The Office of the Comptroller of the Currency (OCC) released guidance in October 2013 to national banks and federal savings associations on how to assess and manage risks of third parties. Concerns over how effectively banks are managing risks of their outsourced providers have increased along with their use. This increased use has consisted of both greater numbers of service organizations employed by banks and increased complexity in the services they provide. This, coupled with the fact that service organizations may also be domiciled in foreign countries, has raised concerns within the OCC and the banks themselves.
Given this enhanced focus on third parties providing services to banks, how should a third party best prepare to meet current and potential client risk management expectations? The OCC subdivides third party risk management into five phases called the risk management life cycle. These phases consist of:
Due diligence and third party selection
In addition to these five phases, the OCC also lists three additional activities that should be undertaken throughout the lifetime of the third party relationship. These include:
This article will provide a brief overview on steps a third party may take to prepare for potential changes in bank’s expectations in contracting with third parties.
The planning phase consists of management preparing a plan to manage the third party engagement. Some of the actions recommended by the OCC for banks to complete include, but are not limited to, defining a strategic purpose for the relationship, understanding the complexity of the relationship, determining the extent to which the third party will be interacting with customers, and clarifying the potential information security and confidentiality implications of the agreement.
Although some of these action items are exclusively areas that need to be completed by the bank client, there are proactive steps that third party service providers can take to assist banks in meeting the OCC recommendations. Third parties, for example, can conduct their own self-analysis of each of the questions and action items recommended by the OCC and develop a white paper or report documenting their current state. By being proactive, third parties are able to quickly answer the bank client’s questions and raise the bank’s confidence in selecting the third party to build a relationship.
Similar to many contractual agreements, the OCC recommends that banks conduct formal due diligence when considering which third party to select. The OCC also recommends that the level of due diligence be partially dictated based on the complexity of the work being shifted to the third party.
Third parties should be prepared for more stringent and comprehensive due diligence than they may have experienced in the past. Areas the bank may focus on include an evaluation of the third party’s strategic objectives, pending litigation, regulatory violations, current financial condition, industry reputation, risk management practices, information security standards, subcontractor reliance, and levels of insurance coverage. Anticipating these areas of focus and preparing a comprehensive response can put third parties in an advantageous position. Banks, for example, are increasingly asking third parties for their Service Organization Control (SOC) 1 (also known as an SSAE 16) or SOC 2 reports. A SOC 1 report addresses controls at a service organization which are relevant to the user entities’ (in this case the banks) internal control over financial reporting. The controls are examined by a third party auditor who issues an opinion on the design and operating effectiveness of the controls. In other words, if the services outsourced to the third party have an impact on the bank’s financial statements, the bank requests that the third party hire an independent auditor to examine the controls at the service provider. A SOC 2 report is focused on operational compliance and can cover the following principles: security, availability, processing integrity, confidentiality, and privacy. If a bank, for example, outsources their data center and they have contractually obligated a third party to conform to a certain level of up-time or physical security, a SOC 2 report can be utilized to independently examine these controls. Seeing this trend, third parties are increasingly procuring SOC reports in advance of bank requests so that prospective client negotiations are not unnecessarily delayed.
Creating a centralized area to store documentation related to these common focus areas can also decrease the time the third party needs to spend accumulating due diligence request support materials. The third party should also consider proactively inviting the prospective client to their location for a formal tour. This can go a long way in establishing rapport and decreasing concerns.
Although the OCC guidance was directed at banks, the contract negotiation phase can equitably be applied to third parties as well. First, contracts should be unambiguous in their language. When engaging a bank to be its service provider, the third party should keep a long-term win-win mindset. Complex or overly legalistic language is not good for anyone’s interests. If there is a misunderstanding due to unclear contract language and a lawsuit results, neither party truly wins.
The OCC recommends that the contract address several areas included in detail in the actual guidance. Some of these areas include clearly articulating the nature and scope of the engagement, performance measures or benchmarks, responsibilities around providing and retaining information, the right to audit, and confidentiality and integrity.
Prior to negotiating, third parties should carefully consider their position in regards to each portion of the contract and prioritize areas where they are less flexible compared to areas where they are more flexible. By having a clear outlook on what is acceptable in advance of the negotiations, third parties are less likely to accidentally accept terms that are unacceptable. Being prepared also allows the third party to look at the negotiations from a strategic perspective where lower priority areas of dissent can be given as a compromise to the bank and higher priority areas may be requested of the bank in return.
The OCC recommends that banks dedicate their efforts to conduct ongoing monitoring of the same topics reviewed during the due diligence phase. Things, obviously, can and do change. Confirming, for example, that the third party’s financial condition has kept stable or that they have an updated SOC 1 or SOC 2 report can reassure the client that risks have not materially increased.
Third parties should clearly understand the bank’s concerns and needs in regards to their ongoing monitoring efforts and consider providing ongoing status reports on key focus areas or metrics. This can also offer the third party an opportunity to highlight areas where they have added value or performed better than expected.
Companies generally don’t like to think about their customers terminating the relationship. Many business relationships, however, do come to an end eventually. The termination phase focuses on banks ensuring they have preparations and a process in place to terminate a third party relationship efficiently and transfer the activities either in-house or to another third party provider. The bank should clearly understand the full extent of activities completed by the third party and the level of difficulty in transitioning these responsibilities. The bank should also understand what data is being held by the third party, how that data will be transmitted to the new provider, who owns the data, and how it will be destroyed.
Third parties can increase a prospective or current client’s trust by clearly documenting how a relationship termination would proceed with the bank. It would also be in the third party’s interest to clearly understand expectations and accepted procedures in moving responsibilities back to the bank or to another third party if the relationship ends.
Many of the OCC recommendations are not new or revolutionary. Banks and their third parties have been negotiating business relationships for many years and the phases outlined by the OCC are commonly completed by many organizations. The guidance, however, does show that there is greater scrutiny and focus on banks extending their risk management practices to third party relationships. Third parties should not view this as just more documentation and administrative work for them, rather they should instead see this as an opportunity to be more prepared than their competitors for risk related bank requests. By helping banks meet the expectations of the OCC’s guidance, third parties can differentiate themselves as collaborative partners with a firm grasp on their risk management program.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.