Third Party Risk Management (TPRM) Advisory
July 2016

Assessing Law Firms

In recent years regulators have “raised the bar” by including law firms and attorneys as 3rd party suppliers that must be assessed and included in financial institution risk management programs. While larger firms are readily stepping up to address financial service provider third party risk management requirements, the challenge is proving harder for smaller, less affluent law firms and attorneys. TPRM is definitely not a “one size fits all” process for law firms. However, it can be done reasonably and effectively. A successful approach not only protects the firm’s clients but can direct the law firm to a more secure, low risk environment for themselves as well as the financial institutions they serve.

Many of the larger and/or global law firms that frequently represent banks, consulting on regulatory exams, interpretation of policies and procedures, contract templates, cybersecurity, and the like, have more robust information security programs in place today. These firms are now obtaining SOC 2 reports and providing information security due diligence to financial institutions to address the reality that more financial institutions are requiring it of them. Some law firm information security policies and procedures are drafted to specifically comply with financial institutions’ regulatory compliance 3rd party requirements. In contrast, many smaller law firms often do not have the infrastructure or budget to have independent 3rd party audits conducted regarding their internal security controls and procedures. However, smaller regional firms that are used on an ad hoc basis for foreclosures, collection, title, escrow, etc. can put in controls that are justifiable in proportion to their means and overall risk.
Small regional firms may not need to have a sophisticated security structure, but with demonstrative evidence of reasonable controls, such as cameras, coded doors for entry, locked cabinets, current identity access management controls, routine background checks of their employees, training, repeated training certification, etc., they can meet basic regulatory requirements and fulfill acceptable risk expectations. When geographically feasible, onsite visits have been a very good way to handle law firms, especially when any gaps are found. Often such assessments result in remediation being put into effect which is tailored to their risk and budget and sufficient to meet regulatory 3rd party risk management requirements.

Many member companies utilize specific playbooks or checklists developed specifically for this type of assessment. While many financial institutions apply standard 3rd party reviews, monitoring, policy and process to law firms, a substantial number of BITS companies develop special categories for many firms providing legal services. Typically reviews are conducted annually but may be more or less frequent based on the potential level of risk. Some members share that law firms providing services for the bank are in a business directed mode whereby the business line must have a structured program in place to vet, monitor and maintain these relationships. Another good practice is to provide documentation which describes all federal guidance and regulations tied to our process and how our company complies, and to require that this be covered in the standard review of contracts. Some member institutions’ in house legal departments convene regular meetings with 3rd party attorneys to discuss the hot topics and “wording issues” to support consistency among the attorneys.

Copyright 2016 Financial Services Roundtable - All Rights Reserved
Suggestions to support well written contracts include:
- Utilize contract templates that align to regulatory guidance
- Changes and deletions must be documented and kept with the final contract
- Policy for in-house legal to review all contracts
- Sourcing engages in house legal during projects
- TPRM centrally stores contracts and tracks renewal/expiration dates
- Business unit should complete a contract review checklist to assure compliance with regulatory guidance
- Executive signs off on the contract summary that lists the contract risks and exceptions

Onboarding new attorneys will often include financial and insurance reviews as well as assessment of information security, contingency planning, background verifications, and other compliance requirements. Some members report that regulators are looking for checklists verifying that new contracts for legal services cover regulatory requirements effectively.

A majority of our member companies have pre-qualifying rules which include no significant litigation against the firm, no substantial practice in areas adverse to financial institutions, no conflicts of interest with financial institutions and no sanctions. A smaller but still material percentage also require no pending state bar inquiries, no government investigations in the last 10 years, no damage/settlement claims against the firm, and that the firm must not be paying outsourcing, referral, packaging technology, vendor selection, or similar fees on any Fannie Mae or Freddie Mac files. Other notable practices include requirements that attorneys have passed the bar in the appropriate states, that attorneys have 2-5 years of specifically related experience, and that individual attorneys receive training by the financial institution.

A number of BITS member companies partner with their own in-house legal departments to effectively assess 3rd party attorneys and law firms.
Related BITS Surveys:
- TPRM Survey Results – Default/Foreclosure Attorneys
  https://www.surveymonkey.com/results/SM-FP3JDCLT/
- Law Firm Management, May 2009
  https://www.surveymonkey.com/results/SM-6DF36VVQ/

Regulatory Expectations

OCC BULLETIN 2013-29, Subject: Third-Party Relationships, Date: October 30, 2013
http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

The OCC expects bank management to engage in a robust analytical process to identify, measure, monitor, and control the risks associated with third-party relationships and to avoid excessive risk taking that may threaten a bank’s safety and soundness. A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.

Other resources:
- The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution, Shared Assessments
  https://sharedassessments.org/wp-content/uploads/2015/05/SA-2015-Law-Firm-Briefing-PaperFINAL.pdf
- Are You Ready for the New Foreclosure Processing Regulations?, American Bankers Association
  https://www.aba.com/Tools/Offers/Documents/CrossCheckCompliance-ForeclosureProcessing.pdf
- Managing third-party relationships: It's complicated, PWC
  http://www.pwc.com/us/en/financial-services/regulatory-services/publications/occ-third-partyrelationships.html
- Regulatory Requirements and the Third-Party Threat: How Third Parties Increase Risk in the Financial Sector and What Organizations Can Do to Reduce Vulnerability, LexisNexis
  http://www.lexisnexis.com/en-us/products/lexis-diligence/financial-services-whitepaper.page
- OCC Updates Guidance on Third-Party Relationships, Protiviti
  https://www.protiviti.com/en-US/Documents/Regulatory-Reports/General-Business/Financial-ServicesFlash-Report-OCC-Third-Party-Relationships-120213-Protiviti.pdf
- Policy for the Management of Third Party Residential Mortgage, Morgan Stanley
  https://www.federalreserve.gov/newsevents/press/bcreg/bcreg20140707a2.pdf