Yesterday, the Office of the Comptroller of the Currency issued OCC Bulletin 2013-29 on Third-Party Relationships. Found here: http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
The document rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, both of which had served as the basis for supplier management practices and inspections for many years.
OCC Bulletin Highlights Include:
- A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
- A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
- An effective risk management process throughout the life cycle of the relationship includes:
- plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
- proper due diligence in selecting a third party.
- written contracts that outline the rights and responsibilities of all parties.
- ongoing monitoring of the third party’s activities and performance.
- contingency plans for terminating the relationship in an effective manner.
- clear roles and responsibilities for overseeing and managing the relationship and risk management process.
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
- Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.
“We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic,” said Comptroller of the Currency Thomas Curry. He added, “This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.”
Are your Vendor Management processes and software up to snuff?
View our Vendor Management Resources: