October 30, 2013
Office of the Comptroller of the Currency Releases Guidance on Third-Party Relationships
WASHINGTON — The Office of the Comptroller of the Currency today issued updated risk management guidance for national banks and federal savings associations related to third-party relationships.
“We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic,” said Comptroller of the Currency Thomas J. Curry. “This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”
Third-party relationships include business arrangements between the bank and another entity, by contract or otherwise. The use of third parties does not diminish the responsibility of the board and management to ensure the activity conforms to safe and sound banking practices and complies with applicable laws.
The guidance notes that banks face new or increased operational, compliance, reputation, strategic, and credit risks when engaging in third-party relationships. The OCC advises banks to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships, and expects more comprehensive oversight and management of third-party relationships that involve critical bank activities. To manage risks from third-party relationships, banks should:
- Develop a plan that outlines the bank’s strategy, identifies the inherent risks of the activity, and details how the bank will select, assess, and oversee the third party;
- Perform proper due diligence to identify risks and select a third-party provider;
- Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
- Conduct ongoing monitoring of the third party’s activities and performance;
- Execute a plan to terminate the relationship in a manner that allows the bank to transition the activities to another third party, bring the activities in-house, or discontinue the activities;
- Assign clear roles and responsibilities for overseeing and managing third-party relationships and the risk management process;
- Maintain proper documentation and reporting to facilitate oversight, accountability, monitoring, and risk management; and
- Conduct independent reviews of the risk management process to enable management to assess that the bank’s process aligns with its strategy and effectively manages risks from third-party relationships.
The guidance rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” and OCC Advisory Letter 2000-9, “Third-Party Risk.” This guidance supplements and should be used in conjunction with other previously issued guidance on third-party relationships as listed in appendix B.