OCC Supplements Exam Procedures Covering Third-Party Relationships: Risk Management Guidance
On January 24, the OCC released Bulletin 2017-7 advising national banks, federal savings associations and technology service providers of examination procedures issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. As previously summarized in BuckleySandler’s Special Alert, Bulletin 2013-29 requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, and warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” Bulletin 2013-29 outlined a “life cycle” approach and provided detailed descriptions of steps that a bank should consider taking at five important stages of third-party relationships: (i) planning; (ii) due diligence and third-party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. Following the OCC’s issuance of Bulletin 2013-29, the Federal Reserve Board, on December 5, 2013, issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (SR 13-19). The FRB Guidance is substantially similar to Bulletin 2013-29.
Bulletin 2017-7 outlines procedures designed to help prudential bank examiners: (i) tailor supervisory examinations of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships; (ii) assess the quantity of the bank’s risk associated with its third-party relationships; (iii) assess the quality of the bank’s risk management of third-party relationships involving critical activities; and (iv) determine whether there is an effective risk management process throughout the life cycle of the third-party relationship. Consistent with the life cycle approach established in Bulletin 2013-29, the examination procedures identify steps examiners should take in requesting information relevant to assessing the banks’ third-party relationship risk management relative to each phase of the life cycle.
For additional background, please see our Spotlight Series: Vendor Management in 2015 and Beyond.