
Venminder Blog


Best Practices

OCC Spring 2018 Semiannual Risk Report Affects Third Party Risk Management

Jun 11, 2018 by Branan Cooper

The OCC recently released its semi-annual risk report for the spring of 2018. You can read the full report here.

Anyone who has been following the Office of the Comptroller of the Currency for several years knows that the OCC, as the prudential regulator for national banks, is known to have set the gold standard for third party risk management. While other agencies seem to be in flux, with the Bureau of Consumer Financial Protection (BCFP or CFPB) halting any new guidance and limiting enforcement actions for the time being and state regulatory agencies lining up to step in, the OCC continues its drumbeat of caution as it pertains to third party risk management.

In fact, one needs to look no further than page 17 of the semiannual report to see the stark statement that “operation risk remains elevated partly because of increasing cyber threats and use of third-party service providers”. This statement certainly makes it seem like they’re not going to relax standards any time soon.

In the executive summary alone, third party concerns are mentioned five different times, largely in conjunction with concentration risk and a reliance on outsourced services to replace key bank functions.

Excerpt from the OCC Spring 2018 Semiannual Risk Report

Rather than parrot their words, I found the following section to be particularly important, excerpted verbatim from the report:

“Use of Third-Party Service Providers Is Increasing, and Critical Operations Are Increasingly Concentrated in a Few Large Service Providers

Banks increasingly rely on third-party service providers. Reliance on third parties for payments, transaction processing, and other important functions creates a high level of risk for the banking industry. Banks’ implementation of effective risk management processes to manage third-party risk mitigates this exposure and results in a stable environment. Banks’ focus on third-party risk management has resulted in fewer open concerns and MRAs related to this area. Continued effective due diligence, change management, and ongoing monitoring are essential for banks to effectively manage risks associated with (1) the use of third-party service providers for critical services, (2) increasing interdependencies and interconnectivity, and (3) the implementation of new products and services offered through emerging financial technology firms that leverage innovative technologies and delivery channels.

Consolidation has increased among significant service providers. The consolidation has concentrated reliance on a smaller group of third parties providing critical services, resulting in large numbers of banks, especially community banks, relying on a few large service providers for core systems and operations support.”

If there’s any doubt that third parties will be a focus in the upcoming examination cycle and in daily management activities, that excerpt should remove the uncertainty. As published by J.D. Supra here, a recent analysis of the risk report by Ballard Spahr echoed many of these same concerns, noting in particular the concentration risk referenced above, as well as the increasing concerns over cybersecurity related to new innovative products and services.

5 Vendor Risk Management Things to Do Next

So, what should we all be doing? Let’s think about five important takeaways:

  1. Even if you’re not an OCC bank, it’s worth taking note of these observations in order to keep your third party practices up to best-in-class specifications.

  2. Brief your risk committee and board on the concerns raised in the report and invite discussion of what steps are prudent.

  3. Given the report’s specific mention of due diligence and ongoing monitoring, it’s a great time to make sure that your practices are thorough, sound and can be evidenced through ample work product.

  4. Engage your information security group and discuss where your institution is in its use of the cybersecurity assessment tool (CAT), if applicable, and other steps you’re taking to address cyber concerns (pro tip: document the conversation – always good to be able to evidence it in writing).

  5. Take a back-to-basics approach and be sure that your program documents are up-to-date and that you feel comfortable with the timeliness of your due diligence, risk assessment, ongoing monitoring and board reporting. If you do not, now is definitely the time to play “catch up”.

The spring report reflects many of the same concerns as raised last fall – so perhaps that’s good, but I look at it a slightly different way – as a second warning. The OCC is known for its in-depth requirements from a lifecycle management perspective as it pertains to third party risk management; this report is no different. It’s both timely and gives terrific insight into their specific concerns. The report, at only 29 pages in length, can be easily read and viewed in line with your current program documentation. Take the time needed to see how your program stacks up and heed the concerns raised in the report.


Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has more than 25 years of experience in the financial services industry with a focus on the management of internal processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan joined Venminder from the Bancorp Bank where he held the position of Senior Vice President and Director of Third Party Risk Management. He was instrumental in creating their Third Party Risk Management Program and implementing numerous enterprise-wide initiatives. Branan has held similar positions with PartnersFirst, the credit card division of Western Alliance Bancorp, and at MBNA America, as an Executive Vice President working as part of the risk management/compliance integration team as the company was acquired by Bank of America. Branan is frequently featured as a speaker at industry events, addressing topics on operational and compliance aspects of third party risk. Branan received his undergraduate degree from Duke University, and he completed the Graduate School of Retail Bank Management (CBA) and the Graduate School of Compliance Management (ABA).
