For anyone who has been following the Office of the Comptroller of the Currency for several years, you know that the OCC, as the prudential regulator for national banks, is known to have set the gold standard for third-party risk management. While other agencies seem to be in flux, with the Bureau of Consumer Financial Protection (BCFP or CFPB) halting any new guidance and limiting enforcement actions for the time being and state regulatory agencies lining up to step in, the OCC continues its drumbeat of caution as it pertains to third-party risk management.
In fact, one needs to look no further than page 17 of the semiannual report to see the stark statement that “operational risk remains elevated partly because of increasing cyber threats and use of third-party service providers”. This statement certainly makes it seem like they’re not going to relax standards any time soon.
In the executive summary alone, third-party concerns are mentioned five different times, largely in conjunction with concentration risk and a reliance on outsourced services to replace key bank functions.
Excerpt from the OCC Spring 2018 Semiannual Risk Report
Rather than paraphrase, here is the section I found particularly important, excerpted verbatim from the report:
“Use of Third-Party Service Providers Is Increasing, and Critical Operations Are Increasingly Concentrated in a Few Large Service Providers
Banks increasingly rely on third-party service providers. Reliance on third parties for payments, transaction processing, and other important functions creates a high level of risk for the banking industry. Banks’ implementation of effective risk management processes to manage third-party risk mitigates this exposure and results in a stable environment. Banks’ focus on third-party risk management has resulted in fewer open concerns and MRAs related to this area. Continued effective due diligence, change management, and ongoing monitoring are essential for banks to effectively manage risks associated with (1) the use of third-party service providers for critical services, (2) increasing interdependencies and interconnectivity, and (3) the implementation of new products and services offered through emerging financial technology firms that leverage innovative technologies and delivery channels.
Consolidation has increased among significant service providers. The consolidation has concentrated reliance on a smaller group of third parties providing critical services, resulting in large numbers of banks, especially community banks, relying on a few large service providers for core systems and operations support.”
If there’s any doubt that third parties will be a focus in the upcoming examination cycle and in daily management activities, that should remove the uncertainty. A recent analysis of the risk report by Ballard Spahr, published by J.D. Supra, echoed many of these same concerns, noting in particular the concentration risk referenced above as well as the increasing cybersecurity concerns related to new and innovative products and services.
5 Vendor Risk Management Things to Do Next
So, what should we all be doing? Let’s think about five important takeaways:
- Even if you’re not an OCC bank, it’s worth taking note of these observations in order to keep your third party practices up to best-in-class specifications.
- Brief your risk committee and board on the concerns raised in the report and invite discussion of what steps are prudent.
- Noting their specific mention of due diligence and ongoing monitoring in the report, it’s a great time to make sure that your practices are thorough, sound and can be evidenced through ample work product.
- Engage your information security group and discuss where your institution is in its use of the cybersecurity assessment tool (CAT), if applicable, and other steps you’re taking to address cyber concerns (pro tip: document the conversation – always good to be able to evidence it in writing).
- Take a back-to-basics approach and be sure that your program documents are up-to-date and that you feel comfortable with the timeliness of your due diligence, risk assessment, ongoing monitoring and board reporting. If you do not, now is definitely the time to play “catch up”.
The spring report reflects many of the same concerns as were raised last fall. Perhaps that’s good, but I look at it a slightly different way: as a second warning. The OCC is known for its in-depth, lifecycle-based requirements for third-party risk management, and this report is no different. It is timely and gives terrific insight into the agency’s specific concerns. At only 29 pages in length, the report can easily be read and reviewed alongside your current program documentation. Take the time needed to see how your program stacks up and heed the concerns raised in the report.
Check out our infographic for a fun way to make sure you’re keeping up with the gold standard of vendor risk management.