You Are Your Brother’s Keeper: OCC Guidance on Third-Party Vendors

February 13, 2014

Last week we notified you about In re Fundtech et al., a joint FDIC/OCC enforcement action against financial services technology service providers. In the Fundtech action, the regulators found that the service providers operated without: (1) an internal auditor or an integrated, risk-focused audit program; (2) a comprehensive due diligence program; (3) an enterprise-wide risk assessment program to identify the risks and vulnerabilities associated with their assets; (4) an effective business continuity or disaster recovery plan; (5) effective patch management procedures to identify and address software vulnerabilities; or (6) an effective log review program to detect, identify and act on potential threats in a timely manner.

We believe In re Fundtech signals federal banking regulators’ increased focus on risk management and heralds further enforcement actions against community and midsize banks that do not quickly take steps to comply with the OCC’s Oct. 30, 2013, Guidance on Third-Party Relationships (the “Third-Party Guidance”). The Third-Party Guidance directs national banks and federal savings associations on how to assess and manage the risks associated with third-party relationships.

The Third-Party Guidance requires comprehensive supervision through each phase of a bank’s relationship with third parties, including, but not limited to, loan servicers, underwriters, consultants, subsidiaries, payment processors, and computer network and security contractors. The guidance is not strictly prescriptive. Rather, in keeping with other regulatory guidance in this area issued by the FFIEC and the SEC, it instructs banks to adopt risk-based processes proportionate to the level of risk inherent in each third-party relationship. In practice, this means detailed oversight of “critical activities” and lighter oversight of incidental activities.

The Third-Party Guidance is detailed and provides in-depth direction for monitoring third-party relationships. Effective third-party risk management programs will include the following phases:

  • Planning
  • Due Diligence and Third-Party Selection
  • Contract Negotiation
  • Ongoing Monitoring
  • Oversight and Accountability
  • Documentation and Reporting
  • Independent Review/Audit
  • Termination

We expect small to midsize banks will face increased pressure to meet these goals quickly and economically. McGuireWoods LLP’s community banking, data privacy and security, procurement and sourcing, and regulatory lawyers have experience helping financial services clients create, implement and sustain risk-based third-party relationship monitoring programs efficiently, and we are prepared to guide our clients through this era of increased regulatory burden.

Please contact the author or your regular McGuireWoods lawyer if you have any questions regarding the Third-Party Guidance.