Feb 08, 2017

OCC offers detailed view of third-party risk exams

Companies paying greater attention to arrangements with outside entities

Compliance and legal teams have been given insight into what regulators will be looking for when they assess how banks handle potential risks raised by dealing with outside entities, an area that has gained greater prominence with the growth of cyber-attacks.

The Office of the Comptroller of the Currency (OCC) late last month released supplemental exam procedures designed to promote consistency when its staffers examine national banks and federal savings associations’ risk management of third-party relationships.

According to the office, the procedures are designed to help examiners:

  • Tailor the examination of each bank based on the level of risk and complexity of its third-party relationships
  • Assess the quantity of the bank’s risk associated with its third-party relationships
  • Assess the quality of the bank’s risk management of third-party relationships involving key activities
  • Determine whether there is an effective risk-management process throughout the life cycle of the third-party relationship.

Dealing with third parties can create problems in many ways, but has become a more high-profile issue of late. For example, the SEC and US Department of Justice have in recent years placed greater emphasis on compliance with the FCPA – and have imposed several penalties costing hundreds of millions of dollars each.

The FCPA is intended to stamp out bribery and corruption by US companies operating around the globe. As a result of the regulatory focus, companies have paid greater attention to their dealings with outside entities overseas, particularly with regard to working with foreign governments and state-owned enterprises.

The rapid emergence of cyber-threats has also shone a spotlight on companies’ relationships with each other, in terms of both regulatory compliance and security. Among other things, corporations are paying more attention to contractual arrangements and oversight of vendors to ensure they are following best practices.

The OCC press office did not respond immediately to a request for comment.


TYPES OF RISK
Writing in the OCC’s new paper, officials say that determining the scope of an exam should take into account work performed in related areas by internal and external auditors, risk and compliance functions and examiners. Under the procedures, banks can expect OCC officials to discuss with management whether there have been or will be any material changes in third-party relationships or the third-party risk-management process.

Examiners will also seek to obtain and review a wide variety of information including board of directors or designated board committee meeting minutes; lists of key people, organizational charts, committees and governance structures supporting the third-party risk-management process; and policies and procedures.

The 20-page procedure document considers a number of types of risk. In terms of assessing the quantity of operational risk associated with a bank’s use of third parties, OCC officials will, for example, determine whether there are any concentrations among such relationships by:

  • Reviewing the bank’s methodology for identifying concentrations among third-party relationships
  • Determining whether there are concentrations due to the bank’s reliance on a single third party for multiple activities
  • Determining whether there are geographic concentrations where the bank’s own operations, the operations of its third parties or the operations of third parties’ subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.

Compliance risk is among the other areas identified. The procedures state that, to determine the quantity of compliance risk associated with the use of third parties, examiners will take steps such as determining:

  • Whether any of the bank’s third-party relationships are with affiliates
  • Whether any concerns are identified in a report by internal audit or an independent third party that regularly reviews the bank’s products, services, transactions or systems associated with third-party relationships for compliance with all applicable laws and regulations, including US economic sanctions
  • Whether the bank conducts sufficient research to confirm that a license or technology it uses does not violate third parties’ intellectual property rights
  • Whether and how often the bank reviews third parties’ policies, procedures and independent audit reports for compliance with all applicable laws and regulations.

With regard to the quality of a bank’s risk management, OCC officials will seek to determine whether the board has adopted effective policies that are consistent with safe and sound banking practices and are appropriate to the size, nature and scope of the bank’s third-party relationships. Among other things, examiners will consider whether policies regarding its third-party relationships establish responsibilities and accountability, risk limits and actions to be taken if limits are breached, and criteria for defining critical third parties.

In terms of risk-management processes, officials will determine, among other things:

  • How the bank identifies all of its third-party relationships
  • How often the bank reviews the risk ranking of third-party relationships
  • Whether management has a process for escalating significant issues or concerns to the board
  • Whether management has appropriately integrated the third-party risk-management process into the bank’s enterprise risk-management framework
  • Whether the bank has an effective third-party risk-management process throughout the life cycle of each third-party relationship.

Ben Maiden

Ben Maiden is the editor-at-large of Governance Intelligence, an IR Media publication, having joined the company in December 2016. He is based in New York. Ben was previously managing editor of Compliance Reporter, covering regulatory and compliance...