The Latest OCC Guidance for Third-Party Risk Management and the Implications for Banks
- July 18, 2023
Raising awareness: The OCC's updated guidance for third-party risk management
In June of 2023, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) published guidance for banks and financial institutions on all stages of third-party risk management. The latest guidance provides principles that banking organizations can apply when designing and executing their own third-party risk management approaches. The published guidance rescinds the FRB's 2013 guidance, the FDIC's 2008 guidance and the OCC's 2013 guidance, along with FAQs from 2020.
The OCC's focus is for banks and financial institutions to ensure that their risk frameworks are commensurate with the organization's risk profile and complexity across all stages of the third-party lifecycle.
The OCC has identified that third-party relationships can include "outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures." This list isn't exhaustive but emphasizes the variety and potential complexity of an organization's third-party relationship options. A successful third-party risk management framework will consider a variety of risk domains, including strategic, reputational, compliance, operational and credit risk. Failure to consider these can lead to adverse impacts that disrupt operations, incur financial loss, result in regulatory fallout and cause reputational damage.
Today, it's more vital than ever that organizations identify and understand the scope and nature of all third-party relationships.
While significant benefits can be derived from third parties (including access to new technology, human capital, delivery channels, products, services and markets), engaging with third parties also reduces an organization's direct control, introducing new risks or increasing existing ones. As the complexity of third-party services grows, so do the organization's risks.
Emphasis on the third-party lifecycle
The OCC's guidance emphasizes implementing a comprehensive risk management framework. Policies, procedures, and processes must address all stages of the third-party lifecycle: planning, due diligence and selection, contract negotiation and onboarding, ongoing monitoring of the third party, and termination. Throughout the guidance, it's repeatedly stressed that oversight of third parties must vary based on the level of risk each relationship presents.
Effective third-party risk frameworks use a method appropriate and proportionate to the relationship's materiality.
For example, an organization wouldn't determine the inherent risk of a cloud services provider using the same assessment questionnaire used for a landscaper. The agency's guidance repeatedly reinforces that the risk framework and approach are commensurate with the bank's risk profile and complexity, as well as the criticality of the activity supported by the third party.
Regarding the third-party lifecycle, the following is essential to note:
- Outsourcing Strategy and Internal Risk Assessment: Clear definition of the organization's objectives for engaging a third party is an essential first step. This is followed by internal due diligence and risk assessment. The goal is to identify risks posed to the organization by engaging a third party for a specific need.
- Due Diligence and Third-Party Selection: Before engaging a third-party service provider, banks should conduct thorough due diligence to assess their financial stability, reputation, and ability to meet the bank's needs. Due diligence should include reviews of the third party's business practices, internal controls, information security and regulatory compliance. The OCC encourages banks to consider the third party's track record with similar engagements and the adequacy of their disaster recovery and business continuity plans.
- Contract Negotiation: The OCC advises banks to establish written contracts that clearly define both parties' rights, responsibilities and expectations. Contracts should address key elements such as performance metrics, data rights, confidentiality, subcontracting, termination clauses and dispute resolution. Banks should involve legal and subject matter experts during the negotiation process to make sure contracts adequately address the bank's risk concerns.
- Ongoing Monitoring and Oversight: Banks must implement a robust system for continuous monitoring and oversight of third-party relationships. This includes monitoring the third party's performance, financial condition and compliance with contractual obligations. Regular communications and site visits can provide insight into the third party's operations and help identify any emerging risks. Banks should also establish mechanisms to promptly address and resolve any issues or deficiencies identified during the monitoring process.
- Termination and Off-Boarding: The OCC guidance underscores the need for banks to establish contingency plans for ending and transitioning away from third-party relationships. Banks should identify alternative service providers or develop internal capabilities to provide seamless operations in the event of termination. Termination clauses should be clearly defined in contracts, addressing notice periods, data transfers and the return or destruction of sensitive information.
Third parties undertake critical activities, and the OCC guidance defines what is pertinent in a bank's third-party risk management framework.
The OCC guidance doesn't explicitly use the term "critical third parties." However, the guidance emphasizes the need for banks to assess and manage risks associated with all third-party relationships, particularly those involving critical activities.
In the context of third-party risk management, critical activities are those performed by service providers or vendors that significantly impact the bank's operations, customers, financial stability or regulatory compliance. These may include service providers supporting payment processing, data hosting, cybersecurity or other key operational activities. Although it is a common correlation, not every third party providing critical activities is necessarily a critical third party.
The OCC's guidance focuses on illustrative, risk-based characteristics of activities. Critical activities are typically defined during the Outsourcing Strategy and Internal Risk Assessment phase of the third-party lifecycle, although these activities may change based on market conditions, technology upgrades or organizational restructuring.
Effectively managing third-party relationships is essential for banks and financial institutions to mitigate risks associated with outsourcing activities. The OCC's principle-based guidance provides direction and scope for banks to develop a robust third-party risk management framework. By adhering to these guidelines, banks can enhance their ability to assess, monitor and mitigate risks arising from third-party relationships, ensuring the safety and soundness of their operations in an increasingly interconnected business landscape.
In summary, the final interagency guidance:
- Promotes consistency in the agencies' supervisory approach to third-party risk management
- Outlines the third-party risk management lifecycle and identifies risk management principles applicable to each stage of the life cycle
- Clarifies that not all third-party relationships present the same level of risk or criticality to a bank's operations
- Describes sound risk management principles to consider when developing and implementing third-party risk management practices commensurate with the bank's risk profile and complexity, as well as the criticality of the activity supported by the third party
At NTT DATA, we know the challenges banking organizations face in Third-Party Risk Management. We have experience resolving third-party regulatory issues, implementing new technologies in support of third-party risk management and supporting third-party assessments. Our experience can work for you.