Risk management guidance on third party relationships
Examiners have always expected banks and credit unions to perform appropriate vendor due diligence prior to engaging a third party. But with its October 2013 guidance, Third-Party Relationships, the OCC provided definitions and guidelines for OCC banks as a risk management framework.
As the announcement points out, banks face new and increased operational, compliance, reputation, strategic and credit risks when entering into an agreement with a third party, especially when the agreement covers “critical activities.” As such, the OCC asks banks to develop a risk management process proportionate to the level of risk within the relationship.
A third-party relationship is defined as a business arrangement between a bank and an outside entity, by contract or otherwise. Some examples are tax, legal, audit or information technology relationships. When a bank enters into agreements with third parties, it is the responsibility of board members and senior management to ensure that contracted activities fall in line with regulatory guidance and uphold safety and soundness for the institution.
“Critical activities” are described as significant bank functions, services or activities that could have a major impact on the bank’s operations. Comptroller of the Currency Thomas Curry explains: “We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic. This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.” The new guidance set forth by the OCC supersedes prior Bulletin 2001-47, “Third Party Relationships: Risk Management Principles” and OCC Advisory Letter 2009-9, “Third-Party Risk.”
When circumstances warrant, the OCC will apply corrective measures to ensure banks’ relationship management standards are appropriate, and these measures could include enforcement actions, special examinations and the assessment of civil money penalties.
On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. While the Federal Reserve’s guidance is less comprehensive than the new guidance set forth by the OCC, many of the themes are similar.
For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper Risk Management Guidance on Third Party Relationships.