Comptroller Curry Comments On Outsourcing Risks

OCC Vendors

On March 4, Comptroller of the Currency Thomas Curry addressed the annual meeting of the Independent Community Bankers Association where he stressed the need for banks to effectively manage risk presented by the outsourcing of data security and information technology. The Comptroller explained that “[t]hird parties can be the weak link in [a bank’s] information systems security and resiliency; and especially where that third party is providing security services.” Referencing guidance the OCC issued last year, the Comptroller described the OCC’s due diligence expectations for banks’ third-party relationships as “substantial” and stressed that a bank’s due diligence needs to cover not only the vendor, but the vendor’s own third-party relationships. Mr. Curry also focused on other concerns he has about third-party relationships, including: (i) consolidation of service providers, which can increase the number of banks impacted when deficiencies occur at a single vendor; (ii) increased reliance by banks on foreign-based service providers; and (iii) third parties’ access to “large amounts of sensitive bank or customer data.”