OCC RISK MANAGEMENT GUIDANCE ON THIRD-PARTY RELATIONSHIPS

Nick Shakarjian, Director

5565 Centerview Drive Raleigh, NC 27606 866.603.7029 www.sageworksanalyst.com

TABLE OF CONTENTS

Introduction
Risk Management Life Cycle
Planning
Due Diligence
Contract Negotiation
Ongoing Monitoring
Termination
Continuing Expectations
Conclusion
About Sageworks & the Author
Endnotes
Additional Resources

INTRODUCTION

Examiners have always expected banks and credit unions to perform appropriate vendor due diligence prior to engaging a third party. But with its October 2013 guidance, Third-Party Relationships, the OCC gave the banks it supervises a defined risk management framework.

In this paper, we look at some of the specific requirements and how banks can meet examiner expectations during forthcoming exams, including specific questions to ask and criteria to consider during the different stages of a third-party relationship.

INTRODUCTION (CONT.)

WHAT IS A THIRD-PARTY RELATIONSHIP? It includes activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records.

As the announcement points out, banks face new and increased operational, compliance, reputation, strategic and credit risks when entering into an agreement with a third party, especially when the agreement covers “critical activities”. As such, the OCC asks banks to develop a risk management process proportionate to the level of risk within the relationship.

“Critical activities” are described as significant bank functions, services or activities that could have a major impact on the bank’s operations.

Comptroller of the Currency Thomas Curry explains: “We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic. This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”1

The new guidance set forth by the OCC supersedes prior Bulletin 2001-47, “Third Party Relationships: Risk Management Principles” and OCC Advisory Letter 2009-9, “Third-Party Risk”.

Third-party relationships are defined as a business arrangement between a bank and an outside entity, by contract or otherwise. Some examples are tax, legal, audit or information technology services. By entering into agreements with third parties, it becomes the board members’ and senior management’s responsibility to ensure that contracted activities fall in line with regulatory guidance and uphold the safety and soundness of the institution.

When circumstances warrant, the OCC will apply corrective measures to ensure banks’ relationship management standards are appropriate; these measures could include enforcement actions, special examinations and the assessment of civil money penalties.

INTRODUCTION (CONT.)

On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued Guidance on Managing Outsourcing Risk2 to supplement guidance previously issued on technology service provider risk.3 While the Federal Reserve’s guidance is less comprehensive than the new guidance set forth by the OCC, many of the themes are similar.

RISK MANAGEMENT LIFE CYCLE

As banks continue to increase the number and complexity of third-party relationships, the OCC is concerned that the quality of risk management in the relationship may not be commensurate with the level of inherent risk. This includes proper due diligence when selecting a vendor, but it also extends through the life of the relationship.

An effective risk management process includes a continuous life cycle for all third-party relationships and covers:

1. Planning
2. Due diligence and third-party selection
3. Contract negotiation
4. Ongoing monitoring
5. Termination

PLANNING

Prior to entering into a third-party relationship, management should develop a plan establishing the goal of the relationship and the scope of the contract. This enables the bank to discuss inherent risks and evaluate how the contracted activity relates to the bank’s overall strategic goals, objectives and risk appetite: what impact would such a relationship have?

Banks are also encouraged to perform a cost-benefit analysis at this stage to determine whether the potential benefit (e.g. cost reductions, expanded bank operations, increased efficiencies, heightened expertise) outweighs the estimated cost (e.g. integration and subscription fees, training, additional staffing, interruption to existing programs), and to consider how the arrangement might affect information security, for example what bank or customer data the third party would hold or be able to access. When contracting for critical activities, a detailed process describing how the bank will select, assess and oversee the third party must be presented to and approved by the bank’s board of directors.

DUE DILIGENCE

An in-depth assessment of the third party’s ability to perform the activity while complying with regulatory guidelines should be performed before entering into a contract or relationship. Banks should not rely on prior experience with or knowledge of the third party as a substitute for this assessment, and the level of due diligence should match the risk and complexity of the relationship. In practical terms, this means a core system that houses all the bank’s loan and customer data will require far more attention than a relationship contracted to print deposit slips.

The OCC provides a comprehensive list of criteria to use during due diligence; be sure to review that list before signing a contract. Its recommendations include:

1. Corporate strategies: Do they conflict with the bank’s strategy, or will business arrangements planned by the organization affect the bank?

2. Legality: Does the third party have all necessary licenses and audits according to the service agreement?

3. Financial condition: Upon reviewing audited financial statements, does it appear the third party is in good financial health (e.g. growth levels, profitability, debt) and able to offer uninterrupted service?

4. Experience: Does the third party have a history of satisfactorily providing the service, and with the level of expertise required?

5. Fees: Does the license fee or cost structure create financial difficulties for the bank?

DUE DILIGENCE (CONT.)

6. Principals of the company: Does the third party periodically check the background of its senior management and of the personnel that will participate in the relationship?

7. Risk management: Does the organization have proper internal controls and audit functions in place? A third party’s SOC 1 report is an excellent starting point. A SAS 70 is no longer the relevant audit report: in 2011, the AICPA replaced SAS 70 with the more comprehensive SSAE 16, under which the SOC 1 report is issued. Keep in mind that a SOC 1 covers controls relevant to the bank’s financial reporting; for the third party’s security, availability and confidentiality controls, also request a SOC 2 report, and read the scope, the period covered and any noted exceptions rather than treating the existence of the report as assurance.

8. Information security: Do the controls at the third party adequately keep data safe and quickly address new threats or vulnerabilities once identified?

9. Information management systems: The bank should understand how the third-party application works and should have the third party’s performance metrics available, in order to understand weaknesses in the process and in the interaction of the third party with the bank’s technology, data or personnel.

10. Resilience: Has the third party made disaster recovery plans for continued service in light of natural disasters, cyber or physical attacks or human error? Have these plans been effective in the past?

11. Incident reporting: In the event of an incident, is the organization equipped, through processes and accountability programs, to quickly remedy the incident and notify the bank?

DUE DILIGENCE (CONT.)

12. Physical security: Does the third party mitigate physical risk to its employees, data facilities and technology?

13. HR policies: Are employees properly trained and held accountable?

14. Use of subcontractors: If the organization uses another company (or companies) to help deliver the service, does that subcontractor relationship introduce risk, and should the subcontractor be similarly assessed for risk to the bank?

15. Appropriate insurance: Does the third-party organization have bond insurance or other types of protection for IP rights and assets that are not generally covered by a commercial policy?

16. Agreements with other parties: In its other agreements, does the organization indemnify itself in a way that might pass risk on to the bank?

This list is meant to start the due diligence thought process but is not exhaustive; it is recommended to read the guidance in its entirety to gauge how the identified risks could apply to a bank’s specific relationship.

A chief financial officer of a privately held bank in the Northeast commented, “The new OCC guidance forces banks to be more cognizant of the relationships they undertake and assess the risk involved with third parties. As banks recover from the financial crisis in 2008, it’s clear the OCC is promoting a more structured approach to mitigate risk.”

DUE DILIGENCE (CONT.)

While this list may be onerous to administer, it does help bank management and board members understand and execute a thorough vendor due diligence program.

It is management’s responsibility to review and determine whether or not the third party meets expectations. If critical activities are part of the contract, senior management must present the due diligence results to the board for approval when making recommendations on third-party relationships.

CONTRACT NEGOTIATION

Upon selecting a third party, a bank’s management will likely negotiate or review a contract detailing the responsibilities of each party. Contracts should fully describe compensation, fees and the circumstances under which the cost structure may be changed. Moreover, contracts need to specify what constitutes default and stipulate the conditions for termination. Banks should also revisit existing contracts to ensure they comply with the bank’s risk controls and legal protections.

The contract should also cover performance expectations, and it is recommended that a bank use industry standards to evaluate the contract’s service level agreement. For software, these standards might measure:

1. Service availability
2. Responsiveness to support requests, and/or
3. Update or enhancement timelines.

For a third party that will hold or access bank or customer data, the agreement should also state the third party’s security and confidentiality obligations, its duty to notify the bank of security incidents, and the bank’s right to audit the third party or receive its audit reports.

Again, senior management will need to get approval from the board on all contracts, prior to execution, when critical activities are involved.

ONGOING MONITORING

Once a contract with a third party has been executed, bank management should dedicate staff with the expertise and authority to oversee and monitor the relationship, especially if it involves critical activities. The criticality of an activity may change over time, making a relationship more or less of a source of risk; consequently, banks will need to adapt their monitoring accordingly.

Many of the due diligence criteria will apply throughout the contract’s lifetime, so banks are expected to repeat these reviews as part of the ongoing monitoring process. Where a discrepancy or issue is identified, senior management should take action and escalate significant issues to the board.

TERMINATION

The termination phase of the risk management life cycle is new to OCC guidance. Under the new guidance, banks are required to implement risk management controls and maintain them through the termination phase, or the end of the contract. Contracts with third parties may be terminated by the bank for several different reasons, including expiration, breach of contract, a change of vendor or the decision to bring the activity in-house.

It is management’s responsibility to have a plan in place and to be proactive in the event of a contract default or termination, ensuring compliance throughout the entire relationship. A bank’s contingency plan should address reputation risks, joint intellectual property, and data retention and destruction in accordance with regulatory laws and guidelines, including the return or verified destruction of the bank’s data held by the third party and the revocation of any access the third party had to the bank’s systems.

CONTINUING EXPECTATIONS

Throughout the life cycle, there are ongoing expectations laid out by regulators:

1. Oversight and accountability
2. Documentation and reporting
3. Independent reviews

Oversight and Accountability

Clearly defined roles for board members, senior management and the bank employees who directly manage third-party relationships are outlined in the new OCC guidance.

1. Senior management must establish and implement the bank’s third-party risk management process, including planning future engagements with third parties and their ongoing monitoring.

2. Bank employees must confirm that the third party complies with the bank’s policies and, when needed, escalate significant issues to management.

3. The board of directors must approve the bank’s risk-based policies governing third-party relationships and the contracts that involve critical activities.

Documentation and Reporting

A bank should properly document and report on its current inventory of third-party relationships and identify those that involve critical activities. This will help sustain accountability, monitoring and overall risk management, and it will make exam time easier with all the data in one central location. This list must be kept up to date, especially since examiners may request it at any time.

CONTINUING EXPECTATIONS (CONT.)

Independent Reviews

A bank’s senior management should ensure that periodic, independent reviews are conducted of its third-party risk management process. An internal auditor or an independent third party may perform the review, in which case senior management is expected to present the results to the board of directors. These results will help management determine whether and how to adjust the bank’s risk management process, policy, reporting and controls. As the figure from the OCC guidance shows, it is an iterative, repeated process that is refined over time.

[Chart from the OCC guidance: the third-party risk management life cycle.]4

CONCLUSION

The aforementioned criteria and expectations are indispensable when dealing with third parties.

Under the new OCC guidance, it is senior management’s responsibility to develop and implement the bank’s third-party risk management process; however, it is up to the board of directors to approve the bank’s risk-based policies and any contracts encompassing critical activities.

This OCC guidance puts more of the onus on the board compared to the recommendations put out by the Federal Reserve. But in both cases, there is a clear effort and expectation from the OCC and the Federal Reserve for banks to be more attentive to and proactive with third-party relationships and their inherent risk.

ABOUT SAGEWORKS & THE AUTHOR

Sageworks (www.sageworks.com) is a financial information company working with financial institutions, accountants and private-company executives across North America to collect and interpret financial information. Thousands of bankers rely on Sageworks’ credit risk management solutions to streamline credit analysis, risk rating, portfolio stress testing, loan administration and ALLL calculation. Sageworks is also an industry thought leader, regularly publishing whitepapers and hosting webinars on topics important to bankers.

Sageworks ALLL is the premier automated solution for estimating a financial institution’s reserve. It helps bankers automate their ALLL process and increase consistency in their methodology, making it defensible to auditors and examiners. Sageworks’ risk management consultants also assist clients with the implementation of their ALLL models and guidance interpretation. To find out more, visit www.sageworksanalyst.com.

Nick Shakarjian is a director of financial markets at Sageworks, where he assists financial institutions with credit and portfolio risk management solutions. Working with banks and credit unions across asset ranges, Nick is responsible primarily for working with the allowance, helping financial institutions to minimize regulatory and accounting risk. Nick is a graduate of the Alfred Lerner School of Business at the University of Delaware, where he studied business marketing.

ENDNOTES

1. “Office of the Comptroller of the Currency Releases Guidance on Third-Party Relationships,” Office of the Comptroller of the Currency. October 30, 2013. Accessed at 13/nr-occ-2013-167.html.

2. “Guidance on Managing Outsourcing Risk,” Board of Governors of the Federal Reserve System. December 5, 2013. Accessed at s/sr1319a1.pdf.

3. “Outsourcing Technology Services,” Federal Financial Institutions Examination Council. June 2004. Accessed at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf.

4. “Third-Party Relationships,” Office of the Comptroller of the Currency. October 30, 2013. Accessed at /bulletin-2013-29.html.

ADDITIONAL RESOURCES

“e-Book: The Complete Guide to the ALLL”
ALLL Forum for Bankers
