EPCOR Audit Team: Notes on Third-Party Service Providers

Amy Donaghue

By: Amy Donaghue, AAP, APRP, Senior Manager, Audit Services

The EPCOR Audi team has noticed an increase in the number of financial institutions who are outsourcing the handling of products and services to Third-Party Service Providers (TPSP). Partly, this increase is due to TPSP advances in technology, which enables financial institutions to provide an array of products, enhanced services and delivery channels without the expense of owning the required technology or maintaining staff required to implement and operate it. Additionally, there is an increased amount of consolidation among many of the larger service providers. As a result, financial institutions have a concentrated dependency on a smaller group of TPSPs. This trend has not gone un-noticed by the Office of the Comptroller of the Currency (OCC) and is specifically mentioned within the agency’s Semiannual Risk Perspective for Spring 2018 report which states, “Increased use of a limited number of third-party service providers creates concentrated points of failure, resulting in systemic risk to the financial services sector.”

The decision to outsource should be made by an institution’s directors and senior management to ensure it is consistent with the financial institution’s strategic plans and goals. Once the decision has been made, a degree of oversight and review of the outsourced activities must be implemented and should be subject to the same risk management practices applied to other services that are not outsourced.

The issues our team has observed while conducting an audit or a risk assessment include a pattern of financial institution staff without a clear understanding of how these systems work. Management should ensure sufficient personnel have the knowledge and ability to articulate how an outsourced process works, as well as speak to the interdependencies and interconnectivity of these systems. Often the lack of the staff’s understanding of the outsourced environment is due to employee turnover or lack of involvement of key staff members responsible for the daily activities of now outsourced processes.

Additionally, we have noted a lack of documentation indicating how outsourced products support the associated business processes and the flow of data across and between various systems. This is commonly referred to as process mapping and is a key component of an effective TPSP risk management program that serves to facilitate risk identification and the implementation of controls to manage that risk.

Appropriately managed TPSP relationships can be a cost-effective way to enhance a financial institution’s ability to remain competitive, as well as provide products and services that might otherwise be cost prohibitive to manage in-house.

Why Guess if You Have Your Bases Covered?

Have Our Expert Eyes Take a Look!

The NACHA Operating Rules require all participating depository financial institutions, Third-Party Service Providers and Third-Party Senders to conduct an ACH Rules Compliance Audit each year. The ACH Audit can help you identify potential problems, correct them before an issue arises and limit your liability. Take the guess work out of your Audit and book with our experienced audit team today by contacting memserve@epcor.org. Or, if you're going to do it it yourself, check out our workbook! Get your ACH Audit Workbook today!