OCC Guidance is Latest in Heightened Regulatory Scrutiny of Vendor Management
On October 30, 2013, the Office of the Comptroller of the Currency (the “OCC”) issued updated guidance for national banks and federal savings associations, including community banks, on assessing and managing risks associated with third-party relationships. This is the latest step in a series of efforts by federal bank regulatory agencies to set standards for banks and bank holding companies related to their use of vendors to outsource internal operations. This area is becoming highly regulated as banks and bank holding companies are contracting out an increasing amount of services to vendors in an attempt to be more efficient and save money.
In the view of the OCC and other federal bank regulatory agencies, the use of a vendor for a particular activity does not lessen the responsibility of a bank’s board of directors and senior management to ensure that such activity conforms to sound banking practices and applicable law. Therefore, boards of directors and senior management have a duty to identify, monitor, manage and control the risks associated with these third-party relationships using a process that includes the following phases: (i) planning (develop a plan to manage third-party relationships); (ii) due diligence and third-party selection (conduct due diligence on all third parties prior to selection, even if the bank has prior experiences or knowledge of such third party); (iii) contract negotiation (negotiate contracts that set forth the responsibilities of the third parties and limit the bank’s liability); (iv) ongoing monitoring (monitor the third-party relationship to assist in the management of the risk); and (v) termination (ensure that third-party relationships terminate in a way that allows the activity to be transitioned or discontinued efficiently). Additionally, throughout the third-party relationship, banks should exercise oversight and accountability over third-party relationships, ensure appropriate documentation and reporting is performed for such relationships, and perform periodic independent reviews of the risk management process to ensure conformity with the bank’s strategy and to determine whether the management of the risk is adequate.
Given the focus on risk management, we expect continued heightened scrutiny of these third-party relationships and more guidance to be issued by federal bank regulatory agencies in the future related to vendor management. Prior guidance released by bank regulatory agencies on this topic includes “Outsourcing Financial Services Activities” issued by the Federal Reserve Bank of New York (October 1999); OCC Bulletin 2001-47; FDIC Financial Institution Letter FIL-44-2008; FDIC Financial Institution Letter FIL-127-2008; and CFPB Bulletin 2012-13. In light of the foregoing, banks should consider the adoption of a comprehensive vendor management policy.
The foregoing is only a summary of the updated risk management guidance issued by the OCC. If you have any questions about the foregoing or about other financial institution issues, please direct them to your regular contact at Troutman Sanders LLP or to any of the persons listed in this release.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.