Sales Practices: Third-Party Risk Management Matters Too

Dan Ryan is Banking and Capital Markets Leader at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Roberto Rodriguez, Mike Alix, Adam Gilbert, and Julien Courbe.

Sales practices in the financial services industry have come under increased scrutiny from both regulators and financial institutions since last year. The attention so far has been largely on the financial institutions’ sales practices, which include activities throughout the customer relationship lifecycle from marketing to sales, servicing, and collection. However, the scope is broadening to include third parties, which have been used over the last decade to help institutions grow revenues, cut costs, and improve the customer experience. [1]

Interest in third-parties’ role in sales practices is consistent with the progression of regulatory examinations of the industry’s sales practices that began last year with the Office of the Comptroller of the Currency’s (OCC) horizontal examinations at large and mid-size institutions. [2] In its initial phase, OCC examinations focused on activities that were at the heart of sales practices issues, such as opening accounts without consent. However, the scope of sales practices reviews has expanded to include the institution’s policies and practices, compensation schemes, and sales goals that could lead to inappropriate sales behavior. Ultimately, regulators will expect to see that institutions have an enterprise-wide sales practices risk management framework in place to prevent future transgressions.

We expect this trend to continue, bringing common third-party activities related to sales practices including servicing activities such as billing, payment scheduling, and collections, under increased regulatory scrutiny, as has been the case with add-on products and concerns related to Unfair Deceptive or Abusive Acts or Practices (UDAAP). [3] In the past few years, for example, third-parties’ role in selling products and services on behalf of banks have led to several US regulatory agencies raising their standards for third-party oversight. [4]

Many institutions recognize that effectively managing their third-party operational risk (i.e., risks resulting from people, processes, and systems) is not only important to regulators but is also good business strategy. As a result, institutions should take action to enhance their third-party risk management (TPRM) programs to ensure they are effectively managing the unique risks associated with third parties that interact directly with consumers on their behalf in the sales process (e.g., opening accounts).

This post provides our perspective on (a) key sales practices risk associated with third parties and (b) what institutions should do now.

Key sales practices risks associated with third parties

Institutions can outsource processes, but they cannot outsource accountability for the activities conducted on their behalf. Thus, the failure to effectively manage third-party relationships can lead to financial penalties and long-lasting reputational damage. For example, activities such as opening unauthorized accounts, adding unauthorized services or features to accounts, deceptively marketing a product or service feature to consumers (e.g., add-on products for credit cards), forcing customers to accept products or services they do not want (i.e., bundling), and delaying or misapplying payments, present numerous risks during the sales process.

These types of misconduct are seldom the result of a single process or control weakness in a financial institution’s environment, but rather a combination of issues at both the institution and the third party. The most common risk factors (and a focus for regulators) include a high-pressure sales culture focused on unrealistic sales targets and an incentive compensation structure based on account and volume metrics, which could lead to steering consumers toward more expensive products. For example, compensation arrangements designed solely to drive higher account or transaction volumes may incentivize a third party to take actions that are not consistent with customer needs or requests and could lead to UDAAP issues.

Third parties are also frequently involved in account servicing activities, including collection of delinquent accounts, and it is common for the third party to be incentivized based on the amount of debt collected. Without proper controls, these incentive arrangements, may encourage the third party to use overly aggressive collection tactics that could lead to sales practices risk, as well as potentially violate debt collection laws.

How the institution should approach third-party sales practices risk

While financial institutions should ensure that they are applying the same standards and risk appetite to third parties as they are to internal sales and servicing processes, it is necessary to remember that third parties present a different type of risk to the institution and that each relationship comes with its own unique risks. [5] As a result, risk management practices should not only be tailored for third-party risk generally, but for the services the third party is providing to the institution.

Assess the current state of third-party relationships

Financial institutions’ compliance and TPRM resources should begin by performing a current state assessment to identify all third parties involved in the sales process and the sales practices risk associated with the third party. In doing so, the compliance and TPRM teams should:

  • Establish a comprehensive TPRM program that addresses all third-party relationships, not just traditional third-party vendors (e.g., IT service providers, call centers). As such, affiliates, joint ventures, indirect sales agents, co-branded sales partners, and other third parties posing sales practices risk should also be addressed. The TPRM program should start with a risk appetite statement related to the use of third parties and be supported by policies and procedures for the management of these relationships.
  • Institute enterprise-wide policies, procedures, and processes for reviewing, tracking, and evaluating complaints to identify potential sales practices issues or misconduct by third parties. Suspicious activity should then be independently investigated and corrective actions should be taken by the institution or the third party, as appropriate (e.g., refund of unauthorized fees, correcting inaccurately reported credit bureau information).
  • Determine which third-party relationships require a tailored risk management process by reviewing whether existing third-party due diligence, governance, and controls over sales practices risks are adequate in light of heightened institutional and regulatory expectations.
  • Ensure the TPRM program has the necessary insight into the third party’s internal controls in order to be able to assess the adequacy of issue escalation and resolution processes for both consumers and employees (e.g., ethics hotline).
  • Evaluate the institution’s decision-making process related to the use of third parties to ensure that any additional costs associated with heightened sales practices risk are considered. Using third parties is often more cost efficient than developing the same skills and capabilities in house, but the risk management costs (financial, operational, and reputational) may outweigh the benefits.

Governance and reporting

As mentioned above, regulators expect the Board to be accountable for overseeing the institution’s TPRM program and to pay particular attention to sales practices risk. To that end, institutions should:

  • Implement reporting procedures that include measures to ensure the Board has a full understanding of the risks that third-party sales practices present to their institution and how residual risks are being managed.
  • Ensure reports to the Board regarding third-party sales practices include key risk indicators such as customer complaints and management’s analysis of emerging risk areas.
  • Enhance or design new third-party risk reporting to ensure transparency and highlight any areas where sales practices risk has changed and misconduct may have occurred, including escalation and remediation procedures as required.

Enhance controls to assess and monitor third parties

Regulators have made it clear that governance and risk management activities must be commensurate with the risk and complexity of the third-party relationship. [6]

TPRM leaders should enhance processes and controls around third-party sales practices risks identified through the current state assessment, focusing on:

Due diligence

We recommend institutions apply their enhanced internal controls around sales practices when performing due diligence on a potential third-party vendor:

  • Request and review the third-party’s sales practices guidelines and processes for training and monitoring its sales and service agents. This may include reviewing sales training curriculum, attendance records, and monitoring procedures, to ensure these controls are adequate and fully implemented.
  • Assess the third-party’s employee and consumer complaint management processes to ensure the third party’s definition of complaint, resolution and escalation processes and reporting of complaints meet the institution’s standards.
  • Review the third-party’s business reputation and any past legal or regulatory matters related to sales practices. This may include reviewing news sources or social media to identify any past or present allegations of deceptive or abusive sales practices. Institutions should assess whether the third party has a pattern of sales practice abuses and determine whether it is prudent to enter into a relationship with the third party.

Advanced analytics

Financial institutions invariably generate significant volumes of customer and employee data that have historically been used for assessing business performance, and the data is often confined within the business unit or location where it is produced. While some institutions have begun leveraging this data toward improving institutions’ sales practices risk oversight by investing in advanced data analytics infrastructure and capabilities (e.g. data visualization tools, speech analytics), [7] we recommend these tools be extended to monitor third-party sales practices risk. To that end, institutions should consider the following:

  • Assess third parties’ analytics capabilities to monitor their own sales practices risks and determine whether the institution could rely on the third parties’ capabilities as a supplement to its own monitoring activities.
  • Apply the institution’s own analytics capabilities to identify potential sales practices issues at third parties. This may require negotiations and updates to contractual agreements to ensure the third parties are willing to share additional data (e.g., sale transaction data, call logs, customer complaints) with the institution.
  • Aggregate and analyze third party, external, and internal data (e.g., internal consumer complaints and publicly available data via regulatory portals or social media) and create a repository of consumer complaint information. Consider combining consumer complaints with sales data to identify a pattern of bad behavior at third parties and other sales transactions that may warrant additional review.
  • Implement call monitoring or speech analytics to help detect potential deceptive sales practices. For example, an institution might use analytics software programmed to send an alert when certain “risk” words are said on a call or used in an email. These alerts are then reviewed by compliance to determine if the use was inappropriate.
  • Make customer complaint systems searchable to allow for mining of key words in order to identify possibly systemic conduct and to categorize conduct into risk levels. Potential fraudulent opening of accounts would likely be at the highest risk level and could be revealed by customer complaint terms such as “unaware” or “without permission.”

Review compensation agreements with third parties

Third parties may be more likely to take imprudent risks as a result of how their compensation agreements are structured. Though it will require a significant investment of time and resources, reviewing existing and new compensation agreements with third parties will help identify where arrangements may need to be re-structured and guide efforts to develop a strategy to re-negotiate them. We recommend that compensation arrangements be reviewed by the Legal and Risk Management teams and:

  • Involve appropriate subject matter experts to assess the third party’s controls related to sales practices and incentive compensation arrangements prior to entering into the relationship.
  • Establish clear risk appetites for sales practices incentive compensation and variable compensation agreements to ensure clear protocols for evaluating such arrangements to identify potential sales practices risks (both in contracts with the third party and in compensation arrangements between the third party and their own employees).
  • Prohibit or limit sales incentives paid to third-party staff that may otherwise encourage inappropriate sales behavior.
  • Require regular trainings on the institution’s policies and applicable regulatory guidance.
  • Conduct performance reviews to consider whether third parties adhere to the policies and procedures of the TPRM program and risk limits.


1See PwC’s FS Viewpoint, Significant others: How financial firms can manage third-party risks (May 2015).(go back)

2To learn more about the OCC’s sales practices examinations and for additional information on sales practices risk, see PwC’s A closer look, Sales practices: OCC exams and beyond (October 2016).(go back)

3The scope of enforcement actions under UDAAP have expanded from institutions themselves to their third-party service providers engaged in sales and servicing activities on institutions’ behalf (e.g., sales of lending add-on products, billing, and collection activities).(go back)

4These include the OCC, the Federal Reserve Board, and the Consumer Financial Protection Bureau.(go back)

5See PwC’s publication, Third party risk management, One size doesn’t fit all—Managing special third party relationships (September 2016).(go back)

6See note 4.(go back)

7Depending on where each institution stands along its path to digital transformation and other factors (e.g., number of existing legacy systems), implementing new data analytics tools and other potentially needed enhancements in data infrastructure and generation can be costly. However, once implemented, a robust data infrastructure and advanced data analytics will provide benefits across the organization including more accurate business performance assessment and reporting, digital marketing, customer acquisition, etc. For more information see PwC’s financial services digital publications, Digital banking: A tale of two cities (December 2015) and Get your head in the cloud (August 2016).(go back)

Both comments and trackbacks are currently closed.