Examiners have always expected banks and credit unions to perform appropriate vendor due diligence prior to engaging a third party. But with October 2013 guidance, "Third-Party Relationships", the OCC provided definitions and guidelines for OCC banks as a risk management framework.
As the announcement points out, banks face new and increased operational, compliance, reputation, strategic and credit risks when entering into an agreement with a third party, especially when the agreement covers “critical activities”. As such, the OCC asks banks to develop a risk management process proportionate to the level of risk within the relationship. A variety of third-party solutions are available to help banks implement this framework, but whichever approach a bank takes, responsibility for managing the risk stays with the bank.
“Critical activities” are described as significant bank functions, services or activities that could have a major impact on the bank’s operations. Comptroller of the Currency Thomas Curry explains: “We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic. This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.” The new guidance set forth by the OCC supersedes prior Bulletin 2001-47, “Third Party Relationships: Risk Management Principles” and OCC Advisory Letter 2009-9, “Third-Party Risk”.
Third-party relationships are defined as a business arrangement between a bank and an outside entity, by contract or otherwise. Some examples are tax, legal, audit or information technology. When a bank enters into agreements with third parties, it is the responsibility of the board members and senior management to ensure that contracted activities fall in line with regulatory guidance and uphold safety and soundness for the institution.
When circumstances warrant, the OCC will apply corrective measures to ensure banks’ relationship management standards are appropriate, and these measures could include enforcement actions, special examinations and the assessment of civil money penalties.
On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. While the Federal Reserve’s guidance is less comprehensive than the new guidance set forth by the OCC, many of the themes are similar.
Risk Management Life Cycle
As banks continue to increase the number and complexity of third-party relationships, the OCC is concerned that the quality of risk management in the relationship may not be commensurate with the level of inherent risk. This includes proper due diligence when selecting a vendor, but it also extends throughout the life of the relationship.
An effective risk management process includes a continuous lifecycle for all third-party relationships and covers:
• Due diligence and third-party selection
• Contract negotiation
• Ongoing monitoring
Prior to entering into a third-party relationship, management should develop a plan establishing the goal of the relationship and the scope of the contract. This enables the bank to discuss inherent risks and evaluate how the contracted activity relates to the bank’s overall strategic goals, objectives and risk appetite, and what impact such a relationship would have. Banks are also encouraged to perform a cost-benefit analysis at this stage to determine whether the potential benefit (e.g. cost reductions, expanded bank operations, increased efficiencies, heightened expertise) outweighs the estimated cost (e.g. integration and subscription fees, training, additional staffing, interruption to existing programs), and to consider how the relationship might affect information security. When contracting critical activities, a detailed process describing how the bank will select, assess and oversee the third party must be presented to and approved by the bank’s board of directors.
An in-depth assessment of the third party’s ability to perform the activity while complying with regulatory guidelines should be performed before entering into a contract or relationship. Banks should not rely on experience with or prior knowledge of the third party, and the level of due diligence should be commensurate with the risk and complexity of the relationship. In practical terms, this means a core system that houses all the bank’s loan and customer data might require more attention than a relationship contracted to print deposit slips.
It is management’s responsibility to review and determine whether or not the third party meets expectations. If critical activities are part of the contract, senior management must present the due diligence results to the board for approval when making recommendations on third-party relationships.