Raising the Bar for Banks' Third Party Risk Management
On Jan 24, 2017, the US Office of the Comptroller of the Currency issued Supplemental Examination Procedures for Third Party Relationships. These examination procedures are intended to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. The supplemental procedures promote consistency when examining national banks and federal savings associations' (collectively, banks) risk management of third-party relationships. These procedures expand on the core assessment contained in the “Community Bank Supervision,” “Large Bank Supervision,” and “Federal Branches and Agencies Supervision” booklets of the Comptroller’s Handbook.
This document is more than just an update – it sets new, higher expectations for the banks the OCC regulates around the management of third party relationship risks. The previous OCC document on the topic, “Risk Management Guidance”, issued in 2013, took a more tactical approach, reflecting the way banks were approaching these relationships at the time.
In the new 2017 document, it’s clear the OCC expects banks to take a much more strategic approach to managing third party relationships and third party risk. It expects the financial institutions it supervises to:
- Have a third-party relationship strategy (and, within that, a risk management strategy) that applies to all of their relationships
- Use technology to supply a wide range of different kinds of business, risk, compliance, and control information to all relevant stakeholders involved with the third-party relationships - including independent reviewers and regulators
- Have an involved Board – a Board that sets third party strategy and monitors the success of that strategy. No longer is the Board meant to deal primarily with escalations and crises
- Embed understanding of different kinds of risks – including concentration risk and credit risk – directly within the third-party risk management strategy
- Understand that third party subcontractors must be monitored and reviewed at nearly the same level of scrutiny as the third parties themselves. These so-called “fourth parties” are now viewed as a significant potential source of risk
- Treat independent reviews of third party relationships as an essential “check and balance” - and resource these activities appropriately
- Ensure the talent that manages the third party relationships within the bank is adequately skilled, resourced, and empowered – but also that it’s incentivized in a risk-appropriate way.
This paper by Aravo provides detailed insight into the key expectations of the new guidance. It will help financial institutions understand the new focus as well as the nuances of some of the updates since the 2013 guidance.
Banks – whether or not they are regulated by the OCC – should review their own approach to third party risk in light of this new guidance, and begin to implement people, processes, and technology systems accordingly. It’s clear that regulators are broadening and deepening their understanding of the risks posed by third party relationships, and so financial institutions will need to as well.
Aravo has a specialist financial services third party management application, designed specifically to help firms meet the requirements of this OCC guidance and other applicable rules. Contact us for more information.