Collaboration among financial institutions is how many banks today are enhancing their third-party risk management programs.
Although collaboration is not a new concept among banks, the Office of the Comptroller of the Currency (OCC) recently endorsed it as an acceptable means for banks to alleviate the significant cost burdens associated with a third-party risk management (TPRM) program. That endorsement came in the form of a supplemental guidance (Bulletin 2017-21) the OCC issued in June, which discussed, among other areas, the use of collaboration for managing third-party relationships.
The OCC guidance should come as a welcome development for compliance and risk officers in the financial services industry, as it provides banks substantial flexibility to enhance their own individual third-party risk management programs. “They’re really embracing a best-practices approach and one that gives us all more guidance and instruction on what we need to be doing to make sure the regulators are happy,” Brad Keller, senior director of third-party strategy at Prevalent, said during a recent Compliance Week Webinar on the OCC guidance.
OCC Bulletin 2017-21 was issued in response to questions submitted by banks as a follow-up to OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.” Issued in 2013, Bulletin 2013-29 provides a comprehensive framework for banks for assessing and managing risks associated with third-party relationships.
In Bulletin 2017-21, in response to questions about collaboration, the OCC responded that when banks use the same service providers to secure or obtain like products or services, they may collaborate to meet certain expectations described in OCC Bulletin 2013-29—such as performing due diligence, contract negotiation, and ongoing monitoring responsibilities. “Collaboration can leverage resources by distributing costs across multiple banks,” the OCC stated.
The OCC further stated that banks may take advantage of various tools designed to help them evaluate third-party service provider controls. In general, these types of tools offer standardized approaches to perform due diligence and ongoing monitoring of third-party service providers by having participating third parties complete common security, privacy, and business resiliency control assessment questionnaires. Once third parties complete the questionnaires, the results can be shared with banks.
To gauge how banks are embracing collaboration as outlined in Bulletin 2017-21, Compliance Week conducted an online poll during the Webinar. In that poll, the plurality of respondents (44 percent) said their institution “fully understands the benefits of a more collaborative approach and is investigating how to leverage them in our TPRM program.”
The second highest number of respondents (33 percent) said that their “institution is unsure how to utilize/execute a collaborative approach in our TPRM program,” while another 15 percent answered that their institution is “actively engaged in collaboration with other banks with whom we share common third-party service providers.” Nine percent said their institution is “unsure of the actual benefits from a collaborative approach.”
Executing collaborative efforts. Compliance officers and risk officers at banks seeking guidance on how to execute a collaborative approach in their TPRM program may want to check out a policy paper issued by the OCC in 2015. That policy paper described a variety of ways that banks currently collaborate, including through the exchange of information and ideas.
Other collaborative efforts used by banks, the OCC said, include:
Jointly purchasing materials or services;
Sharing back-office or other services;
Sharing a specialized staff member or team;
Jointly owning a service organization;
Participating in disaster mitigation agreements; and
Jointly providing/developing products and services.
OCC Bulletin 2017-21 also discussed collaboration opportunities to help mitigate cyber-threats to banks, as well as to their third-party relationships, including engaging with information-sharing organizations. “Banks participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyber-attacks on their systems,” the OCC noted.
The OCC cited a variety of information-sharing organizations that help banks monitor cyber-threats and vulnerabilities and enhance risk management and internal controls. These organizations include the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT), and InfraGard, among others. Banks also may use the FS-ISAC to share information with other banks, the OCC said.
Bank-specific responsibilities. The OCC has repeatedly warned, however, that collaboration cannot be used to satisfy all oversight responsibilities, particularly third-party risk management processes that must be tailored to each bank’s specific needs. Examples of individual bank-specific responsibilities include:
Integrating the use of product and delivery channels into the bank’s strategic planning process and ensuring consistency with the bank’s internal controls, corporate governance, business plan, and risk appetite.
Assessing the quantity of risk posed to the bank through the third-party service provider and the ability of the bank to monitor and control the risk.
Implementing information technology controls at the bank.
Ongoing benchmarking of service provider performance against the contract or service-level agreement.
Evaluating the third party’s fee structure to determine if it creates incentives that encourage inappropriate risk taking.
Monitoring the third party’s actions on behalf of the bank for compliance with applicable laws and regulations.
Monitoring the third party’s disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank’s disaster recovery and business continuity plans.
Furthermore, the OCC stressed that any collaborative activities among financial institutions must comply with antitrust laws, and that banks should take appropriate steps to ensure compliance with these laws. In this regard, financial institutions should review the Federal Trade Commission and U.S. Department of Justice’s joint “Antitrust Guidelines for Collaborations Among Competitors.”
Ongoing monitoring. Another focus area for examiners is what banks are doing from an ongoing monitoring standpoint for each of the bank’s third-party service providers that support critical activities, a topic Bulletin 2017-21 also discussed in some detail.
OCC’s 2013 guidance provides specific criteria that a bank’s board and management may use to identify its critical activities, but some examples can include significant bank functions—such as payments, clearing, settlements, and custody—or significant shared services, such as information technology.
Below are the polling results from the Compliance Week webinar.
Polling Question #1: Please indicate which answer best describes your institution’s response to OCC Examination Procedures like OCC 2017-07:
My institution treats examination procedures the same as any other guidance or regulation that requires the bank’s compliance (52 percent)
My institution uses them as an indicator of what we need to have in place to prepare for examinations (32 percent)
My institution treats them as informational only as they dictate examiner activity, rather than bank compliance requirements (16 percent)
Polling Question #2: Please indicate which answer best describes your institution’s response to the third party risk recommendations for collaboration outlined in OCC 2017-21:
My institution fully understands the benefits of a more collaborative approach and is investigating how to leverage them in our TPRM program (44 percent)
My institution is unsure how to utilize/execute a collaborative approach in our TPRM program (33 percent)
My institution is actively engaged in collaboration with other banks with whom we share common third-party service providers (15 percent)
My institution is unsure of the actual benefits from a collaborative approach (9 percent)
Source: Compliance Week
Other potential critical activities may be those that:
Could cause the bank to face significant risk if a third party fails to meet expectations;
Could have significant bank customer impact;
Require significant investment in resources to implement third-party relationships and manage risks; or that
Could have a major effect on a bank’s operations if the bank must find an alternative third party or if the outsourced activities must be brought in-house.
When a bank does not receive all the information it seeks about third-party service providers that support the bank’s critical activities, the OCC said it expects the bank’s board of directors and management to:
Develop alternative ways to analyze these critical third-party service providers;
Establish risk-mitigating controls;
Be prepared to address interruptions in delivery—multiple payment systems and multiple telecommunications lines in and out of critical sites, for example;
Ensure that contracts meet the bank’s needs; and
Retain appropriate documentation of all related decisions and efforts to obtain information.
Ongoing monitoring involves looking not just at the bank’s third parties’ threat environments, including areas outside of contractual requirements, but also at the threat environment of those third parties’ subcontractors. Areas to monitor could include legal activity that could impair the third party’s ability to deliver services; regulatory actions; financial viability; operational issues such as a merger, an acquisition, or any senior-leadership changes; or brand and reputational issues.
“Ongoing monitoring lets you address issues before they become events,” said Keller, who has been developing and leading risk management programs for more than 25 years. For example, a third-party vendor doesn’t have to alert a bank to a data breach that occurred at a data center other than where the bank’s sensitive data is stored, but that’s something the financial institution ought to know, because both locations likely employ the same IT security controls, he said. Thus, the bank’s chief compliance or risk officer should have that conversation with that third-party vendor to determine what they’re doing to address that threat.
Another critical piece to ongoing monitoring is documentation. Examiners are going to want to see how the bank’s compliance function is executing ongoing monitoring and evaluating third parties’ processes against the bank’s specifically identified criteria, Keller said.
“No matter how robust the bank’s third-party risk management processes are, if those efforts are not documented and compliance cannot provide actual evidence of that process, the OCC, for all intents and purposes, will treat those efforts as non-existent,” Keller said. “It becomes something they view more as aspirational on behalf of the institution, as opposed to something they can say the institution is, in fact, actually doing.”
A third helpful guidance document for compliance and risk professionals in financial services to peruse is OCC Bulletin 2017-07, because it describes the examination procedures OCC examiners may use when examining a bank’s risk management of third-party relationships. “If you haven’t looked at 2017-07, I would suggest you do, particularly if you think you’re up for an examination soon,” Keller said.
In another polling question provided during the Compliance Week Webinar, respondents were asked to describe their financial institution’s response to OCC examination procedures. Most (52 percent) said they treat them the same as any other regulation, while 32 percent said they treat them as an “indication of preparedness.”
Another 16 percent of respondents said they treat OCC examination procedures as informational, rather than as a regulatory requirement. “The best approach,” Keller said, “is to treat it as any other regulation.”