On October 30th, the OCC issued new guidance on third-party relationships and associated risk management (Bulletin). The Bulletin, OCC 2013-29, rescinded and replaced prior guidance on this subject (OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9) but specifically retained numerous other OCC and interagency issues on third-party relationships as listed in Appendix B to the Bulletin.
The Bulletin states that the OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of the relationship. It details the expected management of all aspects of third-party relationships and is more specific than prior guidance about the responsibility of a bank’s board of directors for overseeing the management processes. For example, the board must ensure an effective process is in place, approve the bank’s risk-based policies governing third-party management, review and approve plans for using third parties, approve contracts with third parties, review management’s ongoing monitoring of the relationships and hold accountable those employees who manage the relationships.
While the Bulletin focuses on third-party relationships that involve “critical activities,” a bank’s judgment of what is critical could be subject to second-guessing, particularly if the bank experiences difficulties with consumers or the examiner otherwise believes that the bank’s risk management process is weak. Also note that the OCC states that a bank’s failure to have an effective third-party risk management process may be an unsafe and unsound banking practice.
The Bulletin should be seen as a significant warning to the banking industry and third-party processors and other vendors. The Bulletin follows several high-profile enforcement actions against banks arising from third-party relationships and comes in the midst of 50 or more pending enforcement actions involving banks and their management of processors and their services to third-party processors. It seems safe to assume that third-party relationship management will be a significant focus of the OCC and other federal regulators in coming examinations. For the emerging payments industry, this likely will mean a heightened focus on a bank’s relationships with program managers and other third-party service providers and, for that reason, those service providers can expect their bank partners to heighten their demands and expectations.