Regulators offer updated advice on risk management associated with third-party relationships
Banks need to keep close tabs on key outside vendors – and their boards must devise other ways to do so if such vendors aren’t forthcoming with necessary information, regulators have told the industry.
In a notice to CEOs and chief risk officers yesterday, the Office of the Comptroller of the Currency (OCC) offers updated advice on risk management associated with third-party relationships. The guidance comes at a time when financial services firms and other companies are feeling pressure to scrutinize outside service providers to ensure they have strong cyber-security measures in an attempt to limit their own exposure to potential attacks and liability.
Banks’ management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third-party service providers that support critical activities, officials write, though they add that the OCC realizes banks may not receive all the information they seek, particularly from new companies.
When a bank does not receive all the information it seeks about such firms, the OCC expects the bank’s board of directors and management to:
- Develop ‘appropriate alternative ways to analyze these critical third-party service providers’
- Establish risk-mitigating controls
- Be prepared to address interruptions in delivery. For example, use multiple payment systems, generators for power and multiple telecommunications lines in and out of critical sites
- Make risk-based decisions that these service providers are the best available to the bank despite the fact that the bank cannot acquire all the information it wants
- Retain appropriate documentation of all their efforts to obtain information and related decisions
- Ensure that contracts meet the bank’s needs.
Regarding which outside firms are covered by these requirements, officials note that many banks have recently developed ties with financial technology companies that involve performing services or delivering products to a bank’s customer base and therefore meet the definition of a third-party relationship.
DIFFERENT RISK LEVELS
The OCC notes that not all third-party relationships present the same level of risk and that the same relationship may present varying levels of risk across banks. That said, it expects banks to perform due diligence and monitoring for all third-party relationships.
‘Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk-management practices for each relationship,’ officials say. ‘The goal is for the bank’s risk-management practices for each relationship to be commensurate with the level of risk and complexity of the third-party relationship. This risk assessment should be periodically updated throughout the relationship.’
The board is responsible for overseeing the development of an effective third-party risk management process commensurate with the level of risk and complexity of the third-party relationships, and periodic board reporting is essential to ensure board responsibilities are fulfilled, according to the notice.
When engaging in marketplace lending activities, officials say, a bank’s board and management should:
- Understand the relationships between the bank, the marketplace lender and the borrowers
- Fully understand the legal, strategic, reputational, operational and other risks that these arrangements pose
- Evaluate the marketplace lender’s practices for compliance with applicable laws and regulations.
‘As with any third-party relationship, management at banks involved with marketplace lenders should ensure the risk exposure is consistent with their board’s strategic goals, risk appetite and safety and soundness objectives,’ the OCC says. ‘In addition, boards should adopt appropriate policies, inclusive of concentration limitations, before beginning business relationships with marketplace lenders.’
Among other things, officials assure banks that they may outsource some or all aspects of their compliance management systems to third parties, provided banks monitor and ensure that these third parties comply with current and subsequent changes to consumer laws and regulations.
‘Some banks outsource maintenance or monitoring or use third parties to automate data collection and management processes (for example, to file compliance reports under the Bank Secrecy Act or for mortgage loan application processing or disclosures),’ the guidance states. ‘The OCC expects all banks to develop and maintain an effective compliance management system and provide fair access to financial services, ensure fair treatment of customers, and comply with consumer protection laws and regulations.’