A Closer Look at the OCC’s New Rule on Third-Party Risk Management

Office of the Comptroller of the Currency

Matt Gunn, Managing Editor | TechComply

You can’t outsource responsibility, or so the adage goes. The Office of the Comptroller of the Currency reinforced the notion with its updated risk management guidance on third-party relationships.

Under the new guidance, financial institutions face new or increased scrutiny relating to their relationships — contract or otherwise — with outside partners. As the OCC’s press release points out, using a third party doesn’t ease the responsibility of the financial institution, its board or its management when it comes to ensuring safe and compliant banking.

“We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic,” Comptroller of the Currency Thomas J. Curry said in a statement. “This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”

Although the press release issued by the OCC says the update is for national banks and federal savings associations, the actual guidance goes on to state that it applies to all financial institutions with third-party relationships. And it could mean new or heightened operational, compliance, reputation, strategic or credit risks when working with a third party, according to the OCC’s statement. Institutions should take appropriate steps, such as due diligence and ongoing monitoring, strategic planning, documentation and the development of clear contracts that explicitly define the roles and responsibilities of all parties involved.

But the OCC’s new guidance doesn’t necessarily let banks and credit unions that choose to go it alone off the hook, either. In fact, it appears the agency is now taking a stance that institutions may be exposing themselves to strategic risk by not utilizing third-party providers:

Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.

In other words, institutions that adopt the attitude that they can forge ahead with new technologies or services on their own could potentially be exposing themselves to increased risk in the eyes of the OCC if they have not done the due diligence and research to ensure that there isn’t a third-party provider that can do it better. Indeed, you can’t outsource risk, and you can’t sweep it under the rug either. At least, not without demonstrating that your internal operations are up to the standards defined by regulators and as good as, if not better than, the alternatives.

Risk management — particularly as it applies to outside vendors — has been among the hottest topics of the past year, says Tom Hinkel, Safe Systems VP of Compliance and author of the Compliance Guru blog. He adds that Safe Systems offers due diligence and contract checklists to its clients as a way to help meet regulatory guidance such as this, and Hinkel is working to update those lists to reflect the latest changes. Be sure to read Compliance Guru for ongoing coverage of the new guidance.

RELATED: Catch Tom Hinkel and Safe Systems CTO Brendan McGowan’s Nov. 6 webinar, “Technology and Banking: The Good, the Bad and the Ugly”
