Upon selecting a third party, a bank’s management will likely negotiate or review a contract detailing the responsibilities of each party. Contracts should fully describe compensation, fees and the circumstances under which the cost structure may be changed. Moreover, contracts need to specify what constitutes default and stipulate the conditions for termination. Banks should also re-visit existing contracts to ensure they comply with risk controls and legal protections.
The contract should also cover performance expectations, and it’s recommended for a bank to use industry standards to evaluate the contract’s service level agreement. For software, these standards might measure:
1. service availability
2. responsiveness to support requests
3. update or enhancement timelines
Again, senior management will need to get approval from the board on all contracts, prior to execution, when critical activities are involved.
Once a contract with a third party has been executed, bank management should dedicate staff with expertise and authority to oversee and monitor the relationship, especially if it involves critical activities. And the criticality of an activity may change over time, making a relationship more or less of a source of risk.
Consequently, banks will need to adapt their monitoring accordingly. Many of the due diligence criteria will extend throughout the contract’s lifetime, so banks are expected to include these reviews as part of the ongoing monitoring process. In instances where a discrepancy or issue is identified, senior management should take action and escalate significant issues to the board.
The termination phase of the risk management lifecycle is new to OCC guidance. Under the new guidance, banks are required to implement risk management controls and maintain them through the termination phase, or the end of the contract. Contracts with third parties may be terminated by the bank for several different reasons, including expiration, breach of contract, vendor change or the decision to bring the activity in-house. It’s management’s responsibility to have a plan in place and to be proactive in the event of a contract default or termination, ensuring compliance throughout the entire relationship. A bank’s contingency plan should address reputation risks, joint intellectual property, and data retention and destruction in accordance with regulatory laws and guidelines.
Throughout the lifecycle, there are ongoing expectations laid out by regulators:
• Oversight and accountability
• Documentation and reporting
• Independent reviews
A bank’s senior management should ensure that periodic, independent reviews are conducted on its third-party risk management process. An internal auditor or independent third party may perform the review, in which case senior management is expected to present the results to the board of directors.
These results will help management determine whether and how to adjust the bank’s risk management process, policy, reporting and controls. As the figure from the OCC guidance shows, it’s an iterative and repeated process that will be refined through time.
The aforementioned criteria and expectations are indispensable when dealing with third parties.
Under the new OCC guidance, it is the senior management’s responsibility to develop and implement the bank’s third-party risk management process; however, it is up to the board of directors to approve any of the bank’s risk-based policies and contracts encompassing critical activities.
This OCC guidance does put more of the onus on the board compared to recommendations put out by the Federal Reserve. But in both cases, there is a clear effort and expectation from the OCC and Federal Reserve for banks to be more attentive to and proactive with third-party relationships and inherent risk.
Nick Shakarjian is a director at Sageworks.