The ongoing regulatory response to the 2008 financial crisis includes the Office of the Comptroller of the Currency (OCC) Risk Management Guidance on third-party relationships, issued in October 2013. The bulletin states that the OCC expects a bank to practice effective risk management regardless of whether the bank performs an activity internally or through a third party.
“A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
In a recent speech before the Risk Management Association, Thomas J. Curry, Comptroller of the Currency, emphasized the importance of managing the risks “associated with bank systems and processes,” ranking them even above credit risk. He noted banks’ “increasing reliance on third parties” and the systemic risk that reliance creates.
The OCC has only limited authority under the Bank Service Company Act to regulate service companies directly, and Curry characterized that authority as a supplement to banks’ own risk management efforts.
Although the OCC places responsibility for managing third-party risk directly on national banks and Federal savings associations, third-party service providers should be fully aware of the issues as well (see our blog post on cash auditing and compliance for one discussion of this).
The increasingly interconnected parts of the financial system inevitably create new sources of risk for both banks and their service providers. The OCC bulletin expresses concern that banks’ risk management of third parties is “not keeping pace with the level of risk and complexity of these relationships.”
Third-party vendors have a strategic interest in collaborating with banks to create transparent, shared risk management systems, and also in internalizing the process to mitigate their own risks. The OCC bulletin gives an extensive description of the components of that process, which will be useful to both banks and their third-party vendors.
The Risk Management Life Cycle
The OCC approach charges banks with creating a risk management process commensurate with the level of risk, including “comprehensive risk management and oversight” of critical activities (such as payments, clearing, settlements, and custody) performed by third parties. The lengthy bulletin describes a life cycle that includes:
- Plans that describe the bank’s strategy for an activity, the risks inherent in that activity, and how the bank assesses and selects a third party.
- Proper due diligence in selecting a third party.
- Written contracts that define the responsibilities of all parties.
- Ongoing monitoring of the third party’s performance.
- Contingency plans for terminating the relationship with a third party.
- Well-defined roles for managing the third-party relationship and the associated risk management activities.
- Documentation and reporting that support the process, including accountability.
- Independent reviews that give bank management an objective basis for determining whether the process is strategically sound and effective in managing risk.
These activities are performed as a routine throughout the life of the relationship. In particular, oversight and accountability, documentation and reporting, and independent reviews are conducted on a regular, periodic basis, as shown in the Risk Management Life Cycle diagram. Feedback from these activities is used to modify the plan or its implementation as needed.
The process described in the OCC bulletin is complex, but it is very useful for managers responsible for risk management in interconnected systems.
Clearly, the OCC and other regulators will continue to monitor banks and their third-party vendors on this issue.