Category: Uncategorized

  • Hometown, Community Banks Don’t Have to Disappear

    The Wall Street Journal recently detailed the demise of the National Bank of Delaware County (NBDC), a small community bank that had been in business since 1891, after it bought Bank of America’s sole branch in an upstate New York town. “People waited in four-hour-long lines at the Monticello, N.Y., branch and withdrew nearly half of their deposits, moving them to banks with more reliable technology … The community bank, which had been in business for more than a century, eventually sold itself in a fire sale,” the Journal dolefully reported. But despite cautionary tales, community financial institutions aren’t doomed.

    Community banks have made a positive impact on our country, and they can continue their legacy with help from both traditional and non-traditional players. They’ve also played an important role in the lives of so many Americans. I’m one of them. When I was starting out as a young entrepreneur and needed additional capital to grow my business, all the big banks turned me away. It was a small community bank in Tulsa, Okla., that took a chance on me, and I’m still banking with that outfit 30 years later.

    Since that time, the banking game has definitely changed. It’s no longer just about getting more accounts and deposits; it’s about servicing account holders in the ways they want to connect. It’s about enabling customer engagement across an increasing number of channels and platforms. With technology rapidly transforming our world, customer service looks a lot different than it did a decade ago, much less a century ago.

    Consumers expect a banking experience as modern as their one-click shopping, app-based ride services and voice-controlled digital assistants. They want easy and convenient access to their financial accounts using the latest digital devices — anytime, anywhere. That means banks of all sizes need an omnichannel strategy that integrates web, mobile, SMS texts, email and voice. And by voice, I don’t just mean phone.

    More than one in three consumers now own a smart speaker like Amazon’s Alexa, Google Assistant, Apple’s Siri, Cortana or Bixby, according to data from Adobe Analytics. And even more consumers use digital voice assistants on their smartphones, Pew Research finds. Now is the time for community financial institutions to get on board with voice banking because conversational engagement will soon extend beyond smart speakers and smartphones and will be used increasingly via software in a wider range of voice-enabled platforms, such as smart watches, televisions and automobiles. Conversational voice banking need not remain a “big-bank” technology; community banks can roll out this next-generation convenience as well.

    Community institutions typically don’t have the IT staff or budget for R&D and compliance like big banks. Consumers, however, still want the technology that the major players offer but smaller banks sometimes can’t afford. But all is not lost; community financial institutions can continue to succeed by creatively capitalizing on their strengths and thinking outside the box. In today’s environment, with companies offering “right-sized” Software-as-a-service solutions for institutions of all sizes, seeking the right technology partners can enable community banks to continue to meet consumer preferences for a friendlier financial institution and simultaneously satisfy consumer demands for a technology-enhanced banking experience.

    Innovators are reimagining the consumer experience and have developed turn-key solutions that equip smaller community financial institutions with modern technologies. Leveraging artificial intelligence and data analytics allows these institutions to meet the demands of digitally-savvy consumers with high-tech expectations. And this is not “tech for tech’s sake”; innovation in customer engagement is critical to the success of community institutions today. It should work hand-in-hand with the institution’s traditional customer channel experience.

    Balancing the importance of in-person and digital customer engagement is crucial for community banks to protect their market share. Consumers want their financial institutions to meet them where they are, in the communications channels they like to use. In addition to smiling faces, community institutions need a technology-based, speed-first strategy. Luckily, community bankers have a history of putting technology to work for their customers. United American Bank in Knoxville, Tenn., for example, pioneered home-computer banking, bringing the service to its customers first in December 1980. Technology developers, such as Clinc AI, can help community banks lead again.

    “The disappearance of hometown, community banks is not good for America,” the final slide of an NBDC shareholder presentation once read. I agree. But I’m confident that looking beyond their own walls for technology solutions will allow

  • 3 Core Deposit Management Strategies to Implement at Your Bank

    “I don’t think there’s any more important topic at this time in our recovery in the economy and the state of community financial institution management,” said Dave Koch, managing director of Advisory Services at Abrigo on the topic of core deposits. “Deposits are a thing that we have coveted for a while and became quite easy. Now once again we’re back to the question of, where do I go to get more deposits? It’s a challenging and vexing business in a strong and growing economy.”

    There are three successful deposit management strategies that financial institutions can use to update the assumptions in their asset-liability models and to satisfy internal and/or regulatory requirements, according to Koch in a recent webinar, “Analyzing Core Deposits for Risk Management and Loan Growth.”

    Understand the makeup and behavior of your depositors. An institution should be able to look at the actions it has taken and determine what the demographics and behaviors of its depositors are today, as the depositors of today look different than those of 10 or 15 years ago. An important question to research is, “What makes this depositor engage with us?” This new class of depositors expects different kinds of conveniences, like online access and easy transfer of money with technology. This changing depositor landscape is shifting the strategies utilized for successful deposit management.

    Develop your pricing strategy relative to the behavior of deposits. After figuring out who the depositors are, it is important for a financial institution to have a firm idea on pricing strategy. This includes knowing if an account will be stable or reactive to specific market conditions. Financial institutions are looking for stable deposits that are not sensitive to pricing; however, it is unlikely that deposits will behave in a steady manner. It is more common to have reactive money, which is caused by people demanding to receive the market rate when rates are higher. Although this situation can be manageable, it is important to identify the split of price-sensitive and insensitive deposits. How can a financial institution keep depositors engaged on levels other than price?

    There are a lot of depositors who choose to go with other financial institutions not solely because of price but based on what they get from the relationship. Specific perks include cashback based on the number of transactions, free on-line banking and other rewards. A financial institution should learn more about those benefits and identify whether it will be profitable to incorporate those relationship-building strategies into their lines of business. 

    Understand deposits’ impact on the balance sheet. Lastly, for an effective deposit management strategy, there should be an awareness of how deposits act on balance sheets. From a contractual term, deposits can look different from how they are being used in practice. On paper, non-maturity deposits are short-term contracts that can be canceled with the stroke of a pen or a click of a mouse. Yet, in practice, it’s much more common for these deposits to have a long shelf-life, and leadership should still be able to identify how this money can be leveraged and what can be funded by their deposits. In order to do this, a core funding duration or life should be calculated so that deposits are allocated in a way that continues to accomplish the overall institutional mission, which is providing excellent credit services to the marketplace.

  • Video Banking Offers Extension of Financial Services to New Locations

    A number of financial institutions are turning to video banking technology to extend their services, finds London-based RBR’s Teller Automation and Branch Technology 2019 report. This trend is particularly strong in rural areas, the research found.

    Video banking technology provides banks with an additional point of contact for their customers. It enables them to offer a wider variety of transactions and assistance remotely, addressing the needs of customers in areas where full-service branches cannot be profitably located.

    Bridging the Gap Between Self-Service and In-Person

    The study shows that video banking allows banks to provide remote teller services to assist with transactions such as cashing checks and dispensing cash in denominations that are not typically offered at an ATM. In addition to the expansion of services, the hours of operation can also be extended.

    One market where the technology is making a difference is Canada, where it allows credit unions to reach customers spread across the country’s vast geography. An example is FirstOntario Credit Union, which offers remote teller services at ATMs. Members are able to talk to and see a teller via the ATM screen and carry out services including loan payments, cash advances and booking appointments.

    Video Banking Helps to Extend Bank Footprints

    Banks are using video banking to build a presence in areas where a regular branch may prove too expensive to establish and maintain. In some markets, terminals have been marketed as micro-branches or booths and allow banks to offer assisted self-service transactions. According to RBR’s research, such terminals have grown in popularity within the Turkish market and are currently deployed by banks including Kuveyt Türk and ZiraatBank. DBS Bank in Singapore has deployed similar self-service terminals in soundproof booths to provide customers greater privacy when making video transactions.

    “Video banking technology is now at the forefront of banks’ strategies in the provision of new offerings and cost efficiencies,” said Beatriz Benito, who led the company’s study. “Both customers and banks can benefit from the successful implementation of video banking technology in the transition towards customer-centricity.”

  • Best Practices in Banking Vendor Management – Policies and procedures

    Policies and procedures

    Finally, a bank must have strong policies and procedures in place. The policies provide a framework for vendor management while the procedures provide for implementation. The policies should reflect the commitment of the board of directors to establish a culture of compliance with regulatory guidance. Regular reporting to the board should provide oversight by demonstrating that the procedures are effectively implementing the board’s policies.

    Vendor management, as with every aspect of a bank’s risk management program, is essential to a safe and sound financial institution. The vendor management program should be established with appropriate reporting structures so that the senior management and the board of directors have the appropriate information necessary to control and monitor risks to the bank.  

    Vendor management programs require constant supervision and oversight to remain effective. Automation should be considered wherever practical to maintain compliance. Third-party reviews of the program can also provide assistance in identifying weaknesses or holes in compliance, processes or procedures.

  • Best Practices in Banking Vendor Management – Documentation

    Documentation

    The best vendor management program is not worth much during regulatory exams if you cannot demonstrate your compliance and capabilities. That is why documentation is key.

    Documentation is the evidence of complying with the requirements of the bank’s policies and procedures, regulatory/legal requirements and contractual obligations.   

    Effective documentation should maintain:

    • Each vendor’s risk report, due diligence and monitoring reports (ideally, a copy of the vendor contract would be contained in this file);
    • All contracts in a centralized and organized filing system;
    • All reports to the board;
    • All internal vendor management audits;
    • Vendor-related customer complaints;
    • Regulatory notifications;
    • Control testing results: The bank should routinely test all vendor management controls and requirements and document the results;
    • Updated risk assessments and due diligence to the vendor files; and
    • Deviations from policy or procedures with appropriate explanations.

  • Best Practices in Banking Vendor Management – Monitoring

    Monitoring

    A vendor management program without appropriate monitoring is like driving in the dark at 90 mph without headlights.

    Deliverables, metrics or service agreements, risks and due diligence must be tracked, monitored and updated. Mandatory monitoring should include:

    • Business strategy (including acquisitions, divestitures, joint ventures) and reputation (including litigation) that may pose conflicting interests and impact the vendor’s ability to meet contractual obligations and the service-level agreement;
    • Compliance with legal and regulatory requirements: Have enforcement actions or material litigation been filed against them?
    • Financial condition: What fiscal changes have they experienced and why?
    • Insurance coverage: Maintained, updated with appropriate limits and deductibles;
    • Key personnel and ability to retain essential knowledge in support of activities;
    • Ability to effectively manage risk by identifying and addressing issues before they are cited in audit reports;
    • Process for adjusting policies, procedures and controls in response to changing threats, new vulnerabilities, material breaches, or other serious incidents;
    • Information technology used and the management of information systems;
    • Business continuity plans: Testing and reporting of test;
    • Subcontractors: Location of subcontractors, and the ongoing monitoring and control testing of subcontractors;
    • Agreements with other entities that may pose a conflict of interest or introduce reputation, operational or other risks to the bank;
    • Ability to maintain the confidentiality and integrity of the bank’s information and systems;
    • Volume, nature, and trends of consumer complaints, in particular those that indicate compliance or risk-management problems;
    • Ability to appropriately address customer complaints;
    • Cybersecurity; and
    • Contract milestones including notification dates, renewals and terminations.

    The monitoring aspect of a vendor management program is the result of the risk assessment, due diligence and contracting with the vendor. However, it also represents the future of the vendor relationship. The bank’s monitoring activities should be tailored to develop the vendor relationship and provide visibility into the vendor’s operations and activities on numerous levels by adopting a multi-layered approach to monitoring, gathering information from various people or areas of the vendor. This alone provides additional controls and verification on the information provided.

    Of course, to achieve an appropriate level of monitoring, the bank has to devote appropriate, experienced resources to monitoring and provide the tools necessary to deliver the expected results.

  • Best Practices in Banking Vendor Management – Contracting

    Contracting

    The contracting aspect of an effective vendor management program is not just signing a document or turning it over to the lawyers for drafting. Contracting in the context of vendor management requires a disciplined approach by the bank. Since the contract between the bank and the vendor will be the final authority and the point of reference for all expectations from both parties, the process of contracting must be established internally.  In developing this process the bank should consider:

    • Who manages the bank’s contracts?
    • How are the bank’s contracts managed? Is it a centralized, decentralized or hybrid process?
    • Who is responsible for negotiating terms?
    • Can financial incentives impact the vendor’s negotiations?
    • Can operational incentives or issues impact the vendor’s negotiations?
    • Are there market incentives or issues that could impact the vendor’s judgment?
    • Are there strategic incentives or issues that could impact the vendor’s judgment?
    • Who manages amendment and renewals?
    • Who is monitoring changes in the environment (technological, market, legal, regulatory, customer base)?
    • What approvals or notifications are necessary for contracts? Are there different tiers for varying costs and impact?
    • Board approval is required for a contract that involves critical activities.
    • Regulatory notification is required for contracts involving check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices and similar items, or any other clerical, bookkeeping, accounting, statistical or similar functions performed for a depository institution. This requirement has been very broadly interpreted by the regulators to include notification of contracts involving any technology-related services.
    • Who is authorized to execute the contracts?
    • Banks should be wary of the risk inherent in a decentralized system, a system that broadly grants contracting authority or practices that give apparent authority to employees and an agent.

    Of course, the documentation itself is very important to the contracting process. The final contract should represent the business terms both parties expect, mitigation of the risks identified in the risk assessment, and tools to maintain due diligence and monitor ongoing performance. The key provisions that should be considered in any contractual relationship are:

    • Nature and scope of arrangement

    A thorough and complete description of the services to be provided is the core of any services agreement. Regulators recommend that the description also include ancillary services such as software or other technology support and maintenance, employee training and customer service. 

    • Performance measures

    Service levels, metrics, deliverables or benchmarks are a second essential element to an outsourcing agreement. Regulators caution that performance measures should not incentivize undesirable performance, such as sacrificing accuracy for speed or compliance requirements, to the detriment of customers. 

    • Cost and compensation

    The contract must establish payment terms, but banks should ensure the contracts do not include burdensome upfront fees or incentives that could result in inappropriate risk taking by the bank or the vendor. The contract should specify the conditions under which the cost structure may be changed, including limits on any cost increases and any penalties for any failures to meet service levels, controls and audit requirements, or late payments.

    • Audit rights

    The regulatory authorities have broadly applied the legal authority they are granted in the Bank Service Company Act to include rights to directly examine bank vendors.  Banks are presumed to include contractual language that will give them and regulators access to the vendor’s operations, records and employees to conduct examinations and audits when appropriate.

    • Confidentiality and integrity

    Contracts must require confidentiality of any customer information provided or even potentially available to the vendor. Vendors must protect that information according to regulatory standards and applicable law. The contract should specify when and how the vendor will disclose information about security breaches, and whether the breach resulted in unauthorized intrusions or access that may materially affect the bank or its customers. The contract should address the power of each party to change security and risk management procedures and requirements, and to resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party.

    • Ownership and license

    In a world where it is becoming common for banks and vendors to jointly develop or create products and services, the contract must address ownership rights of jointly developed property as well as ownership rights of property contributing to or utilized in that development. Also, the bank should require the vendor to warrant that any third-party intellectual property used is (1) licensed for the services provided, (2) that such use, and the property or tools the vendor is contributing, will not infringe upon someone else’s intellectual property, and (3) in the case of software and/or hardware, the property will not transmit any unwanted or harmful programs to the bank’s systems.

    • Indemnification

    Many times this is a point of contention or confusion. However, it is important that the bank ensure that any indemnities it provides to the vendor make sense from a risk management perspective and that any indemnities it receives from the vendor appropriately assess the risks inherent in the relationship. 

    • Default and termination

    Banks should always ensure the contract provides them the right to terminate if the vendor fails to meet its obligations. However, regulators have identified three other points to consider in the default/termination clause:

    1. The bank should determine whether it includes a provision that enables the bank to terminate the contract, upon reasonable notice and without penalty, in the event that, among other circumstances, a regulator formally directs the bank to terminate the relationship. 
    2. The services agreement should permit the bank to terminate the relationship in a timely manner without prohibitive expense.
    3. The services agreement should include termination and notification requirements with time frames to allow for the orderly conversion to another vendor.

    • Dispute resolution

    Most contracts should provide for some form of dispute resolution, either an informal process of meetings between management or a formal plan involving arbitration or mediation.

    • Liability caps

    Large risks banks face come from limits of liability. A vendor that a bank pays $50,000 per year could expose the bank to a class action that costs $25,000,000. If the bank has agreed to a limit of liability on the amount of fees paid to the vendor in a year, this outsourcing poses a significant risk. 

    To address this risk, the bank also should determine whether any liability caps are in proportion to the amount of loss the bank might experience. Banks should reject the all-too-common “annual fees paid” formulation unless that amount is an accurate reflection of the bank’s risk.

    • Insurance

    The contract should stipulate that the third party is required to maintain adequate and appropriate insurance coverage, to notify the bank of material changes to coverage, and to provide evidence of coverage periodically or upon demand.

    • Customer complaints

    When a vendor could receive complaints from customers, the contract should specify whether the bank or vendor is responsible for responding to customer complaints and outline specific standards for when a response is given and instruct the vendor which bank officer should receive the complaint. In those situations, the contract must also address retention guidelines and escalation procedures for customer complaints.

    • Business resumption and contingency plans

    Given the increased regulatory attention to disaster recovery, banks would be wise to require the vendor to provide the bank with disaster recovery plans, testing schedules, the ability to participate in the tests and the sharing of the results of those tests.

    • Foreign-based third parties

    Contracts with foreign-based third parties should include choice-of-law and jurisdictional provisions that provide for adjudication of all disputes under the laws of a specified jurisdiction. Regulators do not require that the jurisdiction or applicable law be the United States or a political subdivision thereof, but when a U.S. bank submits to the laws and jurisdiction of a foreign country, there should be a plan in place to protect its rights in that jurisdiction and an articulable reason for accepting the foreign jurisdiction.

    • Subcontracting

    The contract should specify: (1) any specific activities that cannot be subcontracted; (2) whether the bank prohibits the vendor from subcontracting activities to certain locations or to specific subcontractors; (3) a notification to the bank before a subcontractor is engaged (with an opportunity to perform due diligence on the proposed subcontractor) or when an existing subcontractor is terminated; and (4) ability to perform an audit and get due diligence on subcontractor. 

    The bank should also reserve the right to terminate the services agreement without penalty if the vendor’s subcontracting arrangements do not comply with the contract or if the bank does not approve a proposed subcontractor.

    • Responsibilities for providing, receiving and retaining information

    As part of establishing and reporting performance metrics, the contract should require the vendor to provide and retain timely, accurate and comprehensive information that allows the bank to monitor performance, service levels and risks. Additionally, regulators have recommended other reports that many vendors are not eager to accept but actually are very important to maintaining an effective vendor management program.  Specifically:

    • Prompt notification of financial difficulty, catastrophic events and significant incidents such as information breaches, data loss, service or system interruptions, compliance lapses, enforcement actions or other regulatory actions.  
    • Personnel changes, or implementation of new or revised policies, processes and information technology.
    • Notification to the bank of significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures or other business activities that could affect the activities involved.

    • Responsibility for compliance with applicable laws and regulations

    The contract should require compliance with laws, regulations, guidance and best-practices standards applicable to the bank. Some vendors will try to avoid this by saying the regulations that govern banks do not apply to them. However, the bank is still responsible for compliance with its laws and regulations, and a vendor that is not meeting those requirements when performing services for the bank is putting the bank at significant risk. Bank vendors must be informed of the requirements, and they must agree to follow and implement relevant rules, regulations and laws that apply to banks.

    The bank must always weigh the nature of the services, the risk posed by the outsourcing, and the relationship of the parties to construct contractual provisions that meet the bank’s needs, vendor-management program and legal/regulatory requirements.

  • Best Practices in Banking Vendor Management – Due diligence

    Due diligence

    After the risks of the outsourcing to the bank are evaluated, the bank must necessarily turn its focus to the potential vendor and perform due diligence. The amount of due diligence required is directly related to the level of risk and complexity of the vendor’s service. Critical vendors, those with access to confidential data, particularly customer data, and those that pose high risk to the bank will require the most extensive due diligence.

    Banks too often rely on their prior experience with the vendor or recommendations from other banks as a proxy for due diligence and do not conduct a thorough vetting of the vendor. That is a recipe for major problems because a vendor’s condition can change and the expectations and requirements of a vendor may vary widely from one bank to another. 

    To establish an effective due-diligence component of the vendor management program, the bank may need to investigate the following:

    • Strategies

    Consider the effect of the vendor’s business plans and focus on the outsourcing. If its business focus is moving away from the services the bank needs, that should be a red light for the bank. Similarly, if it is contracting, acquiring or partnering with businesses that are competitive to the bank, certain contractual and operational controls may be necessary. Also, if the vendor is associating itself with businesses that may reflect negatively on the bank in the eyes of the public or the regulators, that is another factor to consider.

    • Legal and regulatory compliance

    The vendor’s potential to impact the bank from a compliance standpoint has to be quantified and, when appropriate, the bank should evaluate the vendor’s legal and regulatory compliance programs to ensure that not only does the vendor have the appropriate licenses to provide the services but also to ensure that it has the necessary internal controls and programs to provide the services in compliance with applicable laws and regulations. Also, the bank should investigate whether the vendor has any enforcement actions against it, or regulatory related civil actions that could materially affect its ability to perform as expected.

    • Financial condition

    The bank should review the vendor’s financial statements to make a reasoned judgment as to whether the vendor will be financially able to perform the outsourcing. Audited financial statements are the best because the auditors state whether they believe the vendor will be in business one year later.

    • Reputation

    Determine how the vendor is viewed by existing customers, its industry and the public in general. Review marketing materials to make sure the vendor accurately represents its business, deliverables and capabilities.

    • Operational capability

    Fundamental to any outsourcing is the ability of the vendor to perform.  Whatever the relationship is, the bank should determine if the vendor can provide the services and products the bank needs. This may take the form of reviewing the vendor’s existing products and services, the vendor’s resources, its proposed staffing and its experience.

    • Fee structure


    The proposed fee structure of the service must be analyzed to determine if it creates inappropriate risks such as high upfront fees or fees that could incentivize inappropriate behavior.

    • Background checks

    One of the reasons that banks are so heavily regulated is that their business is considered vital to the U.S. (and global) economy, and perhaps national security, as well. To that end (not to mention some federal legal requirements), a bank must be sure that its vendors (and their subcontractors) are not hiring employees with criminal records.

    • Security

    Because of the critical nature of the information that banks possess and the financial implications of transactional relationships, banks must consider a vendor’s access to confidential customer information, money or accounts. When such access is part of an outsourcing, the bank must scrutinize the vendor’s information security and physical security programs and policies, internal controls and infrastructure.

    • Human resource management

    The bank should review the vendor’s programs to train employees on policies and procedures and its process for dealing with violations and failure to pass screenings. Depending on the services provided, the bank may need to consider the vendor’s succession plan for key personnel and its ability to continue to retain or attract skilled employees to perform the services.

    Appraise  how the vendor’s employment practices could bear on the relationship or reflect on the bank. For example, diversity programs are part of the business landscape, and a vendor without a diverse employee base may have potential social or legal issues in its future or may even  damage the bank’s reputation. 

    • Subcontracting

    It is imperative that the bank assess any potential vendor’s use of, and reliance on, subcontractors and its ability to monitor and manage them. If the services provided by the subcontractor have the potential to impact the bank or if they involve customer information, due diligence may be required on the subcontractor. 

    • Insurance

    Assess the vendor’s insurance coverage to ensure that appropriate types and levels of coverage exist. Of course, the coverage requirements will vary depending on the size of the vendor and the nature of the outsourced function. 

    Be wary of the terms of coverage and other contractual terms. For example, a high deductible or co-insurance requirement in conjunction with a limit of liability may render the insurance coverage ineffective.

    • Business background and strategy

    Recent innovations in products and services, and the resulting boom of new banking vendors, might seem to shift the due-diligence focus away from vendor backgrounds. In many cases, the vendors are providing something brand new. However, even in cases where the service, product or the vendor is new to the market, consider how the vendor got into its business and its roadmap.

    • Risk management

    Examine the effectiveness of the vendor’s risk management program and internal controls. Include a review of the vendor’s internal audit department and its effectiveness, as well as a review of Service Organization Control reports and any external certifications.

    • Management of information systems

    Understand  the vendor’s technology systems, processes, maintenance and compatibility. The bank should also understand how the metrics expected from the service will apply to the vendor systems and schedules for upgrades and/or enhancements.

    • Disaster recovery

    Regulators are concerned that banks are not paying enough attention to their vendors’ business continuity plans, as evidenced by guidance the FDIC recently issued. Evaluate the vendor’s ability to deal with service disruptions from external and internal events and determine how those disruptions and recovery plans will impact its operations. Ensure the vendor is appropriately testing those procedures and confirming they remain effective and up to date.

    • Incident reporting

    The bank should determine if the vendor has a satisfactory and sufficient process to identify, report, escalate and resolve incidents, including but not limited to, data security incidents, employee-related incidents, operational disruptions, compliance violations and legal claims. The vendor must be able and willing to report anything that could impact the bank, the bank’s customers or the vendor’s ability to perform.

    Although no amount of diligence can eliminate all risk, the bank’s due-diligence policies and procedures should reasonably assure the board of directors, senior management and regulatory authorities that the appropriate investigation into potential third-party vendors was conducted.

  • Best Practices in Banking Vendor Management – Risk assessment

    Risk assessment

    Before anything is outsourced, the bank should first determine whether the outsourcing is consistent with its strategic direction and then conduct a cost/benefit assessment. This assessment should include all risks of the outsourcing, starting with: whether there are qualified and experienced vendors to perform the service on an ongoing basis; if the bank will be able to provide the appropriate oversight and monitoring of the vendor going forward;  and what resources are required and what safeguards are in place for disruptive events.

    Once these preliminary issues are addressed, additional key risks from outsourcing functions to external vendors should be considered:

    • Operational/transactional risk

    The ability of the service provider to perform the expected function should be one of the first risks considered. When evaluating this risk, consider the vendor’s infrastructure, resources, training program, employee onboarding, expertise, equipment, facilities, employees and corporate governance. Make sure the vendor can perform the tasks expected without subjecting the bank to undue risks.

    • Reputational risk

    The  adage “birds of a feather flock together” is not only good advice for people (and birds) but also for a bank choosing its associates. Be mindful that the choice of vendors can reflect directly on how the public and the regulators view the bank. Evaluate how the vendor runs its operations and how those operations could (not will) impact customers. Assess the vendor’s legal and compliance history and its overall reputation. By choosing any given vendor, its reputation becomes part of the bank’s reputation.

    • Compliance risk     

    Very few people outside the banking industry understand the length, breadth and complexity of the regulatory structure that banks must follow. With any outsourcing, the bank must evaluate the compliance risk in the relationship. In some cases, a vendor may have a direct impact on a bank’s ability to comply with legal and regulatory requirements. For instance, outsourcings involving consumer privacy, consumer protection, information security, record retention, and/or Bank Secrecy Act and Office of Foreign Assets Control should be thoroughly vetted. 

    However, in some relationships, the regulatory implications may not be so obvious. Always consider the indirect effect that a relationship could have on compliance. For example, a vendor may not have a direct impact on regulatory compliance (like a vendor that provides disclosures); however,  the vendor may be responsible for providing tools that enable a bank to meet its regulatory obligations. 

    • Concentration risk

    One frequent weakness noted in vendor management is over-reliance by some banks on a single vendor for too many operational functions. Without appropriate risk identification and mitigation, certain operations, and possibly even the bank itself, could be jeopardized or impaired by over-reliance on a single service provider, a limited number of service providers or those concentrated in the same geographic location. Always consider what would happen if that vendor or the vendor’s geographic location suffered a catastrophe and how that would affect the bank.

    • Strategic risk

    Before embarking on any outsourcing, senior management should determine how that outsourcing fits into the bank’s long-term and/or short-term strategy. Once that analysis is done, the outsourcing should be specifically tailored to meet the bank’s business plans. For instance, if the outsourcing is a short-term fix to an immediate problem, the risk inherent could be considerably higher than a long-term relationship with an established partner. A vendor with a limited duration is less likely to be as engaged and as responsive and may be  more willing to compromise on the things that are essential to regulatory compliance and effective vendor management.

    • Legal risk

    Once perhaps the most overlooked risk in an outsourcing relationship, legal risks have now been recognized as significant by banks who engage third-party service providers. Through numerous examples over the past few years, banks have learned that vendors can do things or fail to do things that get banks in legal trouble. In addition to analyzing legal risks, banks must also consider regulatory implications like data security, Reg E and Reg Z, as well as the rules of payment systems that can result in hefty fines, chargebacks and penalties when vendors fail to meet their obligations. For example, a business that uses recurring debits to a bank account, but is not appropriately capturing, storing or cancelling customer authorizations, can quickly cause a bank to incur substantial fines from NACHA (previously National Automated Clearing House Association) and chargeback demands from other financial institutions.

    • Financial risk

    Two aspects of financial risk should be considered:

    First, evaluate the financial condition of the vendor and whether it will financially be able to perform as agreed. Balance sheets, profit and loss statements, audited financials and public filings are all tools banks can use to evaluate a vendor’s financial health.

    Second, consider the financial risk of the outsourcing. How much should the bank be willing to pay and how should payments be structured? For instance, if the bank were to pay 100 percent at contract signing, the bank incurs a much greater risk than paying a vendor after performance.

    • Country risk

    Many banks will assume that a “country risk” analysis does not apply to them because they do not contract with vendors outside the United States. That may be true, but how many of their vendors have subcontractors located outside the U.S. that are providing part of the services or products to the bank? Many vendors that provide services and products to the banking industry have some components of their operations offshore either subcontracted to foreign companies, domestic companies with foreign operations, or foreign subsidiaries or affiliates. 

    Country risk may very well be the most overlooked risk category that the regulators specifically identify. A bank should not only determine if the services or products provided involve offshore operations, affiliates, subsidiaries or contractors but also if any of the vendor’s operations are offshored in any manner. If so, then it is necessary to consider exposure to economic, social and political conditions and events in the foreign country — if those conditions could adversely affect the ability of the vendor to meet the level of service required — and any harm to the bank that may result. 

    Of course, this is after a determination is made that the foreign country is not on the list of countries that are prohibited to U.S. banks. If so, then analysis ends, and the vendor should not be used.[2] If the country is not “prohibited” but is under sanctions, careful and thorough legal analysis is required before a contractual relationship is established.

    • Credit risk

    Finally, one of the most obvious and important risks that a bank should consider is credit risk. This may not be a risk inherent in most vendor relationships, but when the bank is contracting with a third party to originate loans on the bank’s behalf, when the third party solicits or refers customers, engages in or conducts underwriting analysis, or implements product programs for the bank, the credit risks have to be identified and mitigated. It is imperative in those situations that the bank understands the underwriting and credit standards the vendor is applying to those potential bank customers and that those meet the bank’s risk appetite.

    At the end of the risk assessment, the bank should be in a position to determine the risk “value” of the outsourcing. The valuation is not just a fiscal or convenience determination but an incorporation of all aspects of the outsourcing risk and mitigation tools. If the value of the risk posed by the outsourcing is within the bank’s established risk profile, the outsourcing can proceed. 

    Further, the risk assessment should be revisited and updated as appropriate. Needs change, circumstances change, operations change and as a result a vendor that was  categorized as low risk can suddenly pose a significant risk to the bank.

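  • Bank Wealth Management Subsidiaries and VC/PE

    Bank Wealth Management Subsidiaries and VC/PE

    In June of this year, ICBC Wealth Management (工银理财), the largest bank-affiliated wealth management subsidiary in China, made its debut.

    After receiving approval from the China Banking and Insurance Regulatory Commission to open for business, ICBC Wealth Management, a wholly owned subsidiary of Industrial and Commercial Bank of China, released six products designed under the new rules in one go and disclosed that its products meeting the requirements of the new asset management rules already exceed RMB 370 billion. ICBC Wealth Management has registered capital of RMB 16 billion. Notably, “specialty private equity” is one of its three major product series.

    For example, ICBC Wealth Management’s equity product “博股通利” is a private equity product with a sci-tech innovation theme. It will select technology innovation companies with growth potential, invest directly in their unlisted equity as the companies grow, and later exit mainly through listings on the STAR Market (科创板). In addition, ICBC Wealth Management is also cooperating with Hillhouse Capital, Legend Capital and others.

    Under current rules, banks may not use their own funds for equity investment, so subsidiaries within banking groups have steadily been developing various equity investment businesses. For example, China Construction Bank also conducts PE fund business and direct equity investment through three platforms: CCB International (建银国际), CCB Trust (建信信托) and CCB Equity (建信股权). Postal Savings Bank of China has also previously stated clearly that, once its wealth management subsidiary is established, it will participate in equity investment in unlisted companies, for example at the Pre-IPO and PE stages.

    In the start-up phase, bank wealth management subsidiaries tend to cooperate with private fund managers and similar institutions so that each side complements the other’s strengths. Some private equity investors therefore believe: “Cooperation between bank wealth management subsidiaries and VC/PE will outweigh competition.”

    Can bank wealth management subsidiaries ease the “fundraising difficulty”? Many VC/PE firms are waiting eagerly with high hopes, but some IR professionals caution that, based on current information, the products of bank wealth management subsidiaries should still be mainly fixed-income. In terms of allocation, equity investment may rank fairly low, which means the funds that ultimately flow into the equity investment market may not be large. In addition, bank wealth management subsidiaries mostly participate in the primary market through direct investment; as for the “bank wealth management + asset management plan + private fund LP” investment path, many people are still watching from the sidelines.

    The VC/PE community is still waiting for more detailed rules to be released. The latest news shows that the senior management teams of the bank wealth management subsidiaries are falling into place one after another. According to 21st Century Business Herald (21世纪经济报道), at China Merchants Bank, Liu Hui, assistant president and general manager of the asset management department, may become chairman of CMB Wealth Management (招银理财), and Wang Tao, former general manager of China Merchants Bank’s retail credit department, may become general manager of CMB Wealth Management.

    At Ping An Bank, Xie Yonglin, co-CEO of Ping An of China and chairman of Ping An Bank, may become chairman of Pingyin Asset (平银资产); Wang Wei, Ping An Bank’s chief treasury executive officer (首席资金执行官), is responsible for the related preparations; and the day-to-day management of Pingyin Asset may be handled by Zhang Dong, deputy general manager of Ping An Securities.

    At China Everbright Bank, Zhang Xuyang, former vice president of Du Xiaoman Financial, has returned to Everbright and is slated to become chairman of China Everbright Bank’s wealth management subsidiary. Pan Dong, general manager of China Everbright Bank’s asset management department, is slated to become general manager of the subsidiary. However, the above appointments still require regulatory approval.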