Pub. 12 2017-2018 Issue 2
July/August 2017 15 Extraordinary Service for Extraordinary Members.

For more information, contact Bryan Handlos at Kutak Rock LLP at (402) 346-6000 or bryan.handlos@kutakrock.com. Handlos is a member of Kutak Rock LLP’s banking practice group where he concentrates on bank regulatory matters.

negotiation, ongoing monitoring, and termination and contingency planning. Examples of the sorts of things the OCC may seek to review include (but are not limited to):

• the bank’s risk ranking methodology and how often risk rankings are reviewed;
• the process for escalating significant issues to the board;
• whether the bank periodically reviews contracts after execution to check whether the contracts continue to address pertinent risk controls and legal protections;[5]
• several contract-specific issues (including a number of points on subcontractors);
• whether the bank processes include asking for the Interagency Examination of Service Provider examination report, whether one was actually requested and how it was used;
• whether ongoing monitoring assesses changes to the third party’s business strategies and reputation, compliance, key personnel, ability to manage risk by identifying risks before they are cited in audit reports, and processes for adjusting policies, procedures, and controls in response to changing threats and new vulnerabilities;[6]
• whether board minutes show that the board reviews and approves appropriate matters; and
• how management holds employees who manage relationships with third parties accountable for various issues.[7]

Like much of the backroom world of banking, third party risk management is a largely thankless job. But when problems with third party relationships occur, especially with critical relationships, the consequences can be significant. When such consequences have already materialized, they are extremely difficult to address. At that point, third parties often will have interests that vary from the bank’s interests. Thankless or not, proactive monitoring and management to prevent the materialization of such consequences is crucial. Thoughtful consideration of the OCC’s new guidance may well help a bank stay on top of this ever evolving area.

[1] OCC Bulletin 2017-21.
[2] OCC Bulletin 2013-29.
[3] Subject, of course, to compliance with antitrust laws.
[4] For example: planning and termination requirements, integration into strategic planning, assuring consistency with internal controls, assessing quantity of risk to the bank, benchmarking performance against contractual requirements, monitoring for compliance with applicable law, and monitoring disaster recovery timeframes for consistency with the bank’s own plans.
[5] Although not addressed by the OCC, this point raises an interesting question about what a bank is supposed to do if it determines that a contract, which it has already executed and is bound by, no longer sufficiently addresses these issues. There may be a number of answers to this question, but the bank will rarely, if ever, have the ability to fix such a problem unilaterally.
[6] The ability to accomplish these things may well be dependent on adequate audit or similar provisions in the third party contract.
[7] The procedures document also indicates that banks should design compensation programs to attract and retain qualified personnel, align with strategy, and appropriately balance risk-taking and reward.