Banks – whether or not they are regulated by the OCC – should review their own approach to third-party risk in light of this new guidance, and begin to implement people, processes, and technology systems accordingly. It’s clear that regulators are broadening and deepening their understanding of the risks posed by third-party relationships, and so financial institutions will need to as well.
Financial services regulators look to be raising the intensity of their gaze on third-party relationships again. At the end of January 2017, the US Office of the Comptroller of the Currency issued Supplemental Examination Procedures for Third Party Relationships. This new release – others from other regulators will certainly follow – will challenge the financial services industry to raise its game when it comes to managing third-party relationships and risk in the coming months.
This document is more than just an update – it sets new, higher expectations for the banks that the OCC regulates around the management of third-party relationship risks. The previous OCC document on the topic, “Risk Management Guidance,” was issued in 2013 and took a more tactical approach, reflecting the way banks were approaching these relationships. In that document, each third-party relationship was to be put into the context of a “risk management life cycle” (see pages 2-3 for an overview of the 2013 release).
In the new 2017 document, it’s clear the OCC expects banks to take a much more strategic approach to managing third-party relationships and third-party risk. It expects the financial institutions it supervises to:
- Have a third-party relationship strategy (and, within that, a risk management strategy) that applies to all of its relationships
- Use technology to supply a wide range of different kinds of business, risk, compliance, and control information to all relevant stakeholders involved with the third-party relationships – including independent reviewers and regulators
- Have an involved Board – a Board that sets third-party strategy and monitors the success of that strategy. No longer is the Board meant to deal primarily with escalations and crises
- Embed understanding of different kinds of risks – including concentration risk and credit risk – directly within the third-party risk management strategy
- Understand that third-party subcontractors must be monitored and reviewed at nearly the same level of scrutiny as the third parties themselves. These so-called “fourth parties” are now viewed as a significant potential source of risk
- Treat independent reviews of third-party relationships as an essential “check and balance” – and resource these activities appropriately
- Ensure the talent that manages the third-party relationships within the bank is adequately skilled, resourced, and empowered, but also that it’s incentivized in a risk-appropriate way.