The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 might garner the most headlines, but it is hardly the only federal regulation deserving the attention of U.S. banks.
Two other federal regulations are increasing the pressure on banks and other financial institutions to monitor and manage third parties. A third party is any outside entity doing work for a bank, regardless of whether the third party is an individual, partnership, or corporation, and regardless of whether the work is done under contract or on a more casual basis.
These two regulations are:
Bulletin 2013-29 from the Office of the Comptroller of the Currency (OCC)
OCC Bulletin 2013-29 provides risk management guidance regarding banks and other financial institutions’ use of third parties. It mandates that institutions adopt a risk management lifecycle for assessing and monitoring the conduct of all their third parties.
The Foreign Corrupt Practices Act (FCPA) of 1977
The FCPA forbids companies that trade securities in the U.S., among others, from making illicit payments (bribes) to foreign officials. To make bribery easier to detect, the FCPA requires companies to maintain the transparent accounting practices mandated by the Securities Exchange Act of 1934. Critically, the FCPA holds companies responsible not only for the conduct of their own employees, but also for the conduct of their third parties.
Here’s an overview of each regulation, along with examples of the enforcement penalties that can result for compliance violations.
OCC 2013-29: Risk Management Guidance for Third-Party Relationships
The Office of the Comptroller of the Currency’s Bulletin 2013-29 begins by noting that the third-party relationships of banks and other financial institutions have become increasingly important and complex. Because institutions rely so much on third parties, it’s important that those third parties are carefully selected and routinely assessed and monitored.
The OCC bulletin directs banks to systematically manage risk involving third parties:
The OCC recognizes that not all third parties are equally important. Proper risk management includes assessing the disparate risks posed by various third parties. Banks should assess the potential risk a third party poses in the case of poor performance, a data security breach, or some other operational lapse.
To assess and monitor all its third parties, a bank should establish a risk management lifecycle that encompasses all aspects of the bank’s relationship with each third party, including:
The risk management lifecycle should also include evaluations of each third party’s financial condition, risks, and capabilities. Contracts should describe the nature of the terms and scope of the relationship between an institution and its third parties.
Implementing a risk management solution this broadly requires discipline, rigorous attention to detail, and a technological approach that can scale easily across markets and regions.
OCC Enforcement Actions
Failure to implement a risk management lifecycle and prevent improper conduct by third parties can be costly.
Since issuing Bulletin 2013-29, the OCC has assessed multi-million dollar fines against banks and other financial institutions for failure to manage their third parties properly. For example:
The Foreign Corrupt Practices Act of 1977
The Foreign Corrupt Practices Act (FCPA) of 1977 forbids publicly traded U.S. companies and their subsidiaries and third parties from bribing foreign officials in order to grow or retain business. The FCPA also requires companies to maintain transparent accounting practices so that instances of bribery can be easily detected.
Even if a bank is not a publicly traded company, it may find itself subject to the FCPA for any of the following reasons:
Penalties for violating the FCPA can be onerous. Fines can reach up to $25 million per violation. Individuals can be fined up to $5 million per violation and imprisoned up to 20 years. Regulators may also order companies to disgorge profits. Regulators might also disbar or suspend a company from doing business with the U.S. government.
FCPA Enforcement Actions
In the past five years, Department of Justice (DOJ) and Securities and Exchange Commission (SEC) investigations of FCPA violations have broadened to include financial services organizations. In 2011, the SEC sent letters of inquiry to several financial institutions, including banks, asking about corrupt payments made to help institutions obtain investments from sovereign wealth funds. (A sovereign wealth fund is a government-owned investment fund derived from fiscal surpluses and other government sources.)
Recent FCPA penalties against financial institutions include: