Financial institutions around the world are subject to an increasingly rigorous regulatory framework.  While much of the overwhelming regulatory environment is a result of the financial crisis, another set of regulations emanate from concerns about corruption.  These sets of regulations are driving banks to have a greater understanding of all their third-party relationships, both to protect banking customers from the risk that a bank’s supplier will in some way fail and to ensure that all the bank’s suppliers are not involved in corrupt practices.

The risks to financial institutions are great:  legal, reputational and financial risk if an important supplier is not solid and also regulatory risk, including large fines and even jail terms, for violation of the Foreign Corrupt Practices Act (FCPA) or the UK Anti-Bribery Act.

The literature on these subjects is massive.  Below is a list of what we believe are the 10 best pieces that will help someone dealing with these risks get up to speed.

1. Managing when vendor and supplier risk becomes your own, McKinsey & Company, July 2013

Overall this is a great primer on vendor risk management issues and the authors offer some basic recommendations.

Regulators now expect institutions to know their third parties, how each of them interacts with consumers, and what activities it performs. Many firms do not have this information readily available… In our experience, an effective database of third parties includes all of them—that is, any noncustomer entity with which a financial institution has a business relationship. An enterprise-wide survey is a good way to get started.

Once a firm has a complete inventory of third-party suppliers and the risks they pose to customers, it can segment its suppliers by risk level. Even a simple system of high-, medium-, and low-risk categories can be useful…

[Also see: Managing third-party risk in a changing regulatory environment, McKinsey Working Papers on Risk, Number 46 May 2013]

2. Foreign Corrupt Practices Act & Bribery Act 2010 – A Primer on Compliance, Hunton & Williams, February 2011

This is an excellent, concise description of both the FCPA and the Bribery Act.

Although no single compliance program fits all organizations, common themes of compliance programs include (i) an assessment of the risks faced by the organization, (ii) the involvement of senior management, (iii) training programs and the availability of policies to employees and potential intermediaries, (iv) appropriate diligence on business partners, and (v) the inclusion of bribery-related provisions in contracts with business partners.

[Also see: 2013 Mid-Year FCPA Update, Gibson Dunn, July 8, 2013]

3. A Resource Guide to the U.S. Foreign Corrupt Practices Act, U.S. Department of Justice, November 2012.

At 130 pages this is not light reading. But familiarity with the background and the requirements of the Act are critical for anyone even tangentially to vendor risk management.

Released in November 2012, A Resource Guide to the U.S. Foreign Corrupt Practices Act is the Department of Justice’s and Securities and Exchange Commission’s detailed compilation of information about the FCPA, its provisions, and enforcement. It is the product of extensive efforts by experts at DOJ and SEC, and has benefited from valuable input from the Departments of Commerce and State. It endeavors to provide helpful information to enterprises of all shapes and sizes – from small businesses doing their first transactions abroad to multi-national corporations with subsidiaries around the world. The Guide addresses a wide variety of topics, including who and what is covered by the FCPA’s anti-bribery and accounting provisions; the definition of a “foreign official”; what constitute proper and improper gifts, travel and entertainment expenses; the nature of facilitating payments; how successor liability applies in the mergers and acquisitions context; the hallmarks of an effective corporate compliance program; and the different types of civil and criminal resolutions available in the FCPA context. On these and other topics, the Guide takes a multi-faceted approach, setting forth in detail the statutory requirements while also providing insight into DOJ and SEC enforcement practices through hypotheticals, examples of enforcement actions and anonymized declinations, and summaries of applicable case law and DOJ opinion releases.

[For a summary, see: DOJ and SEC Issue Much-Anticipated FCPA Guidance, Kramer Levin, November 19, 2012 and DOJ and SEC Issue FCPA Guidance, Davis Polk, November 16, 2012]

4. Internal Audit’s Role in Managing Third-Party Risks, by Jose Tabuena, Compliance Week, April 2013

A short but compelling article by Jose Taubena, Compliance Week columnist and compliance and regulatory counsel with Orion Health, a global provider of clinical workflow and health data integration technologies and solutions.

As companies continue to get in trouble for the actions of their business partners, some may be wondering, “Am I my brother’s keeper?” The answer, at least in the eyes of regulators, is yes.   The types of risks from third parties continue to proliferate: corruption, product defects, supply chain disruption, data security breaches, theft of intellectual property, and others—with any occurrence potentially resulting in negative publicity and prosecution. Additionally, companies should recognize that vendors, distributors, and licensees can fail to meet their full contract obligations given the complexity of the environment.

5. Vendor Risk Management (VRM), How Much Is Enough? John Edison, CEO, Fortrex Technologies April, 2010

This paper discusses which vendor relationships should be included in an institution’s vendor oversight program and to what level they should be reviewed. Only the vendor oversight component of VRM, not vendor selection or pre contract due diligence, is discussed. Intended Audience: Any staff member having responsibility for developing or managing a financial institution’s vendor oversight program, based on guidance from the Federal Financial Institution Examination Council (FFIEC).

6. OCC Issues New Guidance on Third-Party Relationships Risk Management Sidley Austin LLP, November 7, 2013

This is one of many recent law firm bulletins covering recent OCC guidance.

On October 30, 2013, the Office of the Comptroller of the Currency (“OCC”) released OCC Bulletin 2013-29, “Third-Party Relationships,” highlighting the enhanced scrutiny to which national bank engagements of third-party service providers are now subject.

[Also see: OCC Adds Substantial New Risk Management Burdens for Third-Party Relationships Ballard Spahr LLP, November 26, 2013;

OCC Releases New Guidance on Third-Party Risk Management Wilmer Hale October 31, 2013 and OCC: New Guidance for Third Party Risks, by Tracy Kitten, Bank Info Security, October 13, 2013

7. Vendor Risk Management — Compliance Considerations by Cathryn Judd, Examiner, and Mark Jennings, Former Examiner, Federal Reserve Bank of San Francisco

This article summarizes the best practices discussed during a Federal Reserve System webinar titled Vendor Risk Management – Compliance Considerations on May 2, 2012.

8. Guidance on Managing Outsourcing Risk Board of Governors, Federal Reserve System, December 5, 2013

Fourteen pages from the Federal Reserve covering financial institution risk from the use of Service Providers.

For purposes of this guidance, “service providers” is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or

9. Third Party Risk Management in the New Regulatory Environment KPMG December 2013

This KPMG marketing piece covers requirements of the OCC, CFPB, BSA and Bank Service Company Act.

10. How Banking CIOs Can Meet Third-Party Vendor Requirements by Richard Raysman and Francesca Morris, partners with Holland & Knight LLP in CIO Journal from the Wall Street Journal.

This article, written for Chief Information Officers, provides an outline of the recommended practices that banks and vendors must follow with special regard to corporate security breaches.