Nick Shakarjian, Sageworks

Risk Management Guidance on Third-Party Relationships

What banks need to know to meet compliance with the OCC's requirements for vendor due diligence.

Upon selecting a third party, a bank’s management will likely negotiate or review a contract detailing the responsibilities of each party. Contracts should fully describe compensation, fees and the circumstances under which the cost structure may be changed. Moreover, contracts need to specify what constitutes default and stipulate the conditions for termination. Banks should also re-visit existing contracts to ensure they comply with risk controls and legal protections.

The contract should also cover performance expectations, and it’s recommended for a bank to use industry standards to evaluate the contract’s service level agreement. For software, these standards might measure:

1. service availability

2. responsiveness to support requests

3. update or enhancement timelines

Again, senior management will need to get approval from the board on all contracts, prior to execution, when critical activities are involved.

Ongoing Monitoring

Once a contract with a third party has been executed, bank management should dedicate staff with expertise and authority to oversee and monitor the relationship, especially if it involves critical activities. And the criticality of an activity may change over time, making a relationship more or less of a source of risk.

Consequently, banks will need to adapt their monitoring accordingly. Many of the due diligence criteria will extend throughout the contract’s lifetime, so banks are expected to include these reviews as part of the ongoing monitoring process. In instances where a discrepancy or issue is identified, senior management should take action and escalate significant issues to the board.


The termination phase of the risk management lifecycle is new to OCC guidance. Under the new guidance, banks are required to implement risk management controls and maintain them through the termination phase, or the end of the contract. Contracts with third parties may be terminated by the bank for several different reasons, including expiration, breach of contract, vendor change or the decision to bring the activity in-house. It’s management’s responsibility to have a plan in place and to be proactive in the event of a contract default or termination, ensuring compliance throughout the entire relationship. A bank’s contingency plan should address reputation risks, joint intellectual property, and data retention and destruction in accordance with regulatory laws and guidelines.

Throughout the lifecycle, there are ongoing expectations laid out by regulators:

• Oversight and accountability

• Documentation and reporting

• Independent reviews

Independent Reviews

A bank’s senior management should ensure that periodic, independent reviews are conducted on its third-party risk management process. An internal auditor or independent third party may perform the review, in which case senior management is expected to present the results to the board of directors.

These results will help management determine whether and how to adjust the bank’s risk management process, policy, reporting and controls. As the figure from the OCC guidance shows, it’s an iterative and repeated process that will be refined through time.

Figure: the third-party risk management lifecycle, from the OCC guidance. Photo courtesy of Sageworks.

The aforementioned criteria and expectations are indispensable when dealing with third parties.

Under the new OCC guidance, it is the senior management’s responsibility to develop and implement the bank’s third-party risk management process; however, it is up to the board of directors to approve any of the bank’s risk-based policies and contracts encompassing critical activities.

This OCC guidance does put more of the onus on the board compared to recommendations put out by the Federal Reserve. But in both cases, there is a clear effort and expectation from the OCC and Federal Reserve for banks to be more attentive to and proactive with third-party relationships and inherent risk.

Nick Shakarjian is a director at Sageworks.

User Rank: Author
3/9/2014 | 2:40:49 AM
re: Risk Management Guidance on Third-Party Relationships
Presumably firms would already have been doing strict reviews of the third parties they are dealing with to ensure they have proper protocols, but that appears to not be the case.