Recently we have seen a focus on vendor management during exams. Regulators have been concerned the quality of third-party risk management practices may not be keeping pace with the increasing level of risk and complexity of these relationships. As a result of this concern and new focus, the OCC released a Bulletin titled "Third-Party Relationships: Risk Management Guidance" on October 30, 2013. The bulletin provides guidance for assessing and managing risks associated with third-party relationships.
Risk Management Life Cycle
The guidance describes a Risk Management Life Cycle as a way to effectively manage third-party risk, see figure 1. This continuous life cycle process incorporates the following phases and practices:
Planning
Before entering into a relationship with a third-party, banks should develop a plan to manage the relationship. The plan should be based on risk and complexity and may include considerations in the following areas:
- How it fits into the overall strategic plan
- An outline of the strategic purposes
- Assessment of complexity, activity, technology, and support
- Cost/benefit analysis
- Effects of the relationship
- Interaction and impact with customers
- Information security
- Business continuity
- Assessment of activities subject to specific laws or regulations
- Evaluation of the third party's alignment with bank policies and practices
- Vendor oversight activities
- Ensuring board approval for critical activities
Due Diligence and Third-Party Selection
The guidance suggests banks conduct due diligence on all potential third parties before entering into contracts or relationships. The due diligence should be based on the risk and complexity of the relationship, and should consider the following:
- Strategies and Goals
- Legal and Regulatory Compliance
- Business Experience and Reputation
- Financial Condition
- Qualifications, Backgrounds, and Reputations of Company Principals
- Fee Structure and Incentives
- Risk Management
- Information Security
- Management of Information Systems
- Resilience
- Incident-Reporting and Management Programs
- Physical Security
- Human Resources Management
- Reliance on Subcontractors
- Insurance Coverage
- Conflicting Contractual Arrangements With Other Parties
Contract Negotiation
After a third party has been selected and periodically thereafter, the bank should review contracts to ensure they address pertinent risk controls and legal protections. The guidance suggests contracts should generally address the following:
- Nature and Scope of Arrangement
- Performance Measures or Benchmarks
- Responsibilities for Providing, Receiving, and Retaining Information
- The Right to Audit and Require Remediation
- Responsibility for Compliance With Applicable Laws and Regulations
- Cost and Compensation
- Ownership and License
- Confidentiality and Integrity
- Business Resumption and Contingency Plans
- Indemnification
- Insurance
- Dispute Resolution
- Limits on Liability
- Default and Termination
- Customer Complaints
- Subcontracting
- Foreign-Based Third Parties
Ongoing Monitoring
After entering into a contract with a third party, the bank should dedicate appropriate staff to oversee and monitor the vendor. As part of continuous monitoring, the guidance suggests regularly assessing:
- Business strategies
- Compliance with legal and regulatory requirements
- Financial condition
- Insurance
- Key personnel
- Risk management
- Information technology
- Business continuity
- Subcontractors
- Conflicts of interests
- Information security
- Consumer complaints
Termination
Bank management should have a plan for termination in the event activities are transitioned to another third party, brought in-house, or discontinued. The plan should ensure the bank has the capabilities, resources, and the time required to transition activities while still managing legal, regulatory, customer, and other impacts that might arise as a result of termination. In addition, the bank should be prepared to handle potential reputation risk, data retention and destruction, joint intellectual property, technology issues, or other risks during and after the end of the relationship.
Oversight and Accountability
Assigning clear roles and responsibilities is critical to ensure an effective third-party risk management process. The guidance suggests the following roles and responsibilities to ensure relationships and activities are managed effectively:
- Board of Directors – The Board should ensure an effective process is in place to manage risks related to third-party relationships, including approving policies, reviewing and approving plans, reviewing summary due diligence and ongoing monitoring reports, and approving contracts with critical vendors.
- Senior Bank Management – Senior management should develop and implement the bank's third-party risk management process, including establishing policies, developing plans, ensuring due diligence is conducted, reviewing and approving contracts, ensuring relationships are continuously monitored and reviewed, ensuring accountability of bank employees who manage third-parties, and terminating relationships as appropriate.
- Bank Employees Who Directly Manage Third-Party Relationships – Bank employees who directly manage third-party relationships should conduct due diligence, ensure vendors comply with bank policies, continuously monitor relationships, oversee vendors, escalate issues, respond to issues, and recommend termination if needed.
Documentation and Reporting
Proper documentation and reporting should be conducted throughout the relationship life cycle to facilitate oversight, accountability, monitoring, and risk management practices.
Independent Reviews
The bank's third-party risk management processes should be reviewed by the internal auditor or an independent party periodically and reported to the Board to ensure risk management practices are appropriate.
In summary, risk management of third-parties is becoming more and more critical as relationships become more risky and complex; therefore, a strong risk management process must be in place to manage and control third-party relationships.
