OCC Issues Updated Risk Management Guidance on Third-Party Relationships

The Office of the Comptroller of the Currency (“OCC”) has revised its risk management guidance on third-party relationships, advising banks to adopt risk management processes that provide more comprehensive oversight and management of third-party relationships involving critical bank activities. The guidance only applies to national banks and federal savings associations; however, state chartered banks are subject to guidance issued by the Federal Deposit Insurance Corporation (“FDIC”) on this topic, and credit unions are subject to guidance issued by the National Credit Union Administration (“NCUA”) on this topic.

As banks continue to increase not only the number, but also the complexity of their relationships with both foreign and domestic third parties, the OCC is concerned that the quality of risk management may not be keeping pace with those changes. The updated guidance states that banks should adopt risk management processes that are proportionate with the level of risk and complexity of third-party relationships and that ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

To manage risks associated with third-party relationships, the OCC advises banks to:

• Develop plans that outline the bank’s strategy, identify inherent risks of the activity and detail how the bank will select, assess and oversee the third party;
• Perform proper due diligence when selecting a third-party provider, which includes, but is not limited to, reviewing and evaluating the third party’s overall business strategy, legal and regulatory compliance program, depth of resources, previous experience and risk management program;
• Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
• Conduct ongoing monitoring of the third party’s activities and performance;
• Execute a plan to terminate the relationship in a manner that allows the bank to transition the activities to another third party, bring the activities in-house or discontinue the activities;
• Assign clear roles and responsibilities for overseeing and managing the third-party relationship and risk management process;
• Maintain proper documentation and reporting to facilitate oversight, accountability, monitoring and risk management; and
• Conduct independent reviews of the risk management process to enable management to assess that the bank’s process aligns with its strategy and effectively manages risks.

As a result of this guidance, the OCC has rescinded its previous Bulletin 2001-47 entitled “Third-Party Relationships: Risk Management Principles” and Advisory Letter 2000-9 entitled “Third-Party Risk.”

The complete guidance can be found on the OCC’s website at http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html. Guidance by the FDIC on this topic can be found at http://www.fdic.gov/news/news/financial/2008/fil08044a.html, and guidance by the NCUA can be found at http://www.ncua.gov/Resources/Documents/LCU2007-13ENC.pdf.

If you have any questions regarding the updated guidance or how to manage the risks associated with third-party relationships, please feel free to contact Joseph D. Simon at 516-357-3710 or via email at jsimon@cullenanddykman.com, or Elizabeth A. Murphy at 516-296-9154 or via email at emurphy@cullenanddykman.com.