On October 30, the OCC issued updated risk management guidance for national banks and federal savings associations related to third-party relationships. The banks should:
-
Develop a plan that outlines the bank’s strategy, identifies the inherent risks of the activity and details how the bank will select, assess and oversee the third party;
-
Perform proper due diligence to identify risks and select a third-party provider;
-
Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
-
Conduct ongoing monitoring of the third party’s activities and performance;
-
Execute a plan to terminate the relationship in a manner that allows the bank to transition the activities to another third party, bring the activities in-house or discontinue the activities;
-
Provide for clear responsibilities for overseeing and managing third-party relationships and the risk management process;
-
Maintain proper documentation and reporting to encourage oversight, accountability, monitoring and risk management; and
-
Independently review the risk management process to enable management to assess that the bank’s process aligns with its strategy and effectively manages risks from third-party relationships.
The guidance rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” and OCC Advisory Letter 2000-9, “Third-Party Risk.” Release. Guidance.