U.S. banks need to be extra cautious when contracting with vendors to ensure that these third-party relationships are “safe and sound,” regulators warned Wednesday.
Regulators have been cautioning banks about their contracts with vendors and other business arrangements with outside firms — U.S. and foreign — for more than a year.
The Office of the Comptroller of the Currency Wednesday issued an “updated risk management guidance” for national banks and federal savings associations on third-party relationships.
“We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic,” said Comptroller of the Currency Thomas J. Curry. “This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”
Third-party arrangements include those between the bank and another entity, “by contract or otherwise.”
In June 2012, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau fined Capital One Financial after third-party call center employees allegedly misled consumers about some credit card add-on products.
To manage risks from third-party relationships, the OCC said that banks should:
- Develop a plan that outlines the bank’s strategy, identifies the inherent risks of the activity, and details how the bank will select, assess, and oversee the third party;
- Perform proper due diligence to identify risks and select a third-party provider;
- Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
- Conduct ongoing monitoring of the third party’s activities and performance;
- Execute a plan to terminate the relationship in a manner that allows the bank to transition the activities to another third party, bring the activities in-house, or discontinue the activities;
- Assign clear roles and responsibilities for overseeing and managing third-party relationships and the risk management process;
- Maintain proper documentation and reporting to facilitate oversight, accountability, monitoring, and risk management; and
- Conduct independent reviews of the risk management process to enable management to assess that the bank’s process aligns with its strategy and effectively manages risks from third-party relationships.