November 26, 2013
Authored by: Bryan Cave Leighton Paisner
On October 30th, the OCC issued new guidance on third-party relationships and associated risk management. The Bulletin, OCC 2013-29, rescinded and replaced prior guidance on this subject (OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9) but specifically retained numerous other OCC and interagency issues on third-party relationships as listed in Appendix B to the Bulletin.
The Bulletin states that the OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of the relationship. It details the expected management of all aspects of third-party relationships and is more specific than prior guidance about the responsibility of a bank’s board of directors for overseeing the management processes. For example, the board must ensure an effective process is in place, approve the bank’s risk-based policies governing third-party management, review and approve plans for using third parties, approve contracts with third parties, review management’s ongoing monitoring of the relationships and hold accountable those employees who manage the relationships.
While the Bulletin focuses on third-party relationships that involve “critical activities,” a bank’s judgment of what is critical could be subject to second guessing, particularly if the bank experiences difficulties with consumers or the examiner otherwise believes that the bank’s risk management process is weak.