Risk management guidance on third party relationships

Sageworks
January 30, 2014
Read Time: min

Examiners have always expected banks and credit unions to perform appropriate vendor due diligence prior to engaging a third party. But with October 2013 guidance, Third-Party Relationships, the OCC provided definitions and guidelines for OCC banks as a risk management framework.

As the announcement points out, banks face new and increased operational, compliance, reputation, strategic and credit risks when entering into an agreement with a third party, especially when the agreement covers “critical activities.” As such, the OCC asks banks to develop a risk management process proportionate to the level of risk within the relationship.

Third-party relationships are defined as a business arrangement between a bank and an outside entity, by contract or otherwise. Some examples are tax, legal, audit or information technology. By entering into agreements with third parties, it is the board members’ and senior management’s responsibility that contracted activities fall in line with regulatory guidance and uphold safety and soundness for the institution.  

“Critical activities” are described as significant bank functions, services or activities that could have a major impact on the bank’s operations. Comptroller of the Currency Thomas Curry explains: “We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic. This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.” The new guidance set forth by the OCC supersedes prior Bulletin 2001-47, “Third Party Relationships: Risk Management Principles” and OCC Advisory Letter 2009-9, “Third-Party Risk.”

When circumstances warrant, the OCC will apply corrective measures to ensure banks’ relationship management standards are appropriate, and these measures could include enforcement actions, special examinations and the assessment of civil money penalties.

On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. While the Federal Reserve’s guidance is less comprehensive than the new guidance set forth by the OCC, many of the themes are similar.

For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper: Risk Management Guidance on Third Party Relationships.

About the Author

Sageworks

Raleigh, N.C.-based Sageworks, a leading provider of lending, credit risk, and portfolio risk software that enables banks and credit unions to efficiently grow and improve the borrower experience, was founded in 1998. Using its platform, Sageworks analyzed over 11.5 million loans, aggregated the corresponding loan data, and created the largest real-time database of private-company financial information in the United States. The company was acquired in 2018 and is now part of Abrigo.

Full Bio

About Abrigo

Abrigo is a leading technology provider of compliance, credit risk, and lending solutions that community financial institutions use to manage risk and drive growth. Our software automates key processes — from anti-money laundering to fraud detection to lending solutions — empowering our customers by addressing their Enterprise Risk Management needs.

Make Big Things Happen.

 

Looking for Banker’s Toolbox? You are in the Right Place!

Banker’s Toolbox is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to Banker’s Toolbox Community Online.

Make yourself at home!