Yesterday, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (the “Semiannual Risk Perspective”). The Semiannual Risk Perspective covers “key issues facing banks, focusing on those that pose threats to the safety and soundness of banks and their compliance with applicable laws and regulations.” While the OCC identifies four main areas of risk, those working in the vendor management space should take note of the OCC’s specific identification of third party service provider risk:
Regulatory amendments and reliance on third parties continue to create challenges for bank consumer compliance functions. Bank Secrecy Act (BSA) risk also continues to increase as criminal behaviors evolve and criminals leverage technology innovations. (emphasis added).
Additionally, the OCC highlights in the Semiannual Risk Perspective fair lending risks associated with use of third parties in the application or underwriting processes or to make decisions regarding terms or pricing. Other regulatory agencies—such as the CFPB—have long looked to OCC guidance as foundational in the area of vendor management and will likely do so with regard to this report.
More specifically, according to the OCC, one of the “key risks” facing large banks is “use of third-party relationships without appropriate oversight and controls to monitor risks within those relationships” (emphasis added). Community and mid-size banks face, in the OCC’s opinion, similar risks: “increasing reliance on third-party relationships to provide products and services and perform operational and business functions.”
Raising third party risk allows the OCC to remind regulated entities of the continued vitality of OCC 2013-29 (“Third-Party Relationships: Risk Management Guidance” (October 30, 2013)). OCC 2013-29, which is the OCC’s fundamental third-party risk management guidance, rescinded previous OCC guidance—most notably: OCC 2001-47 (Nov. 1, 2001) and OCC Advisory Letter 2000-9 (Aug. 29, 2009). Effectively elaborating upon this existing body of guidance, the Semiannual Risk Perspective focuses specific attention on cybersecurity: “Banks and their employees, customers, and third-party relationships remain vulnerable to cyber attacks, including attacks that involve extortion and those that can compromise, disrupt, or destroy data and systems.” Perhaps more tellingly the OCC tacitly expresses concern about increased use of third party providers in the market: “The number, nature, and complexity of domestic and foreign third-party relationships continue to expand, increasing concentration and risk management challenges.”
Given this background, it is not surprising that the OCC’s message in the Semiannual Risk Perspective is quite clear:
- The use of third-party relationships to conduct all or a portion of consumer credit-related product development, implementation, and fulfillment can increase the risk of unfair or deceptive practices. In recent years, a number of banks failed to exercise adequate risk management and controls when developing and offering various add-on products to customers. These banks were the subject of OCC enforcement actions (EA), including the imposition of civil money penalties, for engaging in a range of activities that violated section 5 of the Federal Trade Commission Act.
- Fair lending risk also increases when banks engage a third party to conduct all or a portion of the application or underwriting processes or make decisions regarding terms or pricing.
- Some banks will face operational and compliance challenges meeting the integrated mortgage disclosure requirements, which apply to loan applications for most closed-end consumer credit transactions secured by real property received on or after October 3, 2015. In implementing the new integrated mortgage disclosure requirements in Regulations Z and X, compliance risk management should include revisions to policies and processes, technological changes, training, testing, and effective third-party risk management.
Ultimately, the message of the Semiannual Risk Perspective is clear: banks must develop and implement comprehensive vendor risk management programs. Additionally, as banks leverage the increasing range of technology products, those banks must ensure their vendor management programs are sufficiently nimble to grow with those markets. There is no question that the OCC is looking to the future. Among the OCC’s top 12 priorities is:
Operational risk: Assessing information security and data protection, model risk management, and third-party risk management, including risks associated with third-party relationships. OCC supervisory staff are evaluating bank management plans to respond to increasing operational risk resulting from the introduction of new or revised business products, processes, delivery channels, or third-party relationships. (footnote omitted).
With 2016 on the horizon, there is every indication that the use and oversight of third party service providers by financial institutions will continue to be a primary area of focus by governmental regulators.