OCC Releases New Third Party Guidance
On October 30, 2013, the OCC published a broad update of its guidance regarding national banks and their third-party relationships. The guidance also applies to federal savings associations ("FSAs") as well as extending coverage of various prior OCC releases to FSAs. In Bulletin 2013-29, the OCC maintains the central theme of its predecessor, Bulletin 2001-47 (now rescinded), published more than a decade ago, but updates the agency's guidance on planning, diligence, contracting, monitoring, and reporting in order to address increased reliance by national banks and FSAs on third parties to complete critical tasks and associated risks. (The 2013 Bulletin also expressly rescinds the OCC's 2000 advisory letter on third party risk (AL 2000-9)).
Specifically, the 2013 Bulletin adds the notion of a risk management lifecycle, a concept aimed at ensuring safety and soundness in the face of continual change and evolution of third-party service providers and the functions that they undertake on behalf of national banks and FSAs. Such third-party risk management lifecycle includes termination, oversight, and an independent review process. In addition, the 2013 Bulletin cautions that when outsourced processes are moved back in-house, or cancelled, institutions must consider the transitional impact to the safety and soundness of their operations. Institutions must set out clear management responsibilities and ensure that those responsibilities are being met. And institutions must maintain an independent review process in order to assess the third-party risks associated with their vendor relationships and whether their risk management process is adequate in maintaining vendor relationships in a sound manner.
CONTENTS OF REGULATORY GUIDANCE ON THIRD PARTY RELATIONSHIPS (2001 - 2013)
| OCC Oct. 2013 Guidance | FDIC June 2008 Guidance | OCC Nov. 2001 Guidance | |
| Third Party Risk Factors |
✓ |
✓ |
✓ |
| Planning/Assessment |
✓ |
✓ |
✓ |
| Due Diligence/Structuring |
✓ |
✓ |
✓ |
| Contract Issues |
✓ |
✓ |
✓ |
| Monitoring |
✓ |
✓ |
✓ |
| Documentation/Reporting |
✓ |
✓ |
✓ |
| Termination¹ |
✓ |
— |
— |
| Oversight Accountability² |
✓ |
— |
— |
| Independent Reviews³ |
✓ |
— |
— |
The 2013 Bulletin supplements prior OCC and other agency guidance on third-party relationships, which we have discussed in previous PLA posts, including the following:
FDIC Clarifies its Supervisory Approach to Payment Processor Relationships (Oct 2013)
FFIEC Releases New Booklet for the Supervision of Technology Service Providers (Nov 2012)
OCC Issues Guidance on the Mechanics of Third-Party Service Agreements for Prepaid Access Programs (Sept 2011)
¹ Focuses on efficient termination of third-party relationships and whether functions previously contracted out will be transitioned, internalized, or discontinued ² Guidance on responsibility of financial institution directors, management, and staff focusing on level specific oversight functions ³ Guidance on the process of reviewing third-party risk management processes throughout the relationship