In June, the Office of the Comptroller of the Currency (OCC), the regulator of national banks, federal savings associations, and federal savings banks, issued additional guidance on the oversight and risk management of third-party relationships (Bulletin 2017-21). The guidance takes the form of responses to fourteen “frequently asked questions” about the OCC’s prior guidance in its Bulletin 2013-29. In that Bulletin, the OCC required banks to adopt risk management and oversight procedures for third-party relationships based on the level of risk and complexity of the applicable relationship. OCC Bulletin 2013-29 also outlined a recommended risk management process consisting of: (i) management planning, (ii) due diligence on third-party service providers, (iii) effective contract negotiation, (iv) ongoing monitoring, (v) contingency planning, (vi) oversight and accountability, (vii) proper documentation and reporting, and (viii) independent reviews.
In issuing the updated guidance, the OCC wished to call attention to the increased frequency and complexity of bank third-party relationships, including developments involving financial technology (Fintech) companies, and it addressed several areas of focus. The OCC’s guidance focuses on the responsibilities of bank boards and senior management in undertaking and overseeing risk management, special issues posed by Fintech companies, the ability of banks – particularly community banks – to collaborate with respect to risk management and oversight obligations, and the outsourcing of compliance obligations.
Board and Senior Management Duties
Bulletin 2013-29 stressed the importance of a bank’s board and senior management implementing a comprehensive and rigorous risk management and oversight program for third-party service providers that support “critical activities” – defined as significant bank functions, shared services, or other bank activities that could cause significant risks or customer effects, require significant investments, or have a major impact on bank operations on termination of the relationship. A key portion of such programs is robust due diligence and ongoing monitoring, reviewed by both senior management and the board.
Noting the difficulty certain banks have had in receiving all information necessary to conduct the type of due diligence review necessary when critical activities are at issue, particularly for new companies, Bulletin 2017-21 states that, in such a situation, the OCC expects a bank’s board and management to:
- develop alternative ways to assess such critical third-party service providers;
- establish appropriate mitigating controls;
- make appropriate preparations for potential interruptions in service;
- make risk-based decisions that such service providers are the correct choice notwithstanding the unavailability of certain information;
- retain appropriate documentation regarding the efforts to obtain relevant information and related decisions; and
- ensure that the contracts with the service providers appropriately address the bank’s needs.
In terms of how banks should structure their risk-management process, the OCC reiterated that there is no one way to do so, and that the process should be commensurate with the level of risk and complexity of the particular relationship. The OCC noted that some banks have dispersed accountability for the process among business lines, whereas others have centralized the process under compliance, information security, procurement, or risk management functions. The OCC did state, however, that “personnel in control functions such as audit, risk management, and compliance programs” should be involved. Moreover, the OCC emphasized that a bank’s board is ultimately responsible for the development of an effective risk management process, and that “periodic board reporting is essential to ensure that board responsibilities are fulfilled.”
Due to increased collaboration between Fintech companies and banks, Bulletin 2017-21 addresses the applicability of the OCC’s third-party risk management guidance to such companies. It states that Fintech companies (including third-party service providers in mobile payment environments) performing services for, or providing services to or on behalf of, a bank are considered third-party service providers under Bulletin 2013-29 and, accordingly, are subject to the third-party risk management process.
In complying with Bulletin 2013-29, banks should ensure that they are appropriately assessing the financial condition of Fintech companies, including, in certain circumstances, by an evaluation of such companies’ earnings, cash flow, access to funding sources, expected growth and potential borrowing capacity. The OCC also stated that, because only limited financial information may be available for certain Fintech companies, banks should ensure that appropriate contingency plans are developed to address interruptions or failures in service. In addition, if a bank’s board and management determine that a relationship with a Fintech company involves “critical activities,” the board and management should ensure that the bank complies with the comprehensive risk management process put in place for such critical activities. The OCC did indicate, however, that there is no express prohibition on entering relationships with Fintech companies that do not meet a bank’s lending criteria.
Bulletin 2017-21 also includes a lengthy response to a FAQ on banks’ relationships with marketplace lenders. The response states that a bank’s board and management should understand the relationships among the bank, the marketplace lender and borrowers, as well as the variety of risks – legal, strategic, reputational, operational – posed by the arrangements, and also evaluate the lender’s practices for compliance with applicable laws and regulations. The Bulletin warns that banks should have in place adequate loan underwriting guidelines, and that management should ensure that loans are underwritten to those guidelines. To address risks, banks’ due diligence on marketplace lenders should include consulting with appropriate business units – credit, compliance, finance, audit, operations, accounting, legal and information technology.
Recognizing the challenges that community banks face when complying with Bulletin 2013-29, Bulletin 2017-21 clarifies that banks may collaborate to meet certain risk management expectations, including due diligence, contract negotiation and ongoing monitoring, if such banks are using the same service providers for similar products or services. This collaboration can include alliances to create standardized contracts with common third-party service providers or standardized approaches to due diligence and monitoring, such as common security, privacy, and internal controls questionnaires.
Although the OCC does not intend to discourage collaboration, it stated that certain products and services may pose different levels of risk for individual banks and, accordingly, collaboration should not be viewed as sufficient to meet the totality of a bank’s responsibilities under Bulletin 2013-29. Individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as:
- integrating the use of product and delivery channels into the bank’s strategic planning process and ensuring consistency with the bank’s internal controls, corporate governance, business plan, and risk appetite;
- assessing the quantity of risk posed to the bank through the third-party service provider and the ability of the bank to monitor and control the risk;
- implementing information technology controls at the bank;
- ongoing benchmarking of service provider performance against the contract or service-level agreement;
- evaluating the third party’s fee structure to determine if it creates incentives that encourage inappropriate risk taking;
- monitoring the third party’s actions on behalf of the bank for compliance with applicable laws and regulations; and
- monitoring the third party’s disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank’s disaster recovery and business continuity plans.
In addition, the OCC stated that any bank collaboration should be conducted in accordance with the antitrust laws.
Finally, Bulletin 2017-21 provides that banks may use third parties to assist with their compliance obligations by outsourcing aspects of their compliance programs to them. Although outsourcing can be valuable, banks are required to monitor and ensure that the third parties comply with applicable consumer laws and regulations. Banks may use third-party service organization control reports prepared in accordance with the AICPA’s SSAE 18 to evaluate the internal controls and policies of a third party’s risk management program; at the same time, however, they should independently determine whether such reports are sufficient.
The issuance of Bulletin 2017-21 demonstrates that the OCC is attaching increased significance to the risk management issues created by third-party relationships – matching the increased use of third parties by banks themselves. In keeping with the general post-Financial Crisis emphasis on risk governance, the OCC is showing that in this context, too, it expects bank management and boards of directors to manage risk proactively. National banks, federal savings associations, and federal savings banks that do find the use of third parties and Fintech companies advantageous as a business matter should not forget that the OCC will expect them to identify clearly and manage prudently the risks created by such relationships.
This post comes to us from Gibson Dunn & Crutcher LLP. It is based on the firm’s client alert, “Office of Comptroller of Currency Provides More Guidance On Third-Party Business Relationships, Including Fintech Firms,” dated July 5, 2017, and available here.