On October 30, 2013, the OCC released new risk management guidance to assist national banks and federal savings associations (collectively, banks) in assessing and managing risks associated with their third party relationships. The guidance, contained in OCC Bulletin 2013-29 ("Third-Party Relationships; Risk Management Guidance"), is effective immediately and rescinds OCC Bulletin 2001-47 ("Third-Party Relationships; Risk Management Principles") and OCC Bulletin 2000-9 ("Third-Party Risk").
Although much of the rescinded guidance carried over into the new guidance, the new guidance echoes some of the findings we've seen coming out of examinations and enforcement actions in the last few years, as well as some of the recent testimony and speeches given by Comptroller Curry and Director Cordray reminding institutions that they are ultimately responsible for the acts of their third-party service providers. Banks, particularly smaller community banks, appear to be outsourcing more and more activities to third parties in response to increased pressure to raise capital and remain competitive in the marketplace. The concern expressed by the OCC in the new guidance is that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. While the guidance is directed to banks regulated by the OCC, other regulatory agencies have expressed similar concerns and published similar examination findings with respect to inadequate third-party oversight by their supervised institutions. As such, we would encourage all our bank clients to review the guidance and consider updating their third-party risk management programs accordingly.
The new guidance clarifies that the OCC expects more comprehensive and rigorous oversight and management of third party relationships that involve "critical activities", meaning activities that involve significant bank functions, significant shared services, or other activities that could pose significant risk to the bank's customers or significant operational, compliance, reputation, strategic or credit risk to the bank itself. The term "critical activities" was not explicitly defined in the prior guidance. The new definition provides some clarity that was previously missing from the guidance, which will hopefully help banks better determine which third parties require increased due diligence and oversight.
The traditional four pillars of an effective risk management process (namely, risk assessment, due diligence review, contract structuring and ongoing oversight) have also been expanded upon in a number of areas. The most extensive modifications appear to be with respect to the level of due diligence banks are expected to perform initially and throughout the course of the relationship with a third party. For example, the new guidance now states, among other things, that banks need to evaluate the third party's compliance program (including required licensing), risk management program, training and human resource management program, and information security program to ensure that the third party will be operating in compliance with law and in a manner that will not present increased risk to the bank. While the prior guidance alluded to some of these items, the new language is more specific and suggests that third parties will need to have documented programs, policies and procedures in place in each of these areas and be willing to share these documents with the bank in order for the bank to conduct a comprehensive due diligence review. The new guidance also adds a fifth pillar, termination, to the requirements of an effective risk management process. This new pillar requires institutions to have a contingency plan in place to ensure that the bank can transition the outsourced activities to another provider, bring them in-house, or discontinue the products or services if need be.
Finally, the new guidance reminds banks that, throughout the life cycle of each third party relationship, the bank's board of directors and staff are required to monitor and oversee the bank's third party activities, refresh due diligence reviews, maintain proper documentation and reporting to assess each third party relationship and identify risks, and conduct independent reviews of the bank's third-party risk management program commensurate with the level of risk and complexity associated with the bank's third party relationships.
Given that this bulletin was effective immediately, we strongly encourage you to revisit your third-party risk management programs, due diligence process, and service provider contracts and update them accordingly to incorporate the new requirements from the guidance. We routinely assist clients with their third-party risk management programs and service provider contracts. If you need assistance, please do not hesitate to contact your Lindquist & Vennum attorney.