The Office of the Comptroller of the Currency (OCC) is focused on the responsibility of financial institutions—national banks and Federal savings associations—to be responsible for the risk management of business operations whether they are performed internally or through third party vendors.
CIT companies are clearly included in this mandate.
The OCC recognizes that the growing interconnectedness of banks with third party cash management service providers has created new sources of risk due to gaps or inconsistencies of controls that can occur where distinct businesses interface. In everyday terms, this means there can be situations where “no one is in charge.”
Since the OCC is responsible for the security of the overall financial system, it is moving to make banks accountable for the gaps and inconsistencies between them and third party vendors that may pose risk to the system.
This creates specific kinds of difficulties for banks because they can be held accountable for the actions of organizations they do not own. Banks and their third party vendors, including CIT businesses, have different regulatory, standard practice, and incentive profiles, as well as different cultures and assumptions. It will take especially thorough due diligence to write contracts that lay out the important responsibilities and performance expectations for the different parties to get all the entities on the same page.
In these circumstances, monitoring performance takes on greater importance. There is a substantial possibility that unanticipated gaps or inconsistencies will emerge despite careful risk management planning. Banks have a strong incentive to measure performance and find irregularities as quickly as possible.
Measuring the Performance and Reporting of Third Party Vendors
For a number of reasons, internal audit reviews may prove to be inadequate in identifying failures on a timely basis. Banks may not understand CIT company procedures and controls, or even the business point of view that generated them. For example, a bank may focus a cash and coin audit only on its internal inventory. But replicating this procedure in a third party environment provides an opportunity for a CIT service provider that has several banks as customers to conceal variances and skim cash.
On-going cost pressures create incentives for third party vendors to seek efficiencies that may be risky. As a result of these pressures, banks may inadvertently enter into contracts that lead vendors to cut corners (e.g., in training or supervision) in order to maintain profits.
One of the most important reasons banks’ internal audits may fail is simply complacency. The audit process is arduous, and failures are fairly rare. It is human nature to come to rely on standard procedure when nothing has gone wrong before, and the rigor of the audit process can suffer.
Independent professional audit companies are not as subject to fatigue or complacency. They have a distinct advantage in that they see the bank-vendor relationship as a whole, without the unintended bias that immersion in a single bank’s culture can introduce. Further, independent auditors are more likely to understand both the bank’s and the vendor’s business requirements.
Any bank’s audit program has to support its business interests, while ensuring that it is in compliance with regulatory mandates. In the new world of banks’ outsourcing critical functions to third parties, the OCC mandate for banks to manage third party risk is more easily met when independent audits provide critical, objective information.
To read a more complete review of this issue, download our latest whitepaper: Banking Audit: A New World.