OCC Addresses Long-Standing Questions on Vendor Management Programs

The Office of the Comptroller of the Currency (OCC) recently issued supplemental guidance (Bulletin 2017-21) on third-party risk management. Responding to questions raised by banks and federal savings associations since the release of the OCC’s Bulletin 2013-29 on vendor management issues, the OCC provided additional insight on topics in the 2013 Bulletin and the application of certain vendor oversight principles to recent developments. Notably, in the four years since the OCC’s 2013 guidance, the relationship between banks and financial technology (fintech) start-ups has matured, and more banks than ever are partnering with fintech companies to offer competitive digital products and services. As a result, the OCC specifically addressed third-party relationships with fintech companies in its supplemental guidance. Highlights of the new guidance include:

Third-Party Relationships: Business arrangements that fall under the OCC’s definition of a third-party relationship are subject to the OCC’s expectations for vendor management. The OCC defines third-party relationships broadly. Any business arrangement between a bank and another entity may qualify as a third-party relationship, including arrangements with providers of services and products, consultants, and any relationship in which the bank maintains responsibility for the associated business records.

While relationships with fintech firms are often achieved through joint ventures and other forms of partially or fully owned affiliates, the OCC has made clear that if a fintech company performs services or delivers products on behalf of a bank or banks, the relationship meets the definition of a third-party relationship. As a result, the OCC expects bank management to include fintech companies in the bank’s third-party risk management process.

Due Diligence for Third-Party Relationships: Banks are expected to maintain robust third-party risk management programs. These programs should include detailed due diligence efforts for new and ongoing relationships. OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during the due diligence stage of the life cycle, before the banks select or enter into contracts or relationships with those third parties. However, fintech companies and start-ups often have limited financial information available. Recognizing that the economic and time pressures of the modern business environment may mean that certain information is unavailable, the OCC addressed how banks should fill the void. When a bank is unable to obtain all the detailed information it desires, the bank should retain documentation of its efforts to obtain that information and of the related decisions. The bank should consider a company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party’s overall financial stability. These factors should be monitored throughout the life cycle of the third-party relationship.

The bank should also maintain contingency plans, establish risk mitigation controls, and anticipate service interruptions. For example, vendors could be required to provide multiple lines of communication, back-up servers in multiple locations, and power generators to ensure continued operations.

Saving Money on Vendor Management: The OCC is aware that banks are interested in finding opportunities to reduce vendor management costs. Thus, the guidance acknowledges that not every third-party relationship will be a critical relationship carrying an equal level of risk. A bank’s relationship with a fintech company may or may not involve critical bank activities. OCC Bulletin 2013-29 provides criteria that a bank’s board and management may use to determine which activities are critical. The bank’s board and management must identify the critical activities of the bank and the corresponding fintech relationships that involve those critical activities.

Under OCC Bulletin 2013-29, critical activities can include significant bank functions, significant shared services, or other activities that:

  • Could cause the bank to face significant risk if a third party fails to meet expectations;
  • Could have significant bank customer impact;
  • Require significant investment in resources to implement third-party relationships and manage risks; or
  • Could have major impact on bank operations if the bank has to find an alternative third party or if the outsourced activities have to be brought in-house.

If a bank determines that a third-party relationship involves a critical activity, the OCC expects the bank to more comprehensively and rigorously manage those relationships. Accordingly, a vendor management program should be tailored to provide oversight commensurate with the vendor’s risk level. While critical vendors should receive the highest level of oversight, vendors with lower risk levels may be subject to certain streamlined processes. Regardless of the level of risk, however, the OCC expects banks to periodically reevaluate the level of risk and to perform ongoing due diligence on all vendors.

Sharing the Burden of Vendor Oversight: When multiple banks use the same third-party providers, collaboration allows those banks to share the burden of due diligence and ongoing monitoring programs. Common functions such as information security, privacy, and business recovery assessments are good candidates for such collaborative tools. The OCC does not prohibit this collaboration, but warns that it may not be used to meet all oversight responsibilities. This is because each vendor poses a different risk level to each bank, depending on that bank’s level of reliance on the vendor. The OCC stresses that individual banks retain individual responsibility for issues such as monitoring legal and regulatory compliance, termination plans, and risk assessments.