Pub. 12 2017-2018 Issue 2

www.nebankers.org Extraordinary Service for Extraordinary Members.

COUNSELOR’S CORNER

Update on Risk Management of Third Party Relationships

Bryan Handlos, Kutak Rock LLP

“NO MAN IS AN ISLAND . . .” Banks, at least as much as any other business, are heavily dependent on a web of supporting third party relationships. Third party risk management is nothing new to banking, but it continues to evolve and has become a more sophisticated affair than in its earliest days of checklists and risk management basics. The OCC’s most recent contributions in this field, both issued this year, are a set of Frequently Asked Questions (FAQs) and its Supplemental Examination Procedures for Risk Management of Third Party Relationships.

Frequently Asked Questions

On June 7, 2017, the OCC issued FAQs on risk management of third party relationships.[1] The FAQs supplement the OCC’s existing guidance.[2] Experienced bank risk management teams may not find many huge surprises here. Surprises or not, risk managers and responsible senior management may wish to take this opportunity to evaluate whether their bank’s third party risk management should be updated on some of the topics addressed by the FAQs:

Scope & Structure Issues

The OCC makes clear that banks must manage the risks of a broad range of third party relationships. Third party risk management is more than just vendor management. “Third party relationships” cover “any business arrangement between the bank and another entity, by contract or otherwise.” This includes, among other things, outsourced products and services, networking arrangements, merchant payment processing services, services provided by affiliates, and joint ventures. The Supplemental Examination Procedures issued by the OCC earlier this year (discussed further below) list some examples that banks may mistakenly fail to consider in this area, such as services provided by or to other banks, financial market utilities (e.g., DTC, CHIPS, SWIFT, Fedwire and FedACH, Mastercard, and Visa), debt originators (e.g., mortgages and auto dealers), government-sponsored enterprises (GSEs) like Fannie and Freddie, attorneys, and referral arrangements. “Third party relationships” generally do not include customer relationships.

Low-risk relationships are not excluded. In response to a question about lowering costs for low risk relationships, the OCC indicates that the level of diligence and monitoring may differ for each third party relationship; that level should be consistent with the level of risk and complexity posed by the relationship. Board-established policies should be followed for low risk relationships. Risk assessments should be periodically updated, and not just performed once at the start of the relationship.

In a similar vein, the OCC confirms there is not just one way to structure third party risk management. For example, some banks have dispersed responsibility among their individual business lines. Others have centralized management under compliance, information security, procurement, or risk management functions. Regardless of where accountability may reside, the relevant business lines can provide valuable input. Personnel in control functions such as audit, risk management, and compliance also should be involved. The board, of course, retains ultimate responsibility, and periodic board reporting remains essential.

Collaboration

Banks are permitted to collaborate[3] on diligence, monitoring, and contract
