This post was written by Timothy J. Nagle.
Yesterday, the Office of the Comptroller of the Currency issued OCC Bulletin 2013-29 on Third-Party Relationships. The document rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, both of which had served as the basis for supplier management practices and inspections for many years. It is much more expansive than CFPB Bulletin 2012-03 (“Service Providers”), but the two should be read as complementary. With this new Bulletin, the OCC maintains the core elements of its guidance regarding the processes and risk-management principles by which banks contract with and supervise third parties, including merchant payment processing services, joint ventures, and services provided by affiliates or subsidiaries. However, the tone, level of prescription, and escalation of responsibility to the Board of Directors suggest a more active role by regulators.
As with prior guidance, this Bulletin describes an effective risk-management process and life cycle, specifies appropriate contract terms, and allocates oversight and accountability within the financial institution. But there are new requirements and admonitions, highlighted by the statement in the discussion of supervisory review of third-party relationships that a bank’s failure to have an effective third-party risk management process “…may be an unsafe and unsound banking practice.” Compliance and audit executives, start your engines. To ensure they don’t feel left out, the Bulletin has a special note for the boards and management of Community Banks, advising them to be certain that the bank has risk-management practices in place to manage the risks presented by the use of vendors for critical activities. This focus on third-party relationships that involve critical activities continues with the requirement that the board of directors approve the plan for managing the vendor and the negotiated contract with the third party.
Other items of interest in the guidance include the note that supervised banks that provide services to other supervised banks will be held to the standards described in the Bulletin, and an expectation that a bank will conduct a due diligence examination (possibly including a site visit) before entering into a contract. This review will include a business experience and reputation evaluation, part of which is a reference check with industry organizations, the Better Business Bureau, the Federal Trade Commission, state attorneys general and consumer affairs offices, SEC filings, and similar foreign authorities. The third party will be required to conduct periodic background checks on its senior management and employees, and to have adequate succession plans and employee training programs to ensure compliance with policies and procedures. The Bulletin goes into great detail regarding appropriate contract provisions, such as the right to audit and to require remediation, compliance with a broad range of laws and regulations, and whether the contract contains fees or incentives that could present undue risk to either party. It contemplates joint exercise of disaster recovery and incident management plans “involving unauthorized intrusions or other breaches in confidentiality and integrity.” As stated previously, senior management should obtain board approval of any contract involving critical activities. Finally, the default and termination provisions of the contract with a third party must allow the bank to terminate “in the event that the OCC formally directs the bank to terminate the relationship.”
With the issuance of this Bulletin, any financial institution that is regulated by the OCC will have to review its vendor management and third-party relationship processes, standard contract provisions, and senior management and board oversight responsibilities (including the possibility of appointing a senior manager to provide oversight of a third party involving critical activities). The Bulletin reflects a renewed focus by the OCC on joint ventures and other third-party relationships outside of the standard service provider context, risks of offshoring services, and the need for closer and ongoing management of third parties that support critical functions. It also emphasizes consideration of “concentration risk,” the impact on dual employees and assessment of the complexity of the arrangement. A bank should expect to be asked about “the robust analytical process” it uses to assess and manage third-party relationships during a supervisory review. Similarly, any third party that provides services to financial institutions regulated by the OCC, especially those involved in critical activities, should expect to be presented with more stringent and intrusive contract terms, and be prepared to undergo an audit by this regulator.