On October 30, 2013, the Office of the Comptroller of the Currency (“OCC”) issued a bulletin on “Risk Management Guidance” which will have wide-ranging implications for all vendors of national banks and federal savings associations. The bulletin provides new guidance for assessing and managing compliance risks associated with third-party relationships. A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.
Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records. Affiliate relationships are also subject to sections 23A and 23B of the Federal Reserve Act (12 USC 371c and 12 USC 371c-1) as implemented in Regulation W (12 CFR 223). Third-party relationships generally do not include customer relationships.
The OCC stated that it “expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of 3rd parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
The OCC released the bulletin in response to the ongoing concern that banks were continuing to increase the number and complexity of third-party relationships with both foreign and domestic third parties. Specifically, it highlighted:
(1) outsourcing entire bank functions to third parties, such as tax, legal, audit, or information technology operations;
(2) outsourcing lines of business or products;
(3) relying on a single third party to perform multiple activities, often to such an extent that the third party becomes an integral component of the bank’s operations;
(4) working with third parties that engage directly with customers;
(5) contracting with third parties that subcontract activities to other foreign and domestic providers;
(6) contracting with third parties whose employees, facilities, and subcontractors may be geographically concentrated; and
(7) working with a third party to address deficiencies in bank operations or compliance with laws or regulations.
The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. The OCC has identified instances in which bank management has:
(1) failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.
(2) failed to perform adequate due diligence and ongoing monitoring of third-party relationships.
(3) entered into contracts without assessing the adequacy of a third party’s risk management practices.
(4) entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.
(5) engaged in informal third-party relationships without contracts in place.
These examples represent trends whose associated risks reinforce the need for banks to maintain effective risk management practices over third-party relationships.