The OCC issued guidance to national banks and federal savings associations in assessing and managing risks related to third-party relationships. The OCC defines a third-party relationship as “any business arrangement between a bank and another entity, by contract or otherwise.” In the guidance, the OCC states that a bank’s failure to have an effective risk management process that is “commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.” Specifically, the OCC’s supervisory expectation is that a bank will (throughout the life cycle of each third-party relationship) manage its third-party relationship risks by taking the certain actions, including developing a plan that outlines the bank’s strategy, identifies the inherent risks of the activity, and details how the bank will select, assess, and oversee the third party; performing proper due diligence to identify risks and select a third-party provider; conducting ongoing monitoring of the third party’s activities and performance; and conducting independent reviews of the risk management process to enable management to assess that the Bank’s process aligns with its strategy and effectively manages risks from third-party relationships, among other things.

IRS Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this informational piece (including any attachments) is not intended or written to be used, and may not be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.