• Industry: Financial Services
• Type: Regulatory update
• Date: 11/19/2013

New risk management guidance for third-party relationships 

The Office of the Comptroller of the Currency (OCC) released new risk management guidance on assessing and managing risks associated with third-party relationships.[1]

The guidance, OCC Bulletin 2013-29, dated October 30, 2013, notes that US national banks and federal savings associations (collectively, banks) continue to increase the number and complexity of relationships with both foreign and domestic third parties. The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.

In the guidance, the OCC requires banks to have effective risk management processes regardless of whether the bank performs an activity internally or through a third party. To be effective, the OCC states that the third-party risk management process should follow a continuous life cycle for all relationships and include the following phases: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

Of note, OCC 2013-29 also requires senior management to ensure that periodic independent reviews are conducted on the third-party risk management process, particularly when a bank involves third parties in critical activities. The bank’s internal auditor or an independent third party may perform the reviews, and senior management should ensure the results are reported to the board.

Key Takeaway – Banks should assess their current third-party risk management process against the requirements of OCC 2013-29, including the independent review requirement.

KPMG can assist our bank clients with an “OCC 2013-29 readiness assessment” as well as help develop plans for and execute periodic independent reviews of the third-party risk management process. KPMG has a wealth of experience assisting financial services clients in evaluating their third-party management programs to meet heightened supervisory requirements, including the linkage to the OCC’s “Get to Strong” principles.

For further information, please contact John Ivanoski, Hugh Kelly or Greg Matthews.

[1] A third-party relationship is defined as any business arrangement between a bank and another entity, by contract or otherwise. Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records.
