Banks need to practice effective risk management regardless of whether the bank performs the activity internally or through a third party, the Office of the Comptroller of the Currency said Wednesday.
A banking institution’s use of third parties doesn’t diminish the responsibility of its senior management to ensure that the activity is performed in a safe and sound manner and in compliance with related laws.
Banks continue to increase the number and complexity of relationships with both foreign and third parties. As a result, the OCC is concerned that the quality of risk management over these relationships may not be keeping pace with the risks associated with third parties.
"We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic," said Comptroller of the Currency Thomas Curry.
He added, "This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner."
Consequently, a bank needs to adopt risk management processes in conjunction with the level of risks and complexity of its third-party relationships.
Third-party relationships include business arrangements between the bank and another entity, by contract or otherwise.
Additionally, institutions should ensure appropriate risk management and oversight of third parties involving critical activities.
An effective risk management process throughout the cycle of the entities relationship includes plans that outline the bank’s strategy, proper due diligence in third party selection and written contracts that outline the rights and responsibilities of all parties.
Furthermore, a bank should perform oversight and accountability, documentation and reporting and independent reviews throughout the life cycle of the relationship as part of its risk management process.
For instance, conducting periodic independent reviews of the process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third parties.
Banks also need to execute a plan to terminate the relationship that allows the bank to transition the activities to another third party, bringing the activities in-house, or discontinuing the activities.