On October 30 2013 the Office of the Comptroller of the Currency (OCC) released OCC Bulletin 2013-29, "Third-Party Relationships", highlighting the enhanced scrutiny to which national bank engagements of third-party service providers are now subject. The bulletin notes the increasing significance and complexity of these relationships, and raises the concern that banks' risk-management processes may not be keeping pace with these developments. In particular, the OCC has identified deficiencies in banks' risk-management processes that include:
- failing to assess properly and understand the risks and costs of third-party relationships;
- failing to perform adequate due diligence or ongoing monitoring;
- failing to assess a service provider's risk-management practices before entering into a contract;
- entering into contracts that incentivise the service provider to take risks that increase revenue, but may be detrimental to the bank and its customers; and
- engaging in informal relationships without contracts.
In light of these problems, as emphasised through recent agency enforcement actions, the bulletin replaces OCC Bulletin 2001-47, "Third-Party Relationships: Risk Management Principles" and OCC Advisory Letter 2000-9, "Third-Party Risk", with increasingly detailed guidance and more stringent direction regarding banks' ultimate responsibility for their vendors' performance.
National banks should revisit their policies, procedures and processes for evaluating, engaging and monitoring third-party service providers in light of this new articulation of the OCC's supervisory expectations.
Overview of OCC risk management expectations
The OCC makes clear that a national bank's failure to have an effective risk-management process that is "commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice". To develop an effective risk-management process, a bank should formulate a strategy with respect to its third-party relationships and should manage risk throughout each relationship by:
- performing appropriate due diligence;
- executing written contracts;
- engaging in ongoing monitoring;
- establishing contingency plans in the event of termination;
- delineating clear roles, both within the bank and between the bank and its third-party service providers;
- maintaining appropriate documentation and reporting to senior management and the board of directors; and
- conducting independent reviews of the bank's risk-management processes.
More rigorous risk management will be needed for 'critical activities' – that is, those activities that involve significant bank functions (eg, payments, clearing, settlement and custody) or that could cause the bank significant risk, would require a significant commitment of resources or would have a significant effect on customers or bank operations.
The bulletin then walks through each phase of the third-party risk-management life cycle, which the paragraphs that follow track in order:
- planning;
- due diligence;
- contract negotiation;
- ongoing monitoring; and
- termination and contingency planning.
A few highlights are summarised below. In each area, the bulletin differentiates to some extent between requirements expressed as mandates in strong affirmative language and softer 'best practices' framed as actions a bank should 'consider' taking. While the latter language may give banks slightly greater leeway to deal with specific facts and circumstances, institutions should evaluate carefully any proposal to deviate from any of the standards suggested by the bulletin, even where the OCC merely indicates that banks should 'consider' a standard.
A bank's senior management should develop a management plan for its third-party relationships, particularly when critical activities are involved. This plan should account for, among other things:
- risks associated with the outsourced activity;
- the bank's strategy;
- the complexity of the relationship;
- the cost of controlling risks;
- the nature and handling of customer interactions;
- implications for information security;
- specific laws applicable to the third-party activity;
- how the bank will monitor and assess compliance; and
- whether the relationship is consistent with the bank's broader corporate policies.
Elaborating on the unremarkable concept that a bank should conduct due diligence on all prospective third-party providers before making a selection and entering into a contract, the bulletin goes on to indicate that a bank should not rely merely on previous experience with or knowledge of the provider. Even banks that have extensive direct and practical experience with a vendor will now need to place that knowledge within the rubric of "an objective, in-depth assessment of the third party's ability to perform the activity" safely and soundly and in compliance with law. As part of its diligence, a bank should ensure that, among other things, the third party:
- has effective risk-management and compliance programmes;
- has the necessary licences and expertise for the activity;
- is financially stable; and
- has a fee and incentive structure and subcontractor relationships that will not cause the vendor to take undue risks.
A bank should also ensure that the third party conducts periodic background checks on its senior management and employees, as well as subcontractors with access to critical systems or confidential information.
The bulletin addresses a number of topics that are suggested or required for inclusion in third-party provider contracts. Institutions that fail to address adequately any of the listed contract topics are likely to be asked to justify the omission. For example, the bulletin indicates that a third party should be required to notify the bank promptly of material issues and to retain records sufficient to enable the bank to monitor performance and legal compliance. The bulletin emphasises the need for audit rights in addition to other oversight provisions, including the direction to "[r]eserve the bank's right to conduct its own audits of the third party's activities or to engage an independent party to perform such audits". This directive is certain to engender some difficult discussions with larger providers of common platforms used by dozens, even hundreds, of banks.
The contract should also address IP rights and compliance with specific laws relevant to the relationship, and should provide for OCC supervision, as well as the right to terminate at OCC direction. National banks should carefully consider what indemnity provisions or limits on liability are appropriate for the specific relationship contemplated. The contract should address the extent to which the third party will be liable for the actions of its subcontractors, and the bank should reserve the right to terminate the contract if the third party's subcontracting arrangements do not comply with the terms of the contract. The contract should not include burdensome upfront fees or other incentives that might lead to inappropriate risk taking. The bulletin also indicates that third-party contracts should be approved by the bank's board when critical activities are involved – a suggestion that may require process changes at many institutions, particularly if the bulletin is read to require board approval of such agreements, even if they are not otherwise material.
A bank should dedicate sufficient staff to oversee and monitor third parties on an ongoing basis. In particular, a bank should assess a third party's controls, its ability to meet service-level agreements and performance metrics, its legal and regulatory compliance, and trends in consumer-complaint volume and resolution. National banks should receive regular reports from their third-party providers, and regular onsite visits may also be appropriate.
After a default or termination, a bank should have a contingency plan to transition functions in-house or to another provider. The contingency plan should cover:
- capabilities, resources and timeframe for transition;
- risks associated with data retention and destruction, information system connections and access control issues;
- how joint intellectual property will be handled; and
- reputation risks, if the termination results from the third party's failure to meet expectations.
The bulletin also recommends that a bank's board of directors, senior management and bank employees that directly manage third-party relationships focus on three key areas throughout the relationship.
Oversight and accountability
The bank should have clear roles for the board of directors, senior management and employees that directly manage third-party relationships:
- The board should ensure that effective risk-management processes are in place and review and approve relevant policies and processes, as well as contracts related to critical activities.
- Senior management should implement risk-management processes, ensure appropriate monitoring, due diligence and documentation of third-party relationships, hold accountable employees managing third-party relationships and terminate agreements that no longer align with the bank's strategies or where the vendor is not meeting expectations.
- Employees should conduct due diligence and ongoing monitoring of third parties, ensure compliance, address or escalate issues, keep third parties informed of bank operational issues, maintain appropriate documentation and recommend termination where appropriate.
Documentation and reporting
A bank should retain documentation of its third-party risk-management process and its arrangements with third parties. The bank should receive regular risk-management and performance reports from third parties. Senior management should provide regular reports to the board on its ongoing monitoring and the results of independent reviews.
Independent reviews
A bank's internal auditor or an independent third party should conduct reviews of the bank's risk-management processes. Among other things, these reviews should assess whether:
- a third-party relationship is still aligned with the bank's overall strategy;
- the bank's processes adequately identify, monitor and report risks;
- the bank adequately responds to material issues, such as breaches or service disruptions;
- multiple disciplines are involved in risk management where needed (eg, human resources, physical security, legal);
- there are clearly defined roles and responsibilities;
- there are any conflicts of interest in the selection and oversight of third-party relationships; and
- concentration risks are managed.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.