Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

Bank Regulator Issues New Guidance on Third-Party Risks

Joe Mont | October 30, 2013

The Office of the Comptroller of the Currency on Wednesday updated its risk management guidance for the third-party relationships of national banks and federal savings associations. The use of third parties, contractual or otherwise, does not diminish the responsibility of the board and management to ensure that all activities conform to sound banking practices and applicable laws,warns OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance."

The guidance notes that banks face new or increased operational, compliance, reputation, strategic, and credit risks when they engage in third-party relationships. The OCC advises them to adopt risk management processes commensurate with the inherent risk and complexity of their third-party relationships. As such, it expects more comprehensive oversight and management of third-party relationships that involve critical bank activities.

To manage risks from third-party relationships, the guidance says banks should:

  • Develop a plan that outlines the bank's strategy, identifies the inherent risks of those activities, and details how it will select, assess, and oversee third parties.
  • Perform proper due diligence to identify risks when selecting the services of a third-party provider.
  • Negotiate written contracts that clearly outline the rights and responsibilities of all parties.
  • Conduct ongoing monitoring of the third party's activities and performance.
  • Execute a plan to terminate the relationship in a manner that allows the bank to transition services to another third party, bring the activities in-house, or discontinue them altogether.
  • Assign clear roles and responsibilities for overseeing and managing third-party relationships.
  • Maintain proper documentation and reporting to facilitate oversight, accountability, and monitoring.
  • Conduct independent reviews of the risk management process and management of third-party relationships.

“We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks' third-party relationships, both foreign and domestic,” Comptroller of the Currency Thomas Curry said in a statement. “This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”