Risk Management Guidance on Third-Party Relationships
By Nick Shakarjian
What banks need to know to meet compliance with the OCC’s requirements for vendor due diligence.
Examiners have always expected banks and credit unions to perform appropriate vendor due diligence prior to engaging a third party. But with its October 2013 guidance, “Third-Party Relationships”, the OCC provided definitions and guidelines that give OCC-supervised banks a risk management framework.
As the announcement points out, banks face new and increased operational, compliance, reputation, strategic and credit risks when entering into an agreement with a third party, especially when the agreement covers “critical activities”. As such, the OCC asks banks to develop a risk management process proportionate to the level of risk within the relationship. A variety of third-party solutions are available to help with this framework, but whichever approach a bank takes, it should be mindful of these expectations.
“Critical activities” are described as significant bank functions, services or activities that could have a major impact on the bank’s operations. Comptroller of the Currency Thomas Curry explains: “We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic. This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.” The new guidance set forth by the OCC supersedes prior Bulletin 2001-47, “Third Party Relationships: Risk Management Principles” and OCC Advisory Letter 2009-9, “Third-Party Risk”.
Third-party relationships are defined as a business arrangement between a bank and an outside entity, by contract or otherwise. Examples include tax, legal, audit and information technology services. When entering into agreements with third parties, it is the responsibility of the board members and senior management to ensure that contracted activities fall in line with regulatory guidance and uphold the safety and soundness of the institution.
When circumstances warrant, the OCC will apply corrective measures to ensure banks’ relationship management standards are appropriate, and these measures could include enforcement actions, special examinations and the assessment of civil money penalties.
On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. While the Federal Reserve’s guidance is less comprehensive than the new guidance set forth by the OCC, many of the themes are similar.
Risk Management Life Cycle
As banks continue to increase the number and complexity of third-party relationships, the OCC is concerned that the quality of risk management in the relationship may not be commensurate with the level of inherent risk. This includes proper due diligence when selecting a vendor, but it also extends into the relationship.
An effective risk management process includes a continuous lifecycle for all third-party relationships and covers:
• Due diligence and third-party selection
• Contract negotiation
• Ongoing monitoring
Prior to entering into a third-party relationship, management should develop a plan establishing the goal of the relationship and the scope of the contract. This enables the bank to discuss inherent risks and evaluate how the contracted activity relates to the bank’s overall strategic goals, objectives and risk appetite — what impact would such a relationship have? Banks are also encouraged to perform a cost-benefit analysis at this stage to determine if the potential benefit (e.g. cost reductions, expanded bank operations, increased efficiencies, heightened expertise) outweighs the estimated cost (e.g. integration and subscription fees, training, additional staffing, interruption to existing programs) and how it might impact information security. A detailed process as to how the bank will select, assess and oversee the third party must be presented to and approved by the bank’s board of directors when contracting critical activities.
An in-depth assessment of the third party’s ability to perform the activity while complying with regulatory guidelines should be performed before entering into a contract or relationship. Banks should not rely on experience with or prior knowledge of the third party, and the level of due diligence should be commensurate with the risk and complexity of the relationship. In practical terms, this means a core system that houses all the bank’s loan and customer data might require more attention than a relationship contracted to print deposit slips.
It is management’s responsibility to review and determine whether or not the third party meets expectations. If critical activities are part of the contract, senior management must present the due diligence results to the board for approval when making recommendations on third-party relationships.
Upon selecting a third party, a bank’s management will likely negotiate or review a contract detailing the responsibilities of each party. Contracts should fully describe compensation, fees and the circumstances under which the cost structure may be changed. Moreover, contracts need to specify what constitutes default and stipulate the conditions for termination. Banks should also re-visit existing contracts to ensure they comply with risk controls and legal protections.
The contract should also cover performance expectations, and it’s recommended for a bank to use industry standards to evaluate the contract’s service level agreement. For software, these standards might measure:
1. service availability
2. responsiveness of support requests
3. update or enhancement timelines
Again, senior management will need to get approval from the board on all contracts, prior to execution, when critical activities are involved.
Once a contract with a third party has been executed, bank management should dedicate staff with expertise and authority to oversee and monitor the relationship, especially if it involves critical activities. The criticality of an activity may change over time, making a relationship more or less of a source of risk.
Consequently, banks will need to adapt their monitoring accordingly. Many of the due diligence criteria will extend throughout the contract’s lifetime, so banks are expected to include these reviews as part of the ongoing monitoring process. In instances where a discrepancy or issue is identified, senior management should take action and escalate significant issues to the board.
The termination phase of the risk management lifecycle is new to OCC guidance. Under the new guidance, banks are required to implement risk management controls and maintain them through the termination phase, or the end of the contract. Contracts with third parties may be terminated by the bank for several different reasons, including expiration, breach of contract, vendor change or the decision to bring the activity in-house. It’s management’s responsibility to have a plan in place and to be proactive in the event of a contract default or termination, ensuring compliance throughout the entire relationship. A bank’s contingency plan should address reputation risks, joint intellectual property, and data retention and destruction in accordance with regulatory laws and guidelines.
Throughout the lifecycle, there are ongoing expectations laid out by regulators:
• Oversight and accountability
• Documentation and reporting
• Independent reviews
A bank’s senior management should ensure that periodic, independent reviews are conducted on its third-party risk management process. An internal auditor or independent third party may perform the review, in which case senior management is expected to present the results to the board of directors.
These results will help management determine whether and how to adjust the bank’s risk management process, policy, reporting and controls. As the figure from the OCC guidance shows, it’s an iterative and repeated process that will be refined through time.
The aforementioned criteria and expectations are indispensable when dealing with third parties.
Under the new OCC guidance, it is the senior management’s responsibility to develop and implement the bank’s third-party risk management process; however, it is up to the board of directors to approve any of the bank’s risk-based policies and contracts encompassing critical activities.
This OCC guidance does put more of the onus on the board compared to recommendations put out by the Federal Reserve. But in both cases, there is a clear effort and expectation from the OCC and Federal Reserve for banks to be more attentive to and proactive with third-party relationships and inherent risk.
Nick Shakarjian is a director at Sageworks.