November 2, 2001
OCC Guidance Cautions National Banks on Third Party Relationships
WASHINGTON — The Office of the Comptroller of the Currency (OCC) today issued guidance on managing the risks that arise when national banks have business relationships with third parties.
"National banks should be extremely cautious before entering into any third-party relationship in which the third party offers products or services through the bank with fees, interest rates, or other terms that cannot be offered by the third party directly," said Comptroller of the Currency John D. Hawke, Jr. "Such arrangements may constitute an abuse of the national bank charter."
The guidance notes that the OCC will scrutinize carefully any arrangement and may use its supervisory authority to examine the operations of third parties who act as service providers to national banks which are sought out to deliver potentially abusive, predatory, or unfair and deceptive products. The OCC will likely conduct regular examinations of both the bank and the third party to assess the risks associated with these activities.
The OCC recognizes that third-party relationships can offer banks a variety of legitimate and safe opportunities to improve financial performance. Through effective use of third-party relationships, banks can enhance product offerings, diversify assets and revenues, access superior expertise and industry best practices, devote scarce human resources to core businesses, facilitate operations restructuring, and reduce costs.
The guidance also states, however, that reliance on third-party relationships can significantly increase a bank's risk profile, notably strategic, reputation, compliance, and transaction risks. Increased risk most often arises from poor planning, oversight, and control on the part of the bank and inferior performance or service on the part of the third party. To control these risks, management and the board must exercise appropriate due diligence prior to entering the third-party relationship and effective oversight and controls afterward.
The OCC advises national bank management to adopt a risk management process that includes:
- A risk assessment to identify the bank's needs and requirements;
- Proper due diligence to identify and select a third-party provider;
- Written contracts that outline duties, obligations, and responsibilities of the parties involved; and
- Ongoing oversight of the third parties and third-party activities.
"A bank's use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner," said Comptroller Hawke. "Many third-party relationships should be subject to the same risk management, security, privacy, and other consumer protection policies that would be expected if a national bank were conducting the activities directly."
Mr. Hawke stated that "the value a bank will derive from its use of third-party business relationships is directly proportional to the quality of management's strategic planning, due diligence and ongoing oversight activities, and sensitivity to customer expectations and understandings with regard to the services and products offered by the third parties."
The new third-party guidance supplements, but does not replace, previous guidance on third-party risk.
Today's bulletin is available on the OCC Web site at www.occ.treas.gov.