Risky Business? Banks Urged to Increase Security Processes When Outsourcing

Author: Mark Andrews

On December 5, 2013, the U.S. Federal Reserve issued new guidance to state banks and bank holding companies about the risks of outsourcing to service providers for reviewing loans, information technology and other bank operations. The Federal Reserve advised banks to be wary of new exposures, such as cyber-attacks, and reminded bank managers and directors that they are responsible for the activities of any contractors they hire. Banks were urged to review their risk management policies to ensure they have strong risk management strategies in place. In its guidance, the Federal Reserve stated, "if not managed effectively, the use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation."

Assessing the Risks

Outsourcing may create risks involving a bank's strategy and market, operation, finance, human capital, IT, legal/compliance, and reputation:

  • Not choosing the right service provider, and not providing adequate oversight, may result in unnecessary risks to the bank.
  • Poor service or service that is not consistent with the bank’s own policies can cause a serious reputational risk.
  • Compliance risks may occur if there are inadequate legal compliance controls in place.
  • With many outsourcing initiatives relying on technology, an inadequate IT infrastructure may create operational risks.
  • Legal issues related to privacy, confidentiality, and security of business transactions may result in increased risk to the bank.

Mitigating the Risks

Although these risks are a serious concern, many outsourcing providers, particularly in the legal arena, are stepping up their own security and risk management processes. For example, in response to prior concerns expressed by the legal community, many Legal Process Outsourcing (LPO) providers have taken definitive steps to mitigate risk. They have instituted strong risk management protocols of their own across the service spectrum. Further, many LPO providers have implemented globally recognized processes and certifications, such as Six Sigma, ISO 27001, and ISO 9001.

Managing the Risks

Banks should follow strategic risk management processes to reduce the risks of outsourcing for key bank stakeholders, including shareholders. First and foremost, banks need to choose a well-established LPO provider, one that aligns with their specific needs. Due diligence should include an understanding of the LPO's background, areas of expertise, and track record of success. Banks should also require proper certifications from LPOs across all of their key delivery centers.

A bank's in-house legal counsel should carefully assess their legal needs, and along with that, determine the services and requirements that are most suitable to outsource to an LPO. Banks that outsource less important activities might not have to devote as many resources to monitoring those contracts. In-house counsel also need to be careful that they do not expose themselves under professional conduct rules in matters of confidentiality and security of client information. They must also ensure that the work is adequately supervised.

Finally, it is important for banks to ensure that business continuity plans are in place, and in the event that an outsourcing vendor cannot fulfill its obligations, banks should have a crisis plan ready.

LPO is Still a Viable Strategy for Banks

Despite the cautions issued by the Federal Reserve, LPO, and outsourcing more generally, can be a viable alternative for banks seeking to reduce costs. However, banks that employ outsourcing strategies should give thorough consideration to, and take careful account of, the bank's legal circumstances and needs. With a strong risk mitigation plan, outsourcing can be a successful strategy that you can bank on.