Viewpoint: They Mean It—They Really, Really Mean It! (November 2013)
By Karen Garrett, Stinson Morrison Hecker LLP
On Oct. 30, the Office of the Comptroller of the Currency released a new Risk Management Guidance (OCC 2013-29) that rescinds and replaces third-party risk management guidance from 2000 and 2009. The new guidance doesn’t break new ground in requiring that banks regulated by the OCC must manage third-party risk, but does provide more specificity than the earlier guidance. Fundamentally, the new guidance presses home the point that banks have been hearing in speeches from the Comptroller and other regulators, experiencing in examinations and observing in public enforcement orders: Even when a bank uses third parties to perform services, the bank’s board of directors and senior management have the responsibility to ensure that those services are performed in compliance with law and in a safe and sound manner.
While the guidance is issued by the OCC and technically applies only to national banks and federal thrifts, it is consistent with the requirements of the other bank regulators, including the Consumer Financial Protection Bureau (CFPB). Therefore, the guidance is instructive for all types of financial institutions and their service providers and should be read closely. In short, the guidance is further proof that the regulators really, really expect and will really, really require robust, well-planned and well-documented third–party risk management programs at the banks they regulate. And that means that service providers must be prepared to accept the consequences of these risk management requirements.
|“Even when a bank uses third parties to perform services, the bank’s board of directors and senior management have the responsibility to ensure that those services are performed in compliance with law and in a safe and sound manner.”|
The guidance discusses five phases in the life cycle of risk management—adding “termination” to the four phases that have been included in previous guidance. These phases, some highlights of the OCC’s discussion and some thoughts about how the guidance may affect banks and their service providers involved in prepaid are discussed below.
Strategy and Planning
This phase of risk management is often bypassed—or banks back into the strategy after already committing to a product or a counterparty. The guidance suggests that before entering into a third-party relationship, a bank’s senior management should develop a plan to manage the relationship. The management plan should be presented to and approved by the bank’s board of directors if “critical activities” (defined in the guidance) are involved. The management plan should include a laundry list of items set forth in the guidance, a few of which are:
- A discussion of the strategic purposes of the activity and how the arrangement aligns with the bank’s strategic goals, objectives and risk appetite. Assessing the complexity of the arrangement, including the potential for subcontractors and the likely degree of foreign-based support.
- A discussion of the potential financial benefits of the proposed activity and the estimated costs to control the risks (including direct and indirect costs, such as costs to augment or alter bank processes or systems, and, importantly, the cost of staffing to properly manage the third-party relationship).
- Assessment of how customers will interact with the third party and the potential impact the relationship with the third party will have on customers, specifically including consideration of the use of the customers’ confidential information, joint marketing and handling of customer complaints. The management plan should include plans to manage these impacts.
- Assessment of whether and how the activities are subject to specific laws and regulations (such as privacy, information security, Bank Secrecy Act/anti-money laundering).
- Detail how the third party will be selected, assessed and overseen, including monitoring for compliance with the contract.
It is important to understand that these details are to be addressed by the bank’s management before engaging a third party. For banks, this means that the decision to enter into an activity and engage a third party must be clearly documented—including a clear understanding of what the bank’s goals for the activity actually are and how those goals meet the bank’s overall business plan. The bank must document that it fully understands the risks in an activity or service. For program managers, processors and other service providers, this means that bank issuers are likely to have a clearer strategy and a clearer understanding of the risks of the activity or service and of the bank’s tolerance for risks—and will require more documentation and communication from the service provider about how the service provider’s operations will meet the bank’s objectives.
Due Diligence and Third–Party Selection
The requirement that a bank must engage in appropriate due diligence before doing business with a critical third party is old news. The guidance does make clear that the expected due diligence goes beyond objective questions of financial condition and operational capability. Some of the specific provisions in the guidance addressing the subjective considerations that should be considered in the due diligence process include the following requirements for the bank:
- Confirm that the strategy and goals of the third party do not conflict with the bank’s.
- Evaluate the third party’s legal and compliance program, expertise, processes and controls, and reputation. This means that the bank will make subjective decisions about whether the third party’s internal systems, compliance function and expertise are sufficient for the risks evidenced by the program. The bank also will subjectively analyze the third party’s reputation.
- Review the third party’s management and training of employees to determine if it is adequate, including whether and how it conducts background checks on employees and senior management and whether the company’s succession planning is adequate.
- Evaluate the third party’s ability to assess, monitor and mitigate risk from the use of subcontractors, wherever subcontractors are located.
|“The guidance is further proof that the regulators really, really expect and will really, really require robust, well-planned and well-documented third-party risk management programs at the banks they regulate.”|
The due diligence provisions included in the guidance require the banks to document a deeper, focused dive into a prospective third party’s operations. The real impact, however, is on the service providers that are facing such a review. If it is important for a bank to understand whether its strategy and goals are consistent with a service provider’s, it is therefore essential for a prospective third party to understand what its strategy and goals actually are, to articulate this strategy and to operate the business consistently with that strategy. Merely stating that the goals of a company are to “operate in compliance with law” is meaningless if those goals are not implemented operationally and culturally. For example, representing that a company intends to ensure the security of customer information but not conducting background checks on employees or adopting internal control processes to monitor access to information renders the representation meaningless. Service providers should expect that due diligence will reach beyond the company’s stated goals and will include confirmation that the company is taking appropriate steps to achieve those goals.
The guidance provides clear and specific information about issues that should be addressed in the contract between a bank and a critical third party. Most of these requirements have appeared in one form or another in many other regulatory publications. Some additional detail is provided in the guidance in a few areas, particularly around default and termination rights, customer complaint management and subcontracting. These details make clear that the contract should address:
- If the OCC directs the bank to terminate the contract, the contract may be terminated without penalty upon reasonable notice. The bank generally should be able to terminate the contract in a timely manner and “without prohibitive expense.”
- The allocation of responsibility for resolving customer complaints. Even if that responsibility is the third party’s, the bank should be provided a copy of each complaint and response as well as sufficient reporting information for the bank to analyze customer complaint activity. In short, complaint information is key.
- How and when subcontractors may be used, when the bank should be notified of the use of subcontractors and what activities should not be subcontracted. The language of the guidance reinforces concerns previously expressed by regulators concerning the use of subcontractors and requires the contract to detail the third party’s responsibility for managing and overseeing the subcontractors. The guidance also reiterates the regulatory concern for contracts with foreign-based third parties, pointing out that even with a choice of law provision, such contracts (and enforcement of the contracts) are still subject to the interpretation of foreign courts.
The requirements of the guidance with respect to contracts and contract terms are designed to directly address the concern of the OCC that operational risk—the risk of loss from the failure of people, processes, systems and external events—is the top safety and soundness concern at the OCC. Banks and their counsel must ensure that the interests of the bank and its customers are clearly protected in the contract terms. Termination rights (including in contracts with processors) are increasingly important—how can the bank exit a contract when the counterparty is not performing adequately—and how can that be measured? Service providers should see an increased focus on measurable service levels and clear consequences for failure to meet those service levels. To the extent a service provider uses subcontractors, the service provider needs to upgrade its downstream contracts to meet the requirements of the guidance and ensure that it has the systems, personnel and controls in place to adequately manage the risks of the bank’s services that are further outsourced—and can prove to the bank that it is in fact managing those risks.
The guidance requires that the bank must monitor the third party’s performance under the contract and should also, throughout the term of the relationship, monitor all of the due diligence activities that were performed prior to entering into the contract. Of course, the monitoring requirements are meaningless without adequate and appropriate termination rights or penalties if the third party is not performing or if due diligence reveals undue risk in continuing to do business with the third party. Among the items that should be reviewed are:
- The third party’s business strategy and reputation.
- The third party’s internal practices in identifying and addressing issues before the bank or outside auditors identify the issues.
- The third party’s ability to monitor and control subcontractors.
The OCC added termination to the phases of risk management. This means that the difficulties in terminating critical relationships—how the activities can be terminated or transitioned—is a matter that must be planned, included in contracts and implemented appropriately.
|“Merely stating that the goals of a company are to ‘operate in compliance with law’ is meaningless if those goals are not implemented operationally and culturally.”|
Effect of the Guidance
In addition to the five phases of risk management, the OCC addresses the accountability of bank boards of directors, management and employees for the risk management process. Again, this is not news. The regulators have been increasingly clear that bank boards of directors and senior management are directly accountable for third-party risk management. The guidance does rather specifically allocate responsibilities among a bank’s board of directors, senior bank management and bank employees who directly manage third-party risk. Clearly, however, the bank’s board is ultimately responsible for ensuring that an appropriate process is in place to manage third–party risks.
The effect on service providers also should be becoming clear: A third-party service provider that develops processes and controls designed to implement risk management processes and is able to document those processes and controls in a manner that improves the efficiency of a bank’s oversight function will be in a far better position as a service provider to banks than one that operates without this kind of documentation. The bottom line for a service provider is this: To do business with banks, its strategic objectives (both stated and unstated) need to align with a bank’s risk appetite, and its actual operations also should meet those objectives.
The OCC points out that failure to appropriately manage third-party risk can result in a violation of laws or unsafe and unsound practices. They will take all necessary corrective action in that event, including enforcement proceedings.
They really, really mean it.
Karen L. Garrett is a partner in the law firm of Stinson Morrison Hecker LLP in Kansas City, Mo. Karen’s practice includes representing financial institutions, program managers and other participants in payment and credit programs in addressing regulatory and compliance issues. She has been practicing in the financial services legal space for so long that she remembers the days before mobile phones, computers and the Internet—when payment products meant checks and debit cards were new. Karen can be reached at [email protected].
For example, Remarks by the Comptroller of the Currency, Institute of International Bankers Annual Washington Conference, March 4, 2013.