Third-party relationships between banks and other entities – such as payment processors, affiliates, consultants, security providers, and joint ventures, among others – are the subject of recent guidance issued by the Office of the Comptroller of the Currency.
As banks “continue to increase the number and complexity of relationships with both foreign and domestic third parties,” the OCC expressed concern that “the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”
With this in mind, the agency released bulletin 2013-29, updating its advice to banks with a “life cycle” approach, setting forth the necessary risk management during each stage of a relationship with a third party, from planning and due diligence to ongoing monitoring to termination. Given the variety and range of potential relationships – with some more risky than others – the bulletin recommended that financial institutions take a risk-based approach, depending upon the relationship at issue. Certain “critical activities” (such as significant bank functions) that pose greater risks would therefore be subject to heightened standards, such as board approval of the relationship and involvement in the negotiation and monitoring.
Management of risk begins at the inception of a third-party relationship, the OCC said, with planning. Even before the relationship commences, senior management should assess the risks and complexity of the activity at issue, conduct a cost-benefit analysis of the relationship, and assess the potential impact on employees, customers, and strategic initiatives. For example, the financial institution’s plan should evaluate the laws and regulations that might apply to the outsourced activities (e.g., the Bank Secrecy Act) and the necessary compliance. A contingency plan for an alternative third party should also be included.
The next steps in the life cycle are due diligence and selection of the third party. The bulletin noted that banks should not rely on prior experience or knowledge of the third party in lieu of an “objective, in-depth assessment of the third party’s ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.”
Specifically, due diligence – which should be commensurate with the level of risk and complexity presented by the relationship – should consider the third party’s overall business strategy and goals to ensure alignment with the bank’s interests, evaluate the entity’s legal and regulatory compliance, assess the financial condition of the third party (including growth, earnings, pending litigation, and audited financial statements), and review the third party’s business experience and reputation, including reference checks with external organizations and agencies as well as the company’s website and marketing materials.
Other considerations include the third party’s fee structure and incentives; the qualifications, backgrounds, and reputations of company principals; insurance coverage (as well as incident-reporting and management programs); and overall risk management. Senior management should review the due diligence to make a decision about whether to proceed with the third-party relationship.
Once the decision has been made to move forward with a third party, the bank enters the third stage: contract negotiation. The bulletin advises financial institutions that the document should clearly specify “the rights and responsibilities of each party,” with board approval for relationships involving critical activities. Topics to be addressed in the contract include a defined nature and scope of the arrangement between the parties (including ancillary services such as technology support and maintenance or employee training, the OCC noted) and performance measures or benchmarks, although care should be used so as not to incentivize undesirable performance (e.g., encouraging process volume or speed without ensuring accuracy).
The bulletin set forth a list of responsibilities for providing, receiving, and retaining information that should be enumerated in the contract, suggesting that the parties specify the frequency and type of reports as well as details about the thresholds for notification before making significant changes to the contracted activities or notice of financial difficulty or catastrophic events.
Contracts should also delineate issues such as OCC supervision, the right to audit and require remediation, and compliance with applicable laws and regulations (e.g., the Gramm-Leach-Bliley Act), ensuring that the bank has the power to conduct compliance reviews of the third party.
The next phase of the relationship is ongoing monitoring. This requires dedicated staff to oversee the third party in line with the level of risk and complexity of the relationship. Regular on-site visits may be useful, the OCC suggested, as well as performance reports, audit reports, and control testing. Because relationships change over time, the bank should be prepared to respond to changes with the third party (e.g., shifts in financial condition or a revised business strategy).
The final phase of the life cycle is termination of the relationship. Efficiency is key when terminating the relationship, the OCC said, and in the event of a contract default, the bank should have a plan in place covering the necessary capabilities, resources, and time frame to transition the activity, how to handle joint intellectual property that may have been developed during the course of the relationship, and any reputational risks to the bank if the termination involves the third party’s inability to meet expectations.
The bulletin also offered guidance on oversight and accountability, with a breakdown of responsibilities from the board of directors to senior management to employees. The agency also noted the need for documentation and reporting, periodic independent reviews, and supervisory reviews.
“A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organization structure of the bank may be an unsafe and unsound banking practice,” the OCC emphasized.
Why it matters: With two bulletins addressing the oversight of third-party relationships in recent months (in addition to 2013-29, the OCC released 2013-33 on the use of independent consultants for enforcement actions), financial institutions are on notice that the agency is keeping a close eye on risk management relating to third parties. Both bulletins note that the failure to adopt the OCC’s recommendations could result in enforcement actions or a downgrade in rating. As the agency cautioned in 2013-29, “[a] bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.” In light of this focus, financial institutions should review their policies and procedures with regard to management and oversight of third-party relationships.