The guidance, OCC Bulletin 2013-29, dated October 30, 2013, notes that US national banks and federal savings associations (collectively, banks) continue to increase the number and complexity of relationships with both foreign and domestic third parties. The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.
In the guidance, the OCC requires banks to have effective risk management processes regardless of whether the bank performs an activity internally or through a third party. The OCC states that, to be effective, the third-party risk management process should follow a continuous life cycle for all relationships and include the following phases: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
Of note, OCC 2013-29 also requires senior management to ensure that periodic independent reviews are conducted on the third-party risk management process, particularly when a bank involves third parties in critical activities. The bank’s internal auditor or an independent third party may perform the reviews, and senior management should ensure the results are reported to the board.
Banks should assess their current third-party risk management process against the requirements of OCC 2013-29, including the independent review requirement.
KPMG can assist our bank clients with an “OCC 2013-29 readiness assessment” as well as help develop plans for and execute periodic independent reviews on the third-party risk management process. KPMG has a wealth of experience assisting financial services clients in evaluating their third-party management programs to meet heightened supervisory requirements, including the linkage to the OCC’s “Get to Strong” principles.
For further information, please contact John Ivanoski, Hugh Kelly or Greg Matthews.
1. A third-party relationship is defined as any business arrangement between a bank and another entity, by contract or otherwise. Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records.