The new FDIC Supervisory Insights Winter 2010 newsletter addresses several issues of interest to bankers, including Trust Preferred Securities, Managing Agricultural Credit, and Senior Life Settlements. It also includes a section analyzing the results of a survey conducted by FDIC examiners over the past year. The more than 2,100 responses are producing some interesting results, especially when correlated with other financial reports like call reports, but of particular interest to me were the findings examining how financial institutions are “responding to the recent period of economic and competitive challenges.” One of the trends identified in the survey results was how financial institutions are increasingly “…making use of third-party providers to offer new and innovative products,” and particularly, “how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.”
Community financial institutions are no strangers to vendor management, particularly the importance of addressing privacy and security issues, but the article makes reference to the risk of Unfair or Deceptive Acts and Practices (UDAP). This is not a traditional risk category in and of itself, and may not be a consideration in your current vendor management program, but based on recent enforcement cases, maybe it should be. The article makes reference to FDIC guidance here, and the FFIEC provides additional guidance here and here, but none of the existing guidance specifically mentions the significant financial liabilities and increased reputation risk that can result from a lawsuit based on UDAP.
The conclusion states:
“Overall, Survey results show that banks are responding to ongoing economic and competitive challenges in a variety of ways, for example, by tightening underwriting standards and making use of third-party service providers to offer new and innovative products. These operational changes can affect an individual institution’s risk profile and its ability to effectively manage the resulting consumer compliance risks. The analysis of data gathered through this Survey will continue to help the FDIC understand how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.”
I suggest you incorporate UDAP risk into your existing vendor management risk assessment by ensuring that it is identified as one of the potential contributors to reputation risk (along with privacy and security breaches), and that the legal risks are assessed along with standard regulatory/compliance risks.