OCC: You can’t outsource responsibility

The Office of the Comptroller of the Currency (OCC) recently updated its risk-management guidelines for third-party relationships, and the new guidelines give banks more responsibility than ever.

According to the new guidelines, financial institutions have many of the same responsibilities for managing risk from vendors as they do from their own operations.

“We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic,” Comptroller of the Currency Thomas J. Curry said in a statement. “This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”

The OCC press release that highlights the new guidelines says the update is for national and federal institutions, but the guidance itself says it applies to all financial institutions with third-party relationships.

What the new guidance means

For the vendors who are most critical to a bank’s operations, the OCC expects banks to use a new Risk Management Life Cycle model that covers the following areas:

  • Planning
  • Due diligence and third-party selection
  • Contract negotiation
  • Ongoing monitoring
  • Termination
  • Oversight and accountability
  • Documentation and reporting
  • Independent reviews

In the OCC’s eyes, not all risks and relationships are created equal. According to the guidelines, “The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures.”

Banks must also document the costs and benefits of outsourcing various functions, and show how every vendor is in compliance with Gramm Leach Bliley, Dodd Frank, and other major banking legislation. Banks will have to demonstrate that the vendor’s services are cost-effective, as well as compliant, on an ongoing basis.

Financial institutions need to document every aspect of the relationship and shared operations in writing. For the most critical activities, plans should be reviewed and approved by the most senior level management, or even the board of directors.

The best starting point is to review existing Service Level Agreements, as well as potential agreements, to ensure that risk management strategies and ongoing due diligence are integral parts of the relationship. Discussions with potential vendors must include shared risk management processes.

This shouldn’t dissuade banks from working with third parties. In fact, the OCC expects banks to use vendors when that third-party possesses greater expertise than the bank’s internal resources, or has a more robust risk management model. Banks should pay particular attention when third parties are better able to meet certain critical standards than the bank’s internal operations.

In short, according to the OCC, a financial institution may outsource the task, but it can’t outsource the responsibility.

For more information on the OCC guidelines, or to learn how Baker Tilly banking specialists can help, contact our team.