News Updates by Bradley Martin


FRB Announces Guidance on Outsourcing Risk

Reposting the press release from December 5.


Press Release:

The Federal Reserve Board on Thursday released guidance reminding financial institutions it supervises to exercise appropriate risk management and oversight when using service providers.


The guidance describes factors financial institutions should consider when choosing a service provider and how service providers should be overseen. A service provider is defined as any organization or entity--such as a consultant--that enters into a contractual relationship with a financial institution to provide business functions or activities, such as accounting, auditing, loan review, compliance, and risk management.


The guidance does not discourage financial institutions from outsourcing activities to service providers, but says firms should be aware of the potential risks. If service provider relationships are not managed effectively, they may expose financial institutions to risks that can result in reputational problems, financial loss, or regulatory actions, according to the guidance.


Furthermore, the guidance states that the use of service providers does not relieve a financial institution's board of directors or senior managers of responsibility for the activities performed by service providers. Financial institutions are responsible for ensuring that all activities conducted by service providers comply with applicable laws and regulations and are consistent with safe and sound banking practices.


The guidance is applicable to state-chartered banks that are members of the Federal Reserve System, bank and savings and loan holding companies and their nonbank subsidiaries, and U.S. operations of foreign banking organizations. 


The OCC 3rd Party Relationship Guidance

On October 30, 2013, the Office of the Comptroller of the Currency (OCC) released new guidance regarding third-party relationships and outlined firm guidance regarding the risk management of these third parties. The bulletin rescinds the 12-year-old 2001-47 bulletin, which most FI Vendor Management Organizations (VMO) credit as the foundation and creation of their department. This is a significant update and every FI should be watching for the FRB and/or FDIC reaction, as it will likely light a fire under most VMO teams.

Prior to November 2001, most FIs did not have a vendor management group/person. Contracts and 3rd party relationships were typically managed by the business units with the support of legal. Simply put, 3rd party risk was not a focus.

The new guidance specifically addresses areas where the OCC felt banks were not properly addressing “the risks and direct and indirect costs involved in third-party relationships.” The OCC outlined concerns of inadequate due diligence and ongoing monitoring, explicitly calling out failures, such as not properly reviewing the “third party’s risk management practices.” The OCC continued to be heavily critical of banks’ contracting practices which “incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.” And they also raised concerns about banks not having a formal contract in place, relying on informal agreements with third parties.

Overall the OCC’s guidance puts a strong framework forward, replacing the general guidance they provided 12 years ago in OCC 2001-47.  
The new guidance outlines: 
  • Risk Management Life Cycle 
  • Planning
  • Due Diligence and Third-Party Selection
  • Contract Negotiations
  • Ongoing Monitoring 
  • Termination 
  • Oversight and Accountability
  • Documentation and Reporting
  • Independent Reviews
  • Supervisory Reviews of Third-Party Relationships
It is my expectation that the Federal Reserve Board (FRB) will be issuing something similar, if not specifically referencing this OCC bulletin as a “Best Practice.” Vendor Management Organizations should consider adopting this bulletin as their guidance, regardless of which Federal or State organization they are governed by. The practices outlined are direct and do represent a best practice for any VMO. One should review their current policy and procedures to determine if there are gaps.



