Managing Third Party Risk

Outsourcing is not unique to the collection industry.  It seems every industry in the country is outsourcing some portion of their operational functions.  The benefits of outsourcing include greater expertise on certain tasks, greater efficiency at completing those tasks, lower production costs, overall greater net revenue, and better quality service to clients.  The problem is that many companies choosing to outsource critical functions incorrectly assume that they are not responsible for the quality of service provided by the third party.  Worse yet, outsourcers incorrectly assume they can draft vendor contracts which immunize them from responsibility when vendors violate the law or cause damage to others.  Listen up collection industry!  Consumers, consumer attorneys, and regulators are striving tirelessly to eliminate the legal concept of “independent contractor” and instead impose the theory of principal and agent on every vendor relationship in the financial services industry.  After all, companies in the collection business call themselves collection agencies.

The Consumer Financial Protection Bureau has not been silent on the issue of third party risk and responsibility.  The CFPB plans to hold regulated entities responsible for the behavior of their third party service providers.  This position is not novel.  The Federal Deposit Insurance Corporation (“FDIC”) has been advising the banking industry about third party risk for years.  Collectors can learn from this guidance as the industry begins to prepare for a new level of regulation and government oversight.  According to the FDIC, managing third party risk involves four major elements:  (1) assessing the risk third parties pose to your organization, (2) vetting potential candidates for third party relationships, (3) consummating contractual relationships with third parties, and (4) ensuring proper oversight of the third party.  These issues should be addressed and directed by the highest levels of an organization.

Assessing Third Party Risk:  Many outsources fail to consider the type, scope, and magnitude of the risk a trusted third party might post to their businesses.  What will vendor be doing and why can’t that function be performed in-house as well or better?  An agency will perform a cost/benefit analysis making especially sure to consider the costs involved in keeping the relationship if something goes wrong and overseeing the vendor to ensure proper functioning of the relationship.  Examination of the legal aspects of the relationship and potential risks associated with a particular vendor should also be considered when making a risk assessment on a third party relationship.  Risk assessment should include the establishment of expected performance standards, appropriate internal controls, and anticipated reporting obligations sufficient to monitor the relationship over time.  Several key roles in an organization would be involved in this process, including legal advisors, compliance personnel, information technology employees, and internal auditors.

Vetting Vendor Candidates: Choosing the right vendor may be one of the single most important decisions a collection agency can make when managing third party risk.  This should not be a one-time process.  Vendors should be vetted periodically to ensure they continue meet the high standards established by an organization’s risk assessment.  The level of detail the vetting process involves should be directly related to the importance of the operational function the vendor will perform.  For the collection industry, vendors who “touch” consumers or have access to consumer data should be subject to the highest levels of scrutiny in the vetting process.  Examples of information a collector may review when performing due diligence on a potential vendor which will be performing a critical operational function include: complaint data, significant ligation and regulatory investigations/actions, subcontractor information, disaster recovery and business continuity plans, policies and procedures for legal compliance, experience and qualifications of key managers, insurance coverage, financial statements, training materials, a proposed contract for services, and information technology controls and security.

Consummating The Contract: Lawyers are not the only persons who should be reviewing the services contract with a potential vendor.  Operations people should review it to ensure the collector can deliver on the contract’s promises and the sales people should also review them to ensure they are not “selling” more than is actually being delivered under the contract.  Contracts should clearly and comprehensively describe the scope of the relationship and address issues such as the services to be performed, the measurement of quality expected in those services, the term of the contract, reporting obligations, auditing rights, compensation structure, conditions of default, dispute resolution terms, confidentiality and data security, indemnity and defense, disaster planning, and limits on liability, just to name a few.  Collectors should not ignore the significance of ensuring that the terms protect the collector, its clients, and consumers.  More importantly, collectors must understand that they may not abdicate their responsibility to perform critical functions properly simply by imposing those obligations on third parties via contract.

Overseeing Third Parties:  One thing is certain in the collection industry – things change.  Vendors change.  Clients change.  Technology changes. Performance and quality may drift.  Service may slump. Financial, legal, and social pressures may result in “corner-cutting.”  These changes put an organization at risk.  When these changes happen to vendors, it puts the organization at even more risk – especially if the organization is not aware of those changes.  Monitoring and oversight of third party vendors is a necessary ingredient in any risk management recipe.  Periodic review of critical vendor relationships should be conducted by the highest levels of the organization.  As if the vetting process recommences, collectors should reexamine their vendor relationships regularly to ensure the vendor is meeting the needs identified in its risk assessment and that the vendor continues to meet the high standards established by the vetting process.

Managing third party risk is serious business in today’s collection industry.  No longer should debt collectors be content relying on contract terms which have not have been reviewed in years.  The CFPB is focusing on third party relationships.  Wise collectors will focus on their own third party risk management programs before someone else with a government title does.