On October 30, 2013, the OCC published a broad update of its guidance regarding national banks and their third-party relationships. The guidance also applies to federal savings associations (“FSAs”) and extends coverage of various prior OCC releases to FSAs. In Bulletin 2013-29, the OCC maintains the central theme of its predecessor, Bulletin 2001-47 (now rescinded), published more than a decade ago, but updates the agency’s guidance on planning, diligence, contracting, monitoring, and reporting in order to address national banks’ and FSAs’ increased reliance on third parties to complete critical tasks, and the associated risks. (The 2013 Bulletin also expressly rescinds the OCC’s 2000 advisory letter on third-party risk (AL 2000-9).)
Specifically, the 2013 Bulletin adds the notion of a risk management lifecycle, a concept aimed at ensuring safety and soundness in the face of continual change and evolution of third-party service providers and the functions that they undertake on behalf of national banks and FSAs. This third-party risk management lifecycle includes termination, oversight, and an independent review process. In addition, the 2013 Bulletin cautions that when outsourced processes are moved back in-house, or cancelled, institutions must consider the transitional impact on the safety and soundness of their operations. Institutions must set out clear management responsibilities and ensure that those responsibilities are being met. And institutions must maintain an independent review process in order to assess the third-party risks associated with their vendor relationships and whether their risk management process is adequate to maintain vendor relationships in a sound manner.
The 2013 Bulletin supplements prior OCC and other agency guidance on third-party relationships, which we have discussed in previous PLA posts, including the following: