On October 30, the Office of the Comptroller of the Currency (OCC) issued guidance (Bulletin 2013-29) to national banks and federal savings associations (collectively, banks) for assessing and managing risks associated with third-party relationships. A third-party relationship is “any business arrangement between a bank and another entity, by contract or otherwise.” The bulletin rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles” and OCC Advisory Letter 2000-9, “Third-Party Risk.” The OCC “expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.” The OCC “is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.” The OCC stated that it has identified instances in which bank management has
-
Failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.
-
Failed to perform adequate due diligence and ongoing monitoring of third-party relationships.
-
Entered into contracts without assessing the adequacy of a third party’s risk management practices.
-
Entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.
-
Engaged in informal third-party relationships without contracts in place.
According to the OCC, an effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:
-
Planning: Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful for many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.
-
Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.
-
Contract negotiation: Developing a contract that clearly defines the expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability and mitigate disputes about performance.
-
Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.
-
Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied in response to contract default, or in response to changes to the bank’s or third party’s business strategy.
In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:
-
Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework to enable continuous oversight and accountability.
-
Documentation and reporting: Proper documentation and reporting to facilitate oversight, accountability, monitoring and risk management associated with third-party relationships.
-
Independent reviews: Conducting periodic independent reviews of the risk management process to enable management to assess whether the process aligns with the bank’s strategy and effectively manage risk posed by third-party relationships.
The entire Bulletin is available here.
