The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 might garner the most headlines, but it is hardly the only federal regulation deserving the attention of U.S. banks.
Two other federal regulations are increasing the pressure on banks and other financial institutions to monitor and manage third parties. A third party is any outside entity doing work for a bank, regardless of whether the third party is an individual, partnership, or corporation, and regardless of whether the work is done under contract or on a more casual basis.
These two regulations are:
Bulletin 2013-29 from the Office of the Comptroller of the Currency (OCC)
OCC Bulletin 2013-29 provides risk management guidance regarding banks and other financial institutions’ use of third parties. It mandates that institutions adopt a risk management lifecycle for assessing and monitoring the conduct of all their third parties.
The Foreign Corrupt Practices Act (FCPA) of 1977
The FCPA forbids companies trading securities in the U.S. and others from making illicit payments—bribes—to foreign officials. To make bribery easier to detect, the FCPA requires companies to maintain the transparent accounting practices mandated by the Securities Exchange Act of 1934. Critically, the FCPA holds companies responsible not only for the conduct of their own employees, but also for the conduct of their third parties.
Here’s an overview of each regulation, along with examples of the enforcement penalties that can result for compliance violations.
OCC 2013-29: Risk Management Guidance for Third-Party Relationships
The Office of the Comptroller of the Currency’s Bulletin 2013-29 begins by noting that the third-party relationships of banks and other financial institutions have become increasingly important and complex. Because institutions rely so much on third parties, it’s important that those third parties are carefully selected and routinely assessed and monitored.
The OCC bulletin directs banks to systematically manage risk involving third parties:
- A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
- A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
The OCC recognizes that not all third parties are equally important. Proper risk management includes assessing the disparate risks posed by various third parties. Banks should assess the potential risk a third party poses in the case of poor performance, a data security breach, or some other operational lapse.
To assess and monitor all its third parties, a bank should establish a risk management lifecycle that encompasses all aspects of the bank’s relationship with each third party, including:
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
- Oversight and accountability
- Documentation and reporting
- Independent reviews
The risk management lifecycle should also include evaluations of each third party’s financial condition, risks, and capabilities. Contracts should describe the nature of the terms and scope of the relationship between an institution and its third parties.
Implementing a risk management solution this broadly requires discipline, rigorous attention to detail, and a technological approach that can scale easily across markets and regions.
OCC Enforcement Actions
Failure to implement a risk management lifecycle and prevent improper conduct by third parties can be costly.
Since issuing Bulletin 2013-29, the OCC has assessed multi-million dollar fines against banks and other financial institutions for failure to manage their third parties properly. For example:
- $45 million penalty and nearly $500 million in restitution for Bank of America
In April 2014, the OCC assessed a $25 million penalty against Bank of America and its credit card subsidiary FIA Card Services, and ordered restitution totaling approximately $9.5 million to 1.9 million consumers. As part of the assessment, the OCC ordered the bank “to improve governance of third-party vendors associated with ‘add-on’ consumer products and submit a risk management program for ‘add-on’ consumer products marketed or sold by the bank or its vendors.” In bringing this action against Bank of America, the OCC worked with the Consumer Financial Protection Bureau (CFPB), which assessed its own $20 million fine against the bank.
- $70 million penalty against Citibank
In July 2015, the OCC assessed a $35 million penalty against Citibank and its affiliate, Department Stores National Bank. The OCC ordered Citibank to identify and make restitution to harmed customers. As in the Bank of America case, the OCC ordered the bank to improve its governance of third-party vendors. In this case, too, the OCC coordinated its activity with the CFPB. The CFPB assessed its own $35 million penalty against the bank, raising the cost of penalties to $70 million.
At a time when banks are partnering with organizations ranging from FinTech start-ups to data security companies, the lesson from these penalties is clear: banks need to assess, monitor, and manage their third parties carefully, or the results will be costly fines imposed by the OCC and other regulatory bodies such as the CFPB.
The Foreign Corrupt Practices Act of 1977
The Foreign Corrupt Practices Act (FCPA) of 1977 forbids publicly traded U.S. companies and their subsidiaries and third parties from bribing foreign officials in order to grow or retain business. The FCPA also requires companies to maintain transparent accounting practices so that instances of bribery can be easily detected.
Even if a bank is not a publicly traded company, it may find itself subject to the FCPA for any of the following reasons:
- A third party or other intermediary of the bank bribes a foreign official.
- Another company that is controlled to a sufficient degree by the bank through its investment portfolio bribes a foreign official.
Penalties for violating the FCPA can be onerous. Fines can reach up to $25 million per violation. Individuals can be fined up to $5 million per violation and imprisoned up to 20 years. Regulators may also order companies to disgorge profits. Regulators might also disbar or suspend a company from doing business with the U.S. government.
FCPA Enforcement Actions
In the past five years, DOJ and SEC investigations of FCPA violations have broadened to include financial services organizations. In 2011, the SEC sent letters of inquiry to several financial institutions, including banks, asking about corrupt payments made to help institutions obtain investments from sovereign wealth funds. (A sovereign wealth fund is a government-owned investment fund derived from fiscal surpluses and other government sources.)
Recent FCPA penalties against financial institutions include:
- Penalties of $3.8 Million and Imprisonment in a Morgan Stanley Case
In April 2012, the SEC charged Garth Peterson, a former managing director for Morgan Stanley’s real estate business in China, with violations of the anti-bribery and internal controls provisions of the FCPA. Criminal charges were also filed against Peterson for conspiring to violate the internal controls provisions of the FCPA. Peterson eventually settled with the SEC and disgorged over $3.8 million. He was also sentenced to nine months in prison.
- Penalties of $14.8 Million against BNY Mellon
When BNY Mellon awarded highly sought-after internships to poorly qualified family members of foreign government officials associated with a Middle Eastern sovereign wealth fund, the SEC charged BNY Mellon with violating the FCPA. The bank’s $14.8 million settlement in 2015 comprised $8.3 million in disgorgement, $1.5 million in prejudgment interest, and a $5 million penalty. The SEC found that BNY Mellon lacked “sufficient internal controls to prevent and detect . . . improper hiring practice.”
The BNY Mellon case illustrates the risks of not closely monitoring employee activity and not implementing sufficient controls to prevent acts of bribery or illicit favoritism. To ensure regulatory compliance and avoid penalties like BNY Mellon’s, banks and other financial institutions need to craft detailed Anti-Bribery and Anti-Corruption (ABAC) policies and implement rigorous controls for both employees and third parties.