OCC Adds Substantial New Risk Management Burdens for Third-Party Relationships


The Office of the Comptroller of the Currency (OCC) recently issued a new Bulletin 2013-29 containing substantially more onerous risk management guidance for third-party business relationships (3PRs) of national banks and federal savings associations. Predicated on concerns about the growing volume, diversity, and complexity of both domestic and foreign 3PRs and what OCC identifies as new or increased risks (operational, compliance, reputation, strategic, and credit) attending such relationships, the Bulletin updates prior OCC guidance on 3PRs.

Other agencies, such as the FDIC, have previously issued guidance on risk management for 3PRs and identified heightened concerns regarding what they view as higher-risk activities. (Our recent legal alert discussed the FDIC's new supervisory approach to payment processing relationships, whether direct or indirect through third parties (3Ps), with merchants engaged in higher-risk activities.)

The Bulletin develops a theme intoned by Comptroller Thomas J. Curry in a September 2013 speech in which he announced a program of "heightened expectations" for large banks, such as "strong" internal controls and audit functions ("satisfactory" ratings will no longer be acceptable) and "significant engagement" by directors, including the knowledge and focus to present a "credible challenge" to management.

OCC intends to issue regulations formalizing its "heightened expectations" program. The Bulletin moves in that direction by stressing the integration of 3PR risk management into an institution's strategic goals and risk appetite, all of which should be embodied in a plan and board-approved policies for the selection, assessment (including due diligence), and monitoring of vendors, consultants, and others with whom the bank does business. For 3PRs involving "critical activities" (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., IT) that could pose material risks to the bank, the Bulletin indicates that OCC examiners will expect to find comprehensive and rigorous oversight by the bank and its senior management.

The Bulletin contains a fairly detailed discussion of a national bank's responsibilities in the life cycle of 3PRs:

  • Planning and selection
  • Due diligence
  • Contract negotiation and terms (especially important with foreign 3PRs that operate under different legal systems and cultures and are difficult to monitor)
  • Ongoing monitoring
  • Contingency plans for termination of the 3PR
  • Oversight and accountability
  • Documentation and reporting
  • Periodic independent reviews of the 3PR risk management process

While much of the Bulletin is sensible enough in the abstract, the additional compliance burden will be substantial and costly, particularly for community banks, which often must outsource necessary functions that they cannot realistically perform in-house. Although Comptroller Curry's "heightened expectations" as described in his September speech were explicitly directed only at large banks, the Bulletin conspicuously notes its own applicability to community banks. Unfortunately, the capacity of private sector financial institutions to shoulder a cumulative and ever-increasing compliance burden is not unlimited.

The actions that the Bulletin requires national banks to take with regard to 3PRs include the following:

  • An assessment of the 3P's financial condition, "growth, earnings, pending litigation, unfunded liabilities," etc., as "comprehensive as if [the bank were] extending credit"
  • Ensuring that the 3P "periodically conducts thorough background checks on its senior management"
  • Evaluating the 3P's legal and regulatory compliance program, including whether it has "the expertise, processes, and controls to enable the bank to remain compliant with domestic and international laws and regulations"
  • Ongoing monitoring that is tantamount to an ongoing due diligence process

We are unconvinced that many 3Ps involved in 3PRs, which largely comprise unregulated, nonfinancial businesses, will find the level of intrusiveness contemplated by the Bulletin acceptable. This is particularly true for those 3Ps (like some cloud computing businesses) whose market share could result in their bank customers, of whatever size, having insufficient leverage to negotiate for what the Bulletin contemplates. The OCC's expectation that a 3P that is not itself a regulated entity would, by virtue of doing business with a national bank or federal thrift, become (or contractually consent to become) "subject to OCC examination oversight, including access to all work papers, drafts, and other materials" is, in our view, a disincentive for 3Ps to do business with national banks and federal thrifts.

Thus, the natural consequence (perhaps unintended) of the Bulletin will likely be a reduction in the number of 3Ps willing to do business with federally chartered depository institutions or increased costs to such institutions for 3P goods and services. Unless the Federal Reserve and the FDIC promulgate similarly burdensome guidance, the Bulletin will result in a competitive advantage for state-chartered institutions.