OCC Issues Guidance for Third Party Vendor Management
by: Anna DeSimone
October 30, 2013 the Office of the Comptroller of the Currency (OCC) issued updated guidance on third-party risks and vendor management. The guidelines note eight specific areas where banking institutions are expected to make improvements to their vendor management programs related to third-party relationships.
Risk Management Guidance
The OCC recommends banking institutions better manage their third-party risks by following these practices:
-
Develop plans that outline and identify inherent risks associated with the third-party activity and detail how the banking institution will select, assess and oversee the third party;
-
Perform proper due diligence in selecting a third-party provider;
-
Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
-
Continually monitor third parties’ activities and performance;
-
Execute plans to terminate a relationship with a third-party if certain criteria are not met, and ensure that the bank is able to transition the outsourced activities to another third party, bring those activities in-house, or discontinue those activities all together;
-
Assign clear roles and responsibilities for overseeing and managing third-party relationships and the risk management processes;
-
Maintain proper documentation and reporting to facilitate oversight, accountability, monitoring and adequate risk management;
-
Conduct independent reviews of the risk management process to ensure that the bank’s processes can effectively manage risks from third-party relationships.
The OCC’s bulletin points out that its updated guidance rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” and OCC Advisory Letter 2000-9, “Third-Party Risk.”
Community Banks
The OCC guidance applies to all banks with third-party relationships. A community bank is expected to adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships. The OCC expects the community bank’s board and management to identify those third-party relationships that involve critical activities and ensure the bank has risk management practices in place to assess, monitor, and manage the risks.
Risk Management Life Cycle
The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures. Therefore, the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities – significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that
-
could cause a bank to face significant risk if the third party fails to meet expectations.
-
could have significant customer impacts.
-
require significant investment in resources to implement the third-party relationship and manage the risk.
-
could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.
An effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:
-
Planning
-
Due diligence and third-party selection
-
Contract negotiation
-
Ongoing monitoring
-
Termination
-
Oversight and accountability
-
Documentation and reporting
-
Independent reviews
Responsibility for Compliance With Applicable Laws and Regulations
The OCC guidance states that institutions must ensure the contract addresses compliance with the specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved, including provisions that outline compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) (including privacy and safeguarding of customer information); BSA/AML; OFAC; and Fair Lending and other consumer protection laws and regulations. Ensure that the contract requires the third party to maintain policies and procedures which address the bank’s right to conduct periodic reviews so as to verify the third party’s compliance with the bank’s policies and expectations. Ensure that the contract states the bank has the right to monitor on an ongoing basis the third party’s compliance with applicable laws, regulations, and policies and requires remediation if issues arise.
Risks Associated With Third-Party Relationships
The OCC guidance states that the use of third parties reduces management’s direct control of activities and may introduce new or increase existing risks, specifically, operational, compliance, reputation, strategic, and credit risks and the interrelationship of these risks. Increased risk most often arises from greater complexity, ineffective risk management by the bank, and inferior performance by the third party. Refer to the “Bank Supervision Process” booklet of the Comptroller’s Handbook for an expanded discussion of banking risks and their definitions.
• Operational Risk
• Compliance Risk
• Reputation Risk
• Strategic Risk
• Credit Risk
About the Author:
Anna DeSimone is President and Founder of Bankers Advisory, Inc. She can be reached at anna@bankersadvisory.com
Anna DeSimone founded Bankers Advisory in 1986 and is a nationally recognized authority in residential mortgage lending. She has received numerous industry awards and has authored more than 40 best practices guides and hundreds of articles.
A test to determine whether a contract is successfully managed is whether the client was able to attain what he needed from the supplier or obligor when the contract is enforced. Conscientiousness and a great deal of accuracy are required from this stage up to when the terms and conditions of the contract is specified and written down as an enforceable obligation.
project contract management