Pub. 12 2017-2018 Issue 2

www.nebankers.org 14 Extraordinary Service for Extraordinary Members.

■ Counselor’s Corner — continued from page 13

Interagency technology service provider reports of examination may be available to banks with respect to significant service providers. Because such reports are available only to banks that have a contract with the service provider at the time of the examination, this will typically be more useful for ongoing monitoring purposes rather than upfront diligence.

Banks may review a third party’s Service Organization Control (SOC) report prepared in accordance with AICPA SSAE 18 to evaluate the effectiveness of the third party’s risk management program. The OCC indicates that banks may find this particularly useful when dealing with third parties that use subcontractors because the report will address whether there is effective oversight of subcontractors. The bank should still consider whether the report is sufficient to properly address the third party’s control environment.

Supplemental Examination Procedures

In January 2017, the OCC issued Supplemental Examination Procedures for Risk Management of Third Party Relationships. The procedures contain numerous objectives and examination procedures. An initial scope determination must be made (based on certain objectives spelled out by the OCC), and the OCC indicates that “[s]eldom will every objective or step of the expanded procedures be necessary.” The examination procedures are structured to determine both the quantity and quality of the bank’s third party risks.

Quantity of Risk

Quantity of risk examination procedures begin with an assessment of whether the bank has a full inventory of its third party relationships. This may include an assessment of whether the bank identifies third party relationships that involve critical activities, subcontractors, affiliates, foreign-based entities, domestic entities that engage in foreign transactions, and technology-based services storing bank data. Quantity of risk determinations are then broken down into procedures for operational, compliance, reputation, strategic, and credit risk. Although not every objective or procedure may be relevant in each examination, banks may wish to consider the full set of these objectives and procedures to evaluate any deficiencies if examined in any one of those particular areas. Examples of the sorts of things the OCC may seek to review include (but are not limited to):

• the bank’s methodology for identifying concentrations of risk, whether there is reliance on a single third party for multiple activities (particularly critical activities), and whether there are geographic concentration risks;
• the method for determining whether third parties are foreign-based;
• whether legal advice has been sought on enforcement of contracts with foreign-based third parties;
• whether the bank researched country risks (stability, government, legal structure, applicable law, economic situation) and risks of natural disasters and disasters of human origin in that country, and whether the bank does this research on an ongoing basis;
• the bank’s methodology for determining whether third parties use subcontractors;
• whether a contract has a limitation of liability provision and documentation of an analysis of whether the limitation is proportional to the risks the bank might experience;
• whether the bank conducts sufficient research to assess intellectual property infringement risks;
• whether the bank has conducted due diligence as to the existence of publicly known outstanding issues with regulators or law enforcement that pertain to the third party;
• appropriate contract provisions on customer complaints, as well as the bank’s ongoing monitoring in that area, including whether the bank periodically reviews online activity, publicity, public reports, or social media for adverse events;
• the bank’s ability to effectively monitor third parties;
• comparison of costs between outsourcing and internal provision and estimated return on investment in relation to risk; and
• controls to maintain lending volume within the bank’s plans.

Quality of Risk

Quality of risk examination procedures address policies, processes, personnel, and control systems. Process considerations are broken down according to the OCC’s life cycle phases of planning, due diligence and third party selection, contract
