On October 30, 2013, the Office of the Comptroller of the Currency (the “OCC”) issued updated guidance to national banks and federal savings associations on assessing and managing risks associated with third-party relationships, which include all business arrangements between a bank and another entity (by contract or otherwise). The new guidance introduces a “life cycle” approach to third-party risk management, requiring comprehensive oversight throughout each phase of a bank’s business arrangement with consultants, joint ventures, affiliates, subsidiaries, payment processors, computer network and security providers, and other third parties. Rather than mandating a uniform set of rules, however, the guidance instructs banks to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. Accordingly, the OCC expects especially rigorous oversight of third-party relationships that involve certain “critical activities.”
The revamped guidance reflects the OCC’s concern that the increasing risk and complexity of third-party relationships are outpacing the quality of banks’ risk management over these outsourcing arrangements. The guidance cautions that a bank’s failure to implement appropriate third-party risk management processes may constitute an unsafe and unsound banking practice, and could prompt formal enforcement actions or a downgrade in a bank’s CAMELS management rating to less than satisfactory. The severity of these consequences suggests that third-party risk management practices are becoming an increasingly important focus of OCC supervisory efforts.