Reining in Third Party Risks

Yesterday, the Office of the Comptroller of the Currency (OCC) issued one of the most important statements of policy guidance to national bankers this year, particularly for community bankers.  And I say that knowing about all of the Dodd-Frank rulemaking and Basel III-related bank capital and liquidity management guidance recently proposed.

The OCC policy guidance relates to assessing and managing risks associated with third-party relationships.  It is contained in OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance.

What precipitated this update in the OCC's guidance on third-party relationships?  Here are the stated reasons:

"Banks continue to increase the number and complexity of relationships with both foreign and domestic third parties, such as

• outsourcing entire bank functions to third parties, such as tax, legal, audit, or information technology operations.
• outsourcing lines of business or products.
• relying on a single third party to perform multiple activities, often to such an extent that the third party becomes an integral component of the bank’s operations.
• working with third parties that engage directly with customers.
• contracting with third parties that subcontract activities to other foreign and domestic providers.
• contracting with third parties whose employees, facilities, and subcontractors may be geographically concentrated.
• working with a third party to address deficiencies in bank operations or compliance with laws or regulations.

The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. The OCC has identified instances in which bank management

• failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.

• failed to perform adequate due diligence and ongoing monitoring of third-party relationships.

• entered into contracts without assessing the adequacy of a third party’s risk management practices.

• has entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.

• engaged in informal third-party relationships without contracts in place.

Possibly, one background reason for the issuance of this OCC Bulletin may be the recent concerns about "the world's largest global provider dedicated to banking and payments technologies" (2012 Annual Report for FIS).  Check out this write-up on the distinguished news site Krebs on Security.

Key Points to Keep in Mind

Every banker needs to be aware that third-parties are not just defined as transaction processing entities.  The OCC definition includes ALL third-party arrangements, including arrangements with independent consultants.  Here's the definition:

"...activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records. Affiliate relationships are also subject to sections 23A and 23B of the Federal Reserve Act (12 USC 371c and 12 USC 371c-1) as implemented in Regulation W (12 CFR 223). Third-party relationships generally do not include customer relationships."

It sets formal risk management expectations for these third-party relationships so that they are managed in a safe and sound manner.  The OCC Bulletin provides comprehensive guidance and is an excellent template for every bank to use to assess the degree of risk present in the bank's existing or contemplated third party relationships.  It is incumbent on every bank board of directors to use the guidance outlined in this Bulletin to benchmark their own bank against these standards.

Time is of the essence since examiners will be referring to this guidance during the course of their regular bank examinations going forward.

Here are the highlights:

• A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships. 
• A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
• An effective risk management process throughout the life cycle of the relationship includes
• plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.

• proper due diligence in selecting a third party.

• written contracts that outline the rights and responsibilities of all parties.

• ongoing monitoring of the third party’s activities and performance.

• contingency plans for terminating the relationship in an effective manner.

• clear roles and responsibilities for overseeing and managing the relationship and risk management process.

• Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.

• Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

Many community banks may already be informally doing several of these things under earlier guidance provided by the OCC, but now that guidance has been significantly expanded and clarified.  It is extremely important that the risk management process over third-party relationships be formalized so that they can be reviewed by examiners through the periodic examination process.  The guidance is very specific about the duties and responsibilities of boards of directors, senior bank management, and bank employees who directly manage these relationships.  It also sets very granular standards for required independent reviews of the bank's third-party risk management process.  

My biggest concern with the OCC guidance, typical of major policy guidance issuances from all federal bank regulatory agencies, is that no grace period (like 60/90/180 days) has been specified before examiners would begin to enforce this updated guidance and write up Matters Requiring Attention (MRAs) in their reports of examination.

The slow unbundling of the typical community bank, over the last three decades, into a amalgamation of platforms and services provided by other parties makes this bank supervision initiative by the OCC a major, vital, and welcome exercise of its prudential bank supervision authority.  Unfortunately, for many community bank boards of directors, it also comes with a lot of work involved and little time to do it.