Alert November 12, 2013

OCC Releases Guidance on Third-Party Relationships

The OCC issued guidance to national banks and federal savings associations in assessing and managing risks related to third-party relationships. The OCC defines a third-party relationship as “any business arrangement between a bank and another entity, by contract or otherwise.” In the guidance, the OCC states that a bank’s failure to have an effective risk management process that is “commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.” Specifically, the OCC’s supervisory expectation is that a bank will (throughout the life cycle of each third-party relationship) manage its third-party relationship risks by taking the certain actions, including developing a plan that outlines the bank’s strategy, identifies the inherent risks of the activity, and details how the bank will select, assess, and oversee the third party; performing proper due diligence to identify risks and select a third-party provider; conducting ongoing monitoring of the third party’s activities and performance; and conducting independent reviews of the risk management process to enable management to assess that the Bank’s process aligns with its strategy and effectively manages risks from third-party relationships, among other things.