On Jan. 24, the Office of the Comptroller of the Currency issued supplemental examination procedures for risk management of third-party relationships for national banks and federal savings associations. The new procedures significantly expand those in the OCC’s Corporate and Risk Governance Comptroller’s Handbook.
The new examination procedures, along with the existing third-party relationships guidance found in OCC Bulletin 2013-29, provide the framework for what the OCC is expecting in an institution’s oversight of its third-party relationships.
Beginning with the full lineup of partners
Examiners will be starting their review of a bank’s third-party relationship risk management by asking for the bank’s full inventory of such arrangements.
The examination procedures evaluate whether this inventory includes not only all “critical activities,” but also relationships involving subcontractors, affiliates, and technology-based services storing bank data. (The procedures consider the following to be “critical activities”: payments, clearing, settlements, custody, information technology, or other activities that could cause a bank to face significant risk if the third party fails to meet expectations.)
Due diligence process examined
The institution’s due diligence that went into selecting third-party relationships will be scrutinized. The examination procedures include evaluation of the third party’s use of subcontractors; the third party’s policies and procedures; the third party’s independent audit reports; and the third party’s customer complaints.
Institutions are expected to conduct adequate due diligence of third parties, which includes comparing the cost of providing the services internally versus outsourcing (a good business practice). The process also extends to verifying whether the third party and its subcontractors have publicly known outstanding issues with regulatory entities or law enforcement agencies.
What have you put in writing?
Examiners will review a sample of contracts between the institution and third parties. In this review the officials will consider whether the contracts:
• Adequately address cost and compensation.
• Specify performance measures or benchmarks that define expectations and responsibilities for both parties.
• Address the institution’s responsibility to audit and require remediation, if necessary.
• Address how the third parties or their subcontractors should disclose information security breaches in a timely manner.
• Address activities that cannot be subcontracted.
• Require third parties to maintain appropriate insurance and provide evidence of coverage.
Just to name a few…
Importance of ongoing monitoring
Ongoing monitoring is key to the risk management life cycle and integral to the examination process.
Examiners are evaluating whether management periodically reviews third-party relationships. They want to know if the institution periodically re-evaluates the criticality of the relationship. A non-critical third-party relationship last year might become a critical third-party relationship this year.
The level of monitoring will be challenged based on the risk and criticality, with on-site monitoring expected of more critical third-party relationships.
Impact on customers scrutinized
Customer complaints play a prominent role in these examination procedures, as they do in all of examination-dom. Under the category of “reputation risk” associated with the use of third parties, the examination procedures focus on how well the institution manages the customer complaints associated with third parties.
Examiners are expected to determine:
• If the institution’s contracts with third parties make the third party responsible for responding to customer complaints adequately and promptly and for providing the institution with reporting about customer complaints.
• If the institution obtains customer complaint information or regular reports from third parties and their subcontractors.
• The adequacy of the institution’s processes for receiving and analyzing customer complaint information from third parties and their subcontractors and taking appropriate action.
All banks covered by vendor management concerns
Third-party relationship risk management is a significant examination focus. It is not limited to critical operational functions. It is not limited to large or even medium-size institutions. It has an impact on operational risk, compliance risk, strategic risk, reputational risk, credit risk, and management risk.
There is much more information in the Supplemental Examination Procedures for Risk Management of Third Party Relationships. Consider this required reading!