On January 24, 2017, the Office of the Comptroller of the Currency (the “OCC”) issued examination procedures to supplement its 2013 guidance Third-Party Relationships: Risk Management Guidance. The examination procedures establish expanded procedures for OCC examiners to employ when assessing a national bank’s or federal savings association’s (collectively, “bank’s”) risk management of third-party relationships.
- The procedures reflect the OCC’s continued interest in and monitoring of banks’ third-party relationships.
- As expected, the procedures incorporate most if not all of the elements of the OCC’s existing third-party relationship guidance into its examiner objectives. In some places the procedures are more detailed than the guidance in specifying bank practices that examiners should look for in making their determinations, particularly with respect to third-party lenders, risk ranking of third-party relationships, and internal control systems. In addition, unlike the guidance, the procedures emphasize in several places the importance of determining whether a bank maintains a full inventory of its third-party relationships and has applied its risk management processes to them, thus suggesting that this aspect may have been found lacking during prior examinations.
- The OCC released the supplemental examination procedures four days after the White House released a Presidential Memorandum in which Reince Priebus, Chief of Staff, directed the heads of federal executive departments and agencies to cease issuing new regulations, subject to certain exceptions. The “regulatory freeze” applies to agency “guidance documents” as defined in Executive Order 13422. Executive Order 13422 defines “guidance document” as “an agency statement of general applicability and future effect, other than a regulatory action, that sets forth a policy on a statutory, regulatory, or technical issue or an interpretation of a statutory or regulatory issue.” 72 Fed. Reg. 2763 (Jan. 18, 2007). To the extent that the OCC’s guidance constitutes a “guidance document,” the expanded examination procedures may conflict with the Memorandum. However, due to the significant overlap between the guidance and the examination procedures, the practical effect of any withdrawal or nullification of the procedures would presumably be minimal.
Specifically, the procedures are designed to assist examiners to:
- Tailor the examination of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships;
- Assess the quantity of the bank’s risk associated with its third-party relationships; and
- Assess the quality of the bank’s risk management of third-party relationships involving critical activities and determine whether there is an effective risk management process throughout the life cycle of the third-party relationship.
Tailor the Examination
- Review information related to the bank’s third-party risk management process requiring follow-up by the examiner, such as the supervisory strategy and examination scope, or previous examination reports, enforcement actions and MRAs (Matters Requiring Attention);
- Discuss with bank management any material changes (actual or planned) in third-party relationships or the third-party risk management process;
- Obtain and review information related to all phases of the bank’s third-party risk management life cycle; and
- Review findings from other examination areas and identify issues relating to third-party risk management process, third-party relationships, or the products, processes, systems, and services supported by third parties.
Assess Quantity of Risk
- Whether the bank keeps a full inventory of third-party relationships and identifies the key due diligence factors affecting the risk and complexity of such relationships.
- Operational risk, compliance risk, reputation risk, and credit risk associated with the use of third parties, and due diligence and mitigating steps taken by the bank.
Assess Quality of Risk Management and Evaluate Life Cycle of Third-Party Relationships
- Whether the bank’s board has adopted effective policies that are consistent with safe and sound banking practices and are appropriate to the size, nature, and scope of the bank’s third-party relationships.
- Whether such policies establish oversight and accountability over third parties that involve critical activities and are appropriately communicated to persons with supervisory responsibility.
- Whether the bank has procedures, programs and practices in place to manage the risk of its third-party relationships.
- Whether the processes incorporate all phases of the risk management life cycle (i.e., planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination and contingency planning) for each third-party relationship, including maintaining and updating inventories and risk rankings of each such relationship.
- To determine bank personnel’s ability to supervise third-party relationships in a safe and sound manner, the OCC instructs examiners to review board, management and staff processes to determine whether the oversight and accountability requirements in the guidance are being implemented in an effective and satisfactory manner.
Control Systems
- The procedures introduce the term “control systems” for the mechanisms bank managers should use to measure performance, make decisions about risk, and assess the effectiveness of processes and personnel.
- The discussion of control systems in the procedures appears to clarify the OCC’s expectations as to how ongoing monitoring of third-party relationships should be structured.
Upon finishing the review, examiners must determine, document, and communicate their overall findings and conclusions in accordance with the OCC’s risk assessment system.
CFPB Third-Party Relationship Guidance
During the last quarter of 2016, the Consumer Financial Protection Bureau (the “Bureau”) also issued guidance regarding banks’ third-party relationships. On October 26, 2016, the Bureau reissued its guidance regarding the Bureau’s supervision of service providers providing services to supervised financial institutions: Compliance Bulletin and Policy Guidance; 2016-02, Service Providers. This reissued guidance, formerly titled CFPB Bulletin 2012-03, Service Providers, clarifies “that the depth and formality of a supervised entity’s risk management program may vary depending upon the service being performed . . . and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.”
On April 13, 2012, the Bureau issued CFPB Bulletin 2012-03 to advise large insured depository institutions and certain types of “nonbank” entities (e.g., a mortgage lender or mortgage servicer) about the Bureau’s expectations for oversight in connection with the use of service providers by such financial institutions. In CFPB Bulletin 2012-03, the Bureau put financial institutions on notice that the Bureau expects “supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships.” The Bureau further stated that “supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” including:
- “conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
- requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
- establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
- taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.”
The Bureau’s updated guidance maintains its expectation that a supervised financial institution must have a risk-management program in place for its service providers. However, the Bureau clarified that supervised banks and nonbanks have the flexibility to incorporate appropriate risk assessment in connection with establishing and administering such risk-management programs. Specifically, the Bureau stated that:
The Bureau expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed—its size, scope, complexity, importance and potential for consumer harm—and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable.
In our view, the Bureau’s reissued guidance providing a supervised entity with increased flexibility better aligns the Bureau’s expectations for service provider oversight with the risk-based standards adopted by the Office of the Comptroller of the Currency (e.g., “The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures.”); Federal Reserve Board (e.g., “A financial institution’s service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged.”); and Federal Deposit Insurance Corporation (e.g., “Management should . . . ensure that appropriate procedures are in place, taking into account the complexity and risk potential for each of its third-party relationships. The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.”). Nevertheless, entities regulated by multiple banking agencies will still need to navigate the subtle differences of the risk-based standards adopted by such agencies.