On October 30, 2013, the OCC issued a new bulletin providing guidance to national banks and federal savings associations regarding risk management of third party relationships (the Bulletin). The Bulletin rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9.
The Bulletin sets forth a framework that the OCC expects institutions to follow throughout the life of their relationships with third parties, and describes in detail its expectations with respect to each of the five stages of a third party relationship. These stages are as follows:
- Planning. Institutions should develop, before the relationship commences, a plan to manage the relationship that is commensurate with the risk and complexity of the third party relationship.
- Due Diligence and Third Party Selection. Institutions should conduct due diligence on potential third parties prior to entering into a relationship, and the degree of due diligence conducted should be commensurate with the risk and complexity of the relationship. In particular, an institution should consider its own strategies and goals, and the third party's legal and regulatory compliance, experience and reputation, fees, risk management program, information security and systems, human resources management, insurance and conflicting contractual arrangements. Institutions should assess the results of their due diligence review in determining whether the third party will meet the institution's expectations and whether the relationship is advisable.
- Contract Negotiation. Once a third party is selected, the institution should proceed to contract negotiation, and obtain board approval prior to execution if the relationship involves critical activities. The Bulletin notes that "critical activities" include relationships that involve significant institution functions (such as payments, clearing, settlements, custody) or significant shared services (such as information technology), or other activities that (a) could cause an institution to face significant risk if the third party fails to meet expectations, (b) could have significant customer impacts, (c) require significant investment in resources to implement the third party relationship and manage the risk or (d) could have a major impact on institution operations if the institution has to find an alternate third party or if the outsourced activity has to be brought in-house. Contracts negotiated with third parties should clearly specify the rights and responsibilities of the institution and the third party. In particular, any contract should provide for performance measures, information retention requirements, audit rights, confidentiality, OCC supervision and other standard contractual provisions.
- Ongoing Monitoring. Following the execution of a contract and the commencement of a third party relationship, the institution should dedicate staff with the necessary expertise to monitor the relationship at a level commensurate with the risk and complexity of the relationship. This monitoring should address the same areas covered in the due diligence review of the third party, and should cover changes to the third party that could affect the relationship.
- Termination. Institutions should terminate relationships in an efficient manner and, if there is no other third party for the services being provided, the institution should have a plan to provide the services in-house.
The Bulletin also sets forth responsibilities for each of the board, senior management and employees of an institution in the management of third party relationships, and describes how the OCC expects documentation and record keeping to be conducted by an institution with respect to its third party relationships. The Bulletin also requires independent reviews of an institution's third party risk management process and sets forth how the OCC will examine an institution's compliance with the Bulletin.
From a practical and operational standpoint, the Bulletin requires that institutions review their third party risk management program and make any changes necessary to comply with the requirements described above and in the Bulletin. Institutions should do so with the expectation that the OCC will look closely at third party risk management issues in forthcoming examinations, and that the OCC will use particular scrutiny when the relationship involves "critical activities."
The Bulletin may be found here: http://occ.gov/news-issuances/