The Office of the Comptroller of the Currency recently produced a supplemental “Frequently Asked Questions” to Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance” which was originally issued October 30, 2013. This bulletin provides guidance to banks for the assessment of risks and more broadly, managing risks associated with third-party relationships. The FAQs stress the importance of a sound risk management program and how banks can operationalize their assessment of third-party risk.
The OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Neither a written contract nor monetary exchange is necessary to establish a business arrangement. All that is necessary is an agreement between the bank and the third party. Once a business arrangement has been established, a bank should adopt risk management processes commensurate with the level of risk and complexity of the third-party relationships. This will require a bank to measure the risk of each of its business arrangements, and plan accordingly.
The OCC requires an effective third-party risk management program that addresses the following:
Planning – develop a plan to manage the relationship. When critical activities are involved, this is required; Conducting a thorough due diligence review prior to signing a contract;
Contract Negotiation – develop a contract that clearly defines the expectations and responsibilities of the third party; review the enforceability, limitations of liability and provisions addressing disputes about performance;
Termination – develop a contingency plan in the event the third-party does not deliver. This analysis should consider the process to transition to another third-party, bring in-house, or discontinue the service altogether;
Oversight and Accountability – a third-party risk management program should be integrated with the broader enterprise risk management framework;
Independent Reviews – management reviews of the effectiveness of the risk management process allow for overall assessments of whether the process aligns with the bank’s business objectives and strategy.
Practically speaking, bank management is often limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would, despite the critical nature of the service being provided. This could be for any number of reasons, including the third-party does not allow the bank to negotiate changes to their standard contract, or as a matter of policy, they do not share their disaster recovery and business continuity plans, also more commonly, they do not respond to a bank’s due diligence questionnaire. In these circumstances, bank management still needs to take steps to manage the risks presented. Despite these limits in its ability, banks should perform a “sound analysis” to support the decision that the third-party is still the most appropriate provider available and maintain supporting documentation to demonstrate the analysis. The OCC Bulletin 2013-29 (October, 2013) outlines the following suggested attributes related to due diligence a bank should incorporate: strategies and goals, legal and regulatory compliance, financial condition, business experience and reputation, fee structures, personnel qualifications, internal risk management, information security, IT operational management, resilience, and incident reporting, physical security, HR management, reliance on sub-service providers, Insurance coverages, and conflicting contractual arrangements with other parties. Additional suggested attributes to be included in contracts is also outlined in the 2013-29 Bulletin.
The risk management function may sit in different places depending on the bank and how it structures its risk management function. There is no one-size fits all. Regardless of the structure, the various business lines within the bank can provide valuable input into the third-party risk management process. They may for example complete risk assessments as it pertains to their function, review the due diligence questionnaires received from third-party entities, and ultimately provide feedback on the adequacy of the controls over the third-party relationship.
The recent release of FAQ’s provides a significant amount of information for an organization and its journey toward managing third party risk. The complexity of the third-party relationship with a bank, the type of data handled, and overall risk presented, are just a few of attributes to be considered when evaluating the level of due diligence, and ongoing monitoring to be applied. For additional information and guidance on third party risk management, you can contact Octillo attorneys and risk professionals.
Our team includes nationally-recognized leaders in data breach response and cybersecurity and privacy law, as well as former federal regulators, former in-house counsels of international companies, tech entrepreneurs, business owners and public–company executives. Our lawyers and technology specialists help you grow your business and achieve strategic objectives, adapt to new technologies and regulations, identify and reduce risk, and manage the response to data breaches, cybersecurity incidents, privacy matters and other crises.
*Attorney Advertising: Prior Results Do Not Guarantee a Similar Outcome