The OCC has issued updated third-party risk management guidance for banks. The October 30 guidance offers advice on assessing and managing third-party risk.
In the accompanying press release, Comptroller of the Currency Thomas J. Curry said that the OCC is concerned about “the quality of risk management on the growing volume, diversity and complexity” of third-party relationships. According to Curry, the guidance “provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”
Both the press release and the guidance offer the common-sense warnings that all of a bank’s risks – operational, compliance, reputation, strategic and credit – increase whenever it engages in third-party relationships, and that third-party contracts do not decrease the bank’s responsibility for quality assurance or legal compliance.
With those essentially self-evident caveats issued, the guidance lays out its main point: “a bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.”
The guidance itself offers a “risk management life cycle” consisting of five stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. Throughout this life cycle, the OCC says that banks should focus on three areas: oversight and accountability, documentation and reporting, and independent reviews.
The guidance then provides an outline for each of the five life cycle stages, highlighting areas of concern and offering suggestions on what to keep in mind in each phase. It then summarizes the approach to oversight and accountability, documentation and reporting, and independent reviews.
Concluding with a section on supervisory reviews of third-party relationships, the guidance says that the OCC expects “a robust analytical process to identify, measure, monitor, and control the risks associated with third-party relationships.” In the bulletin’s only use of italics, the OCC warns that a failure to have a risk management process “commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”