On October 30, the OCC issued updated risk management guidance for national banks and federal savings associations related to third-party relationships. Under the guidance, banks should:
- Develop a plan that outlines the bank’s strategy, identifies the inherent risks of the activity and details how the bank will select, assess and oversee the third party;
- Perform proper due diligence to identify risks and select a third-party provider;
- Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
- Conduct ongoing monitoring of the third party’s activities and performance;
- Execute a plan to terminate the relationship in a manner that allows the bank to transition the activities to another third party, bring the activities in-house or discontinue the activities;
- Provide for clear responsibilities for overseeing and managing third-party relationships and the risk management process;
- Maintain proper documentation and reporting to encourage oversight, accountability, monitoring and risk management; and
- Independently review the risk management process to enable management to assess that the bank’s process aligns with its strategy and effectively manages risks from third-party relationships.
The guidance rescinds OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” and OCC Advisory Letter 2000-9, “Third-Party Risk.”