The OCC's new third-party risk management standards go well beyond its prior issuances.
On October 30, 2013, the Office of the Comptroller of the Currency (“OCC”) issued Bulletin 2013-29, “Third-Party Relationships.” The Bulletin’s enhanced guidance and new requirements address the growing volume and complexity of operational interconnectedness with third parties. Effective immediately, it applies to OCC-regulated entities, i.e., national banks and federal savings associations (“banks”).
The Bulletin builds on previous OCC issuances in four major ways. First, the Bulletin enhances prior risk management standards. As important examples, it addresses the risk of third parties’ reliance on subcontractors (i.e., fourth parties to the bank), and it adds resilience as an element of managing third-party risk.
Second, the Bulletin expands the covered range of “third-party relationships” beyond those addressed in prior OCC issuances. As a result, no third-party relationship remains categorically out of the Bulletin’s bounds.
Third, the Bulletin introduces the concept of third-party relationships that involve “critical activities.” It sets the expectation that banks will have more comprehensive and rigorous due diligence, management, and oversight of such relationships, including a substantial increase in board involvement.
Finally, the Bulletin explicitly establishes the overarching standard that a bank “should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.” This signals that the OCC will take a holistic approach to assessing banks’ risk management (in addition to applying specific standards) that will require banks to maintain a robust analytical process to identify, measure, monitor, and control the risks associated with third-party relationships. To underline the importance of meeting the overarching standard, the OCC warns that failure to adopt appropriate processes may be “an unsafe and unsound banking practice” resulting in matters requiring attention, enforcement actions, or an adverse impact on CAMELS ratings.
This Regulatory Brief provides key background information followed by our view of the Bulletin’s most significant highlights: (a) enhancing prior standards, (b) broadening the definition of third-party relationship, (c) establishing higher standards for third-party relationships involving “critical activities,” including an increase in board involvement, and (d) signalling the OCC’s holistic approach to assessing risk management. We also suggest how banks can adapt to the new third-party risk management requirements.