performed by the sub-vendor, periodic audits, and assessing whether the geographic location of the sub-vendor presents additional concerns. While banks certainly consider that risk and liability may flow up from their own vendors, they must also recognize the possibility that additional risks and liabilities may flow back from that party’s vendors. Performing diligence at the outset of any relationship—including a fourth-party relationship—may minimize the exposure that banks eventually face.


Related People
John M. Leonard
Regan E. Samson
© Copyright 2024 by Anderson Kill P.C.