OCC Issues Updated Risk Management Guidance On Third-Party Relationships


The Office of the Comptroller of the Currency (“OCC”) has revised its risk management guidance on third-party relationships, advising banks to adopt risk management processes that provide more comprehensive oversight and management of third-party relationships involving critical bank activities. The guidance applies only to national banks and federal savings associations; however, state-chartered banks are subject to guidance issued by the Federal Deposit Insurance Corporation (“FDIC”) on this topic, and credit unions are subject to guidance issued by the National Credit Union Administration (“NCUA”) on this topic.

As banks continue to increase not only the number but also the complexity of their relationships with both foreign and domestic third parties, the OCC is concerned that the quality of risk management may not be keeping pace with those changes. The updated guidance states that banks should adopt risk management processes that are proportionate to the level of risk and complexity of third-party relationships and that ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

To manage risks associated with third-party relationships, the OCC advises banks to:

  • Develop plans that outline the bank’s strategy, identify inherent risks of the activity and detail how the bank will select, assess and oversee the third party;
  • Perform proper due diligence when selecting a third-party provider, which includes, but is not limited to, reviewing and evaluating the third party’s overall business strategy, legal and regulatory compliance program, depth of resources, previous experience and risk management program;
  • Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
  • Conduct ongoing monitoring of the third party’s activities and performance;
  • Execute a plan to terminate the relationship in a manner that allows the bank to transition the activities to another third party, bring the activities in-house or discontinue the activities;
  • Assign clear roles and responsibilities for overseeing and managing the third-party relationship and risk management process;
  • Maintain proper documentation and reporting to facilitate oversight, accountability, monitoring and risk management; and
  • Conduct independent reviews of the risk management process to enable management to assess whether the bank’s process aligns with its strategy and effectively manages risks.

As a result of this guidance, the OCC has rescinded its previous Bulletin 2001-47 entitled “Third-Party Relationships: Risk Management Principles” and Advisory Letter 2000-9 entitled “Third-Party Risk.”

The complete guidance can be found on the OCC’s website at http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html. Guidance by the FDIC on this topic can be found at http://www.fdic.gov/news/news/financial/2008/fil08044a.html, and guidance by the NCUA can be found at http://www.ncua.gov/Resources/Documents/LCU2007-13ENC.pdf.

Topics:  FDIC, OCC, Risk Management, Third-Party, Third-Party Relationships

Published In: General Business Updates, Finance & Banking Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cullen and Dykman LLP | Attorney Advertising
