Third Party Risk Management

Find Out About The Combined OCC Guidance July 2021

Updated and Combined

OCC Proposed Guidance July 2021

Executive Summary

 

This document is an Executive Summary, it is not meant to replace a thorough reading and understanding of the proposed updated and consolidated Federal guidance as it applies to your financial institution.

Involved agencies; The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).

Federal Document Outline – page references refer to OCC document published on July 13, 2021.  Link to document at end of this summary.

I           Introduction (p 7)

II          Overview of Proposed Guidance on Third-Party Relationships (p 9)

III         Request for Comment (p 10)

IV         Text of Proposed Guidance on Third-Party Relationships (p 17)

  1. Summary (p 17)
  2. Background (p 19)
  3. Risk Management (p 20)
  1. Planning (p22)
  2. Due Diligence and Third-Party Selection (P 24)
  3. Contract Negotiation (p 33)
  4. Oversight and Accountability (p 45)
  5. Ongoing Monitoring (p 50)
  6. Termination (p 52)
  1. Supervisory Review of Third Parties (p 54)

V          OCC’s 2020 FAQs on Third-Party Relationships (p 56)

 

 

I              Introduction (p 7)

The use of third parties can offer banking organizations significant advantages, such as quicker and more efficient access to new technologies, human capital, delivery channels, products, services, and markets. To address these developments, many banking organizations, including smaller and less complex banking organizations, have adopted risk management practices commensurate with the level of risk and complexity of their third-party relationships.  Federal agencies seek to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management.  The proposed guidance is based on the OCC’s existing third-party risk management guidance from 2013 and includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies.

II             Overview of Proposed Guidance on Third-Party Relationships (p 9)

The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.  third-party risk management life cycle and principles applicable to each stage of the life cycle, including:

Developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party Having the board of directors and management oversee the banking organization’s risk management processes maintaining documentation and reporting for oversight accountability, and engaging in independent reviews
Performing proper due diligence in selecting a third party Negotiating written contracts that articulate the rights and responsibilities of all parties
Conducting ongoing monitoring of the third party’s activities and performance Developing contingency plans for terminating the relationship in an effective manner

 

III           Request for Comment, due by September 12, 2021 (p 10)

  1. General Comments (p 11)

The agencies invite comment on all aspects of the proposed guidance and the OCC’s 2020 FAQs

  1. Scope (p 11)

A third-party relationship is “any business arrangement between a banking organization and another entity, by contract or otherwise.” The term “business arrangement” is meant to be interpreted broadly to enable banking organizations to identify all third-party relationships for which the proposed guidance is relevant. Neither a written contract nor a monetary exchange is necessary to establish a business arrangement.

  1. Tailored Approach to Third-Party Risk Management (p 12)

This guidance offers a framework based on sound risk management principles that banking organizations may use in developing practices appropriate for all stages in the risk management life cycle of a third-party relationship based on the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. Banking organizations, including smaller and less complex banking organizations, should adopt risk management practices commensurate with the level of risk and complexity of their third-party relationships and the risk and complexity of the banking organization’s operations.

  1. Third-Party Relationships (p 13)

The agencies recognize the prevalence of the range of relationships between banking organizations and third parties These relationships could include partnerships, joint ventures, or other types of formal legal structures or informal arrangements

  1. Due Diligence and Collaborative Arrangements (p 14)

The proposed guidance notes that banking organizations may collaborate when they use the same third party, which can improve risk management and lower the costs among such banking organizations. Any collaborative activities among banks must comply with antitrust laws. Collaboration can also result in increased negotiating power and lower costs to banking organizations not only during contract negotiations but also for ongoing monitoring. Each banking organization, however, is ultimately accountable for managing the risks of its own third-party business arrangements

  1. Subcontractors/4th Parties (p 15)

Third-party business arrangements may involve subcontracting arrangements, which can create a chain of service providers for a banking organization. The absence of a direct relationship with a subcontractor can affect the banking organization’s ability to assess and control risks inherent in parts of the supply chain. In addition, the risks inherent in such a chain may be heightened when a banking organization uses third parties for critical activities.

  1. Information Security (p 16)

The proposed guidance provides that a banking organization should, commensurate with its risk profile and consistent with safety and soundness principles and applicable laws and regulations, assess the information security program of third parties, including identifying, assessing, and mitigating known and emerging threats and vulnerabilities

  1. OCC’s 2020 FAQs (p 17)

The agencies are seeking comment on the extent to which the concepts included in the OCC’s 2020 FAQs should be incorporated into the final version of the guidance.

IV           Text of Proposed Guidance on Third Party Relationships (p 17)

  1. Summary (p 17)

This guidance offers a framework based on sound risk management principles that banking organizations supervised by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) together, the agencies may use when assessing and managing risks associated with third-party relationships. A third-party relationship is any business arrangement between a banking organization and another entity, by contract or otherwise.  A third-party relationship may exist despite a lack of a contract or remuneration. Whether activities are performed internally or outsourced to a third party, a banking organization is responsible for ensuring that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations

  1. Background (p 19)

The agencies seek to promote consistent third-party risk management guidance, better address use of, and services provided by, third parties, and more clearly articulate risk-based principles on third-party relationship risk management

  1. Risk Management (p 20)

A banking organization’s third-party risk management program should be commensurate with its size, complexity, and risk profile as well as with the level of risk and number of the banking organization’s third-party relationships. Not all relationships present the same level of risk to a banking organization. As part of sound risk management, banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support “critical activities.”

 

 

Stages of the Risk Management Life Cycle

 

  1. Planning (p22)

Before entering into a third-party relationship, banking organizations evaluate the types and nature of risks in the relationship and develop a plan to manage the relationship and its related risks. Certain third parties, particularly those providing critical services, typically warrant significantly greater planning and consideration.

 

 

A banking organization typically considers the following factors in planning for a third-party relationship
Identifying and assessing the risks associated with the business arrangement and commensurate steps for appropriate risk management Considering the complexity of the business arrangement, such as the volume of activity, potential for subcontractor(s), the technology needed, and the likely degree of foreign based third-party activities Evaluating whether the potential financial benefits outweigh the estimated costs (including estimated direct contractual costs as well as indirect costs to augment/alter banking organization processes, systems, or staffing to properly manage the third-party relationship)
Understanding the strategic purpose of the business arrangement and how the arrangement aligns with a banking organization’s overall strategic goals, objectives, risk appetite, and broader corporate policies Considering how the third-party relationship could affect other strategic banking organization initiatives, such as large technology projects, organizational changes, mergers, acquisitions, or divestitures Evaluating how the third-party relationship could affect banking

organization to manage the impacts when the activities currently conducted internally are outsourced

Assessing the nature of customer interaction with the third party and potential impact on the banking organization’s customers—including access to or use of those customers’ confidential information, joint marketing or franchising arrangements, and handling of customer complaints—and identifying possible steps needed to manage these impacts Understanding potential information security implications including access to the banking organization’s systems and to its confidential information Describing how the banking organization will select, assess, and oversee the third party, including monitoring the third party’s compliance with contractual provisions
Determining the banking organization’s ability to provide adequate oversight and management of the proposed third-party relationship on an ongoing basis (including whether staffing levels and expertise, risk management and compliance management systems, organizational structure, policies and procedures, or internal control systems need to be adapted for the banking organization to effectively address the business arrangement) Outlining the banking organization’s contingency plans in the event the banking

organization needs to transition the activity to another third party or bring it in-house.

 

 

 

 

  1. Due Diligence and Third-Party Selection (P 24)

Conducting due diligence on third parties before selecting and entering into contracts or relationships is an important risk management activity. Relying solely on experience with or prior knowledge of a third party is not an adequate proxy. The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship. Due diligence will include assessing a third party’s ability to perform the activity as expected, adhere to a banking organization’s policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner.

A banking organization typically considers the following factors during due

diligence of a third party

Strategies and Goals Legal and Regulatory Compliance Financial Condition Business Experience
Fee Structure and Incentives Qualifications and Backgrounds of Company Principals Risk Management Information Security
Management of Information Systems Operational Resilience Incident Reporting and Management Programs Physical Security
Human Resource Management Reliance on Subcontractors Insurance Coverage Conflicting Contractual Arrangements with Other Parties

 

  1. Contract Negotiation (p 33)

Once a banking organization selects a third party, it negotiates a contract that clearly specifies the rights and responsibilities of each party to the contract. The banking organization seeks to add provisions to satisfy its needs. While third parties may initially offer a standard contract, banks may seek to request additional contract provisions or addendums upon request. In situations where it is difficult for a banking organization to negotiate contract terms, it is important for the banking organization to understand any resulting limitations, determine whether the contract can still meet the banking organization’s needs, and determine whether the contract would result in increased risk to the banking organization. The board (or a designated committee reporting to the board) should be aware of and approve contracts involving critical activities before their execution. Legal counsel review may be necessary for significant contracts prior to finalization. As part of sound risk management, a banking organization reviews existing contracts periodically, particularly those involving critical activities Where problems are identified, the banking organization should seek to renegotiate at the earliest opportunity

 

 

 

A banking organization typically considers the following factors, among others, during contract

negotiations with a third party

Nature and Scope of Arrangement Performance Measures or Benchmarks Responsibilities for Providing, Receiving, and Retaining Information (see following page for additional guidance) The Right to Audit and Require Remediation Responsibility for Compliance with Applicable Laws and Regulations
Cost and Compensation Ownership and License Confidentiality and Integrity Operational Resilience and Business Continuity Indemnification
Insurance Dispute Resolution Limits on Liability Default and Termination (see following page for additional guidance) Customer Complaints
Subcontracting Foreign-Based Third Parties Regulatory Supervision

 

 

 

 

Additional Guidance: Responsibilities for Providing, Receiving, and Retaining Information.

Confirm that the contract sufficiently addresses

ability of the institution to have unrestricted access to its data responsibilities and methods to address failures to adhere to the agreement banking organization’s materiality thresholds and the third party’s procedures for

immediately notifying the banking organization whenever service disruptions, security

breaches, compliance lapses, enforcement actions, regulatory proceedings, or other events

Notification to the banking organization before making significant changes to the contracted activities Notification to the banking organization of significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures ability for the banking organization to access native data and to authorize and allow

other third parties to access its data

ability of the third party to resell, assign, or permit access to the banking organization’s

data, metadata, and systems to other entities

Expectations for the third party to notify the banking organization of significant operational changes or when the third party experiences significant incident Specification of the type and frequency of management information reports to be received from the third party

 

Additional Guidance: Default and Termination

Confirm that the contract stipulates what constitutes default

Includes a provision that enables the banking organization to terminate the relationship in a timely manner without prohibitive expense Includes termination and notification provisions with reasonable time frames to allow the orderly conversion to another third party Provides for the timely return or destruction of the banking organization’s data and other

resources

Provides for ongoing monitoring of the third party after the contract terms are satisfied, as necessary Clearly assigns all costs and obligations associated with transition and termination

 

  1. Oversight and Accountability (p 45)

The banking organization’s board of directors (or a designated board committee) and management are responsible for overseeing the banking organization’s overall risk management processes. Banking organization management is responsible for implementing third-party risk management. An effective board oversees risk management implementation and holds management accountable. Effective management teams should establish responsibility and accountability for managing third parties commensurate with the level of risk and complexity of the relationship.

Board of Directors

In overseeing the management of risks associated with third-party relationships, Boards of

Directors (or Directors) typically consider the following factors

Confirming that risks related to third-party relationships are managed in a manner consistent with the banking organization’s strategic goals and risk appetite; Approving the banking organization’s policies that govern third-party risk management Approving, or delegating to, an appropriate committee reporting to the board, approval of contracts with third parties that involve critical activities
Reviewing the results of management’s ongoing monitoring of third-party relationships involving critical activities Confirming that management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring Reviewing results of periodic independent reviews of the banking organization’s third-party risk management process

 

Management

When executing and implementing third-party relationship risk management strategies and

policies, Management typically considers

Developing and implementing the banking organization’s third-party risk management process Confirming that appropriate due diligence and ongoing monitoring is conducted on third parties and presenting results to the board when making recommendations to use third parties that involve critical activities Reviewing and approving contracts with third parties
Providing appropriate organizational structures, management, and staffing (level and expertise) Confirming that third parties comply with the banking organization’s policies and

reporting requirements

Providing that third parties be notified of significant operational issues at the banking organization that may affect the third party
Confirming that the banking organization has an appropriate system of internal controls

and regularly tests the controls to manage risks associated with third-party relationships

Confirming that the banking organization’s compliance management system is

appropriate to the nature, size, complexity, and scope of its third-party business arrangements

Providing that third parties regularly test and implement agreed-upon remediation when

issues arise

Escalating significant issues to the board Terminating business arrangements with third parties that do not meet expectations or no longer align with the banking organization’s strategic goals, objectives, or risk appetite Maintaining appropriate documentation throughout the life cycle

 

Independent Reviews

Independent Reviews include assessing the

adequacy of the banking organization’s process for

Confirming third-party relationships align with the banking organization’s business strategy Identifying, measuring, monitoring, and controlling risks of third-party relationships Understanding and monitoring concentration risks that may arise from relying on a single third party for multiple activities or from geographic concentrations of business
Responding to material breaches, service disruptions, or other material issues Involving multiple disciplines across the banking organization as appropriate during each phase of the third-party risk management life cycle Confirming appropriate staffing and expertise to perform risk assessment, due diligence,

contract negotiation, and ongoing monitoring and management of third parties

Confirming oversight and accountability for managing third-party relationships (i.e. whether roles and responsibilities are clearly defined and assigned and whether the individuals possess the requisite expertise resources, and authority) Confirming that conflicts of interest or appearances of conflicts of interest do not exist when selecting or overseeing third parties

 

Documenting and Reporting

It is important that banking organization management properly document and report on its third party risk management process and specific business arrangements throughout their life cycle
A current inventory of all third-party relationships, which clearly identifies those relationships that involve critical activities and delineates the risks posed by those relationships across the banking organization Approved plans for the use of third-party relationships Risk assessments
Due diligence results, findings, and recommendations Analysis of costs associated with each activity or third-party relationship, including any indirect costs assumed by the banking organization Executed contracts
Regular risk management and performance reports required and received from the third party Reports from third parties of service disruptions, security breaches, or other events

 

  1. Ongoing Monitoring (p 50)

Ongoing monitoring is an essential component of third-party risk management, occurring throughout the duration of a third-party relationship. Ongoing monitoring occurs after the third-party relationship is established and often leverages processes similar to due diligence. Because both the level and types of risks may change over the lifetime of third-party relationships, banking organizations adapt their ongoing monitoring practices accordingly. As part of sound risk management, banking organizations dedicate sufficient staffing with the necessary expertise, authority, and accountability to perform ongoing monitoring

A banking organization typically considers the following factors, among others, for ongoing

monitoring of a third party

Evaluate the overall effectiveness of the third-party relationship and the consistency of the relationship Assess changes to the third party’s business strategy, legal risk, and its agreements with other entities that may pose conflicting interests, introduce risks, or impact the third party’s ability to meet contractual obligations Evaluate the third party’s financial condition and changes in the third party’s financial obligations
Review the adequacy of the third party’s insurance coverage Review relevant audits and other reports from the third party, and consider whether the results indicate an ability to meet contractual obligations and effectively manage risk Monitor for compliance with applicable legal and regulatory requirements
Assess the effect of any changes in key third party personnel involved in the relationship with the banking organization Monitor the third party’s reliance on, exposure to, performance of, and use of subcontractors Determine the adequacy of any training provided to employees of the banking organization and the third party
Review processes for adjusting policies, procedures, and controls in response to changing threats and new vulnerabilities and material breaches or other serious incidents Monitor the third party’s ability to maintain the confidentiality and integrity of the banking organization’s systems and information Review the third party’s business resumption contingency planning and testing and evaluate the third party’s ability to respond to and recover
Evaluate the volume, nature, and trends of consumer inquiries and complaints and assess the third party’s ability to appropriately address and remediate inquiries and complaints

 

 

 

 

  1. Termination (p 52)

A banking organization may terminate a relationship for various reasons specified in the contract When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued.

In planning for

termination, a banking organization typically considers the following factors, among others

Capabilities, resources, and the time frame required to transition the activity while still

managing legal, regulatory, customer, and other impacts that might arise

Potential third-party service providers to which the services could be transitioned; Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and

monitoring during and after the end of the third-party relationship

Handling of joint intellectual property developed during the course of the business arrangement Risks to the banking organization if the termination happens as a result of the third party’s inability to meet expectations

 

  1. Supervisory Review of Third Parties (p 54)

A banking organization’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the banking organization may be an unsafe or unsound practice.

When reviewing third party risk management, examiners typically
Assess the banking organization’s ability to oversee and manage its relationships; Highlight and discuss material risks and any deficiencies in the banking organization’s risk

management process with the board of directors and senior management;

Carefully review the banking organization’s plans for appropriate and sustainable remediation of such deficiencies, particularly those associated with the oversight of third parties that involve critical activities
Identify and report deficiencies in supervisory findings and reports of examination and

recommend appropriate supervisory actions. These actions may include issuing Matters Requiring Attention, issuing Matters Requiring Board Attention, and recommending formal enforcement actions

Consider the findings when assigning the management component of the Federal Financial Institutions Examination Council’s Uniform Financial Institutions Rating System. Serious deficiencies may result in management being deemed less than satisfactory Reflect the associated risks in the overall assessment of the banking organization’s risk profile

 

V            OCC’s 2020 FAQs on Third-Party Relationships (p 56)

The agencies are including the OCC’s 2020 FAQs, released in March 2020, as an exhibit, separate from the proposed guidance. The OCC issued the 2020 FAQs to clarify the OCC’s 2013 third-party risk management guidance. The agencies seek public comment on the extent to which the concepts discussed in the OCC’s 2020 FAQs should be incorporated into the final version of the guidance. More specifically, the agencies seek public comment on whether:

(1) any of these concepts should be incorporated into the final guidance; and

(2) there are additional concepts that would be helpful to include.

Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29

Summary

The Office of the Comptroller of the Currency (OCC) issued frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.” These FAQs were intended to clarify the OCC’s existing guidance and reflect evolving industry trends.

Contact us today to learn more!

Note for Community Banks – This bulletin applies to community banks

Link to OCC

https://www.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-74a.pdf