HB Ad Slot
HB Mobile Ad Slot
Office of the Comptroller of the Currency (OCC) Issues Risk Management Guidance
Friday, November 1, 2013

On October 30, the Office of the Comptroller of the Currency (OCC) issued guidance (Bulletin 2013-29) to national banks and federal savings associations (collectively, banks) for assessing and managing risks associated with third-party relationships. A third-party relationship is “any business arrangement between a bank and another entity, by contract or otherwise.” The bulletin rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles” and OCC Advisory Letter 2000-9, “Third-Party Risk.” The OCC “expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.” The OCC “is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.” The OCC stated that it has identified instances in which bank management has 

  • Failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.

  • Failed to perform adequate due diligence and ongoing monitoring of third-party relationships.

  • Entered into contracts without assessing the adequacy of a third party’s risk management practices.

  • Entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.

  • Engaged in informal third-party relationships without contracts in place. 

According to the OCC, an effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases: 

  • Planning: Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful for many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.

  • Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.

  • Contract negotiation: Developing a contract that clearly defines the expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability and mitigate disputes about performance.

  • Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.

  • Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied in response to contract default, or in response to changes to the bank’s or third party’s business strategy. 

In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:

  • Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework to enable continuous oversight and accountability.

  • Documentation and reporting: Proper documentation and reporting to facilitate oversight, accountability, monitoring and risk management associated with third-party relationships.

  • Independent reviews: Conducting periodic independent reviews of the risk management process to enable management to assess whether the process aligns with the bank’s strategy and effectively manage risk posed by third-party relationships. 

The entire Bulletin is available here.

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins