United States

Third-party risk management


Both the Federal Reserve and the OCC have recently issued guidance on third-party vendor management. The Agencies state the following in regard to third-party risk management programs:

Federal Reserve: A financial institution's service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged

OCC: A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.   

The Federal Reserve issued guidance on “managing outsourcing risk” on Dec. 5, 2013 in response to seeing increased outsourcing and third party involvement in bank activities. The guidance supplements existing guidance from the Federal Reserve on technology service provider risk issued in June of 2004. The guidance defines the compliance risks, concentration risks, reputational risks, country risks, operational risks and legal risks associated with the use of service providers. The following excerpts are taken directly from the guidance:

  • The use of service providers does not relieve a financial institution's board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations.
  • The depth and formality of the service provider risk management program will depend on the criticality, complexity, and number of material business activities being outsourced.
  • While the activities necessary to implement an effective service provider risk management program can vary based on the scope and nature of a financial institution's outsourced activities, effective programs usually include the following core elements:
    • Risk assessments
    • Due diligence and selection of service providers
    • Contract provisions and considerations
    • Incentive compensation review
    • Oversight and monitoring of service providers
    • Business continuity and contingency plans

The guidance also describes the following additional risk considerations:

  • Suspicious Activity Report reporting functions
  • Foreign-based service providers
  • Internal audit
  • Risk management activities

The Federal Reserve guidance on managing outsourcing risk can be found here: http://www.federalreserve.gov/bankinforeg/srletters/sr1319a1.pdf

The OCC has also recognized that banks’ use of third parties is growing. The OCC’s risk management guidance for assessing risks associated with third-party relationships was issued on Oct. 30, 2013. The summary points out that this guidance (issued as a bulletin) rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” and OCC Advisory Letter 2000-9, “Third-Party Risk.” It also states that “this bulletin supplements and should be used in conjunction with other OCC and interagency issuances on third-party relationships and risk management listed in appendix B.” The guidance lays out the OCC’s expectations for an effective third-party risk management process. The process follows a continuous life cycle for all relationships and incorporates the following phases as noted in the guidance:

  • Planning: Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful for many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.
  • Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract5 helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.
  • Contract negotiation: Developing a contract that clearly defines expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability, and mitigate disputes about performance.
  • Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.
  • Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.

In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:

  • Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability.
  • Documentation and reporting: Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships.
  • Independent reviews: Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third-party relationships.

To learn more about and for a full description of each phase noted above, please see the guidance which can be found here: http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

5 Except for nondisclosure agreements that may be required in order for the bank to conduct due diligence.