OCC Vendor Management: What the OCC Really Wants

Update June 13, 2023: The OCC, FDIC and Federal Reserve released the Interagency Guidance on Third-Party Relationships in June 2023, replacing previous guidance.

We break down the new guidance in this blog post.

Third-party risk is a hot button issue for regulators. When a financial institution (FI) outsources an activity to an outside vendor, it can introduce all kinds of risk. Vendor management is all about identifying, measuring, monitoring and controlling those risks. Understanding OCC vendor management will keep regulators and your board happy.

Different regulators use different terms to talk about vendor management. While they all ultimately have the same goal, they go about it in different ways. Today we’re looking at the OCC’s approach to vendor management to better understand what the agency really wants from FIs.

The OCC views the failure to “engage in a robust analytics process” for vendor management as potentially “an unsafe and unsound banking practice,” according to OCC Bulletin 2013-29 – Third Party Relationships. Naturally risk-averse, the agency wants to ensure banks are aware of the amount of risk they are taking on and have processes to manage those risks commensurate with their size and complexity.

Critical Vendors

The OCC begins OCC Bulletin 2013-29 by warning banks that not all vendors are created equal. The OCC draws special attention to “critical,” or high-risk vendors. These are vendor relationships that involve critical activities such as “significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that

• could cause a bank to face significant risk if the third party fails to meet expectations;
• could have significant customer impacts;
• require significant investment in resources to implement the third-party relationship and manage the risk;
• could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.”

Critical vendors require strong oversight and controls that vary depending on the size and complexity of the risk they pose.

Vendor Management’s Three-Legged Stool

The OCC’s approach to overseeing and managing vendor risk is built on a three-legged stool:

1. Independent reviews. It’s not enough to have a vendor risk management process. The bank needs to be sure its process is effective and remains consistent with the bank’s overall business strategy. Every step of the process needs to work effectively, including policies, reporting, resources and controls. If a bank isn’t successfully identifying risks, responding to breaches, conducting appropriate due diligence and ongoing monitoring, or if it’s approaching its risk tolerance limits, senior management needs to tell the board so it can decide whether to deploy new resources, change vendors or consider a new approach, such as bringing an activity in-house or discontinuing it altogether.
2. Documentation. If it’s not written down, it didn’t happen. The bank should keep all in-house and vendor documentation organized. This includes everything produced in the planning, due diligence, contract, and monitoring phases. Examples include lists that identify all critical vendors and the risks they pose, contracts, cost analyses, and vendor-provided and internal audit reports. Documents should be up to date and readily available to facilitate "oversight, accountability, monitoring, and risk management."
3. Oversight and accountability. Vendor risk management is part of a bank’s overall enterprise risk management (ERM) program. Successfully managing it requires that “roles and responsibilities are clearly defined,” that individuals given tasks have the knowledge, authority and resources to complete them, and that there is a system in place to integrate ERM and vendor risk management. The board, senior management and staff each have a role to play, and there needs to be a way to track what each party is responsible for and what they have done to address it:
   • Board. The board is responsible for the bank’s overall ERM process. They set a bank’s risk tolerance and approve risk policies and plans for managing critical vendors. They review due diligence results, approve contracts with critical vendors, review ongoing monitoring, and ensure issues are remediated.
   • Management. Management develops plans and processes for managing critical vendor risk and presents them to the board. They conduct due diligence and report findings to the board. Management ensures controls are regularly tested, particularly those for critical vendors, remediates issues, and reports significant findings to the board.
   • Bank employees. Bank employees responsible for monitoring vendor relationships inform senior management if monitoring reveals problems, whether it’s an increase in risk, system failure or compliance issues.

The different elements of the stool repeat themselves across the five stages of the vendor risk management life cycle:

1. Planning. What the OCC calls planning might best be described as the risk assessment phase. This is when senior management considers an FI’s overall ERM strategy and applies it to vendor management, identifying the potential risks of an activity and then choosing an appropriate vendor. Areas to consider include:
   • Strategic plan and business strategy
   • Impact management
   • Financial benefits
   • Data security and business continuity
   • Compliance
   • Monitoring
2. Due Diligence. Management should conduct third-party vendor due diligence before a contract is signed and throughout the duration of the relationship. The more risk a vendor presents, the deeper the diligence should go. The goal is to understand the vendor’s financials, experience, legal and regulatory knowledge, reputation, operations and controls. Just because a bank has dealt with a vendor in the past doesn’t mean it can skimp on due diligence when taking on a new activity. The results should be reported to the board to inform their decision making.
   • Strategies and goals
   • Legal and regulatory compliance
   • Financial condition
   • Business experience and reputation
   • Fee structure and incentives
   • Principals
   • Risk management
   • Information security
   • Management of information systems
   • Resilience
   • Physical security
   • Human resource management
   • Subcontractors
   • Insurance coverage
   • Incident-reporting and management programs
3. Contract negotiation. The OCC Third Party Risk Management Guidance lists essential contract elements. More than a check list of must-haves in a written agreement, these are the items that should be easy to understand and track. They should be specific and detailed to provide measurable benchmarks. The board should sign off on contracts with critical vendors.  Contracts should outline the rights and responsibilities of both the vendor and the bank and address:
   • Nature and scope of arrangement
   • Performance measures and benchmarks
   • Reporting
   • Audit and remediation
   • Compliance
   • Cost and compensation
   • Ownership and license
   • Confidentiality and integrity
   • Indemnification, insurance & liability
   • Dispute resolution
   • Default
   • Termination
   • Customer complaints
   • Subcontracting
   • Foreign-based third parties
   • OCC supervision
   • Business resumption and contingency plans
4. Ongoing monitoring. Ongoing vendor monitoring serves many purposes. It ensures that a vendor is living up to its contractual obligations. It also helps senior management be aware when a vendor expands its focus and begins engaging in critical activities, requiring deeper scrutiny. That may mean different or more frequent reports."A bank should pay particular attention to the quality and sustainability of the third party's controls, and its ability to meet service-level agreements, performance metrics and other contractual terms, and to comply with legal and regulatory requirements," the OCC says. Every area touched on by initial due diligence can benefit from ongoing monitoring for changes. Controls should be regularly tested and significant findings should make their way up the oversight ladder.
5. Termination. Contracts end for many reasons. The contract can expire or a bank can choose a new vendor, bring the activity in house or stop engaging in it altogether. Sometimes it ends suddenly with a breach of contract.A bank should have a plan to end vendor relationship efficiently. Elements of this plan include:
   • Knowing how long the transition will take and what the bank will have to do with an eye towards “managing legal, regulatory, customer, and other impacts that might arise.”
   • Issues related to data and access control for IT systems and the risks they may pose.
   • What to do with joint intellectual property.
   • How the bank would handle the potential reputation fallout if termination were the result of a breach of contract.

Now that we know what the OCC is looking for, it’s important to understand what they tell us about the OCC’s overall approach to vendor management.

Ultimately, the OCC sees vendor risk management as an ongoing process, one that begins with planning and due diligence before a contract is signed and continues with monitoring throughout the length of the relationship and a careful transition in the event of termination. It emphasizes a system built around independent reviews, documentation and reporting, and oversight and management.

For the OCC, compliance is about more than lists of critical vendors and vendor reports. It’s about understanding the choices and decisions an FI made in selecting a vendor and in actively choosing to continue its relationship. The agency wants to know the reasons justifying a decision and see proof that the board reviewed and approved it. It wants to understand an institution’s approach to ERM and where a particular vendor fits. It wants FIs to have the necessary resources to analyze reports and carefully negotiate and track contracts. It wants to be confident that the board and management have the necessary tools and processes to ensure continued compliance and a plan to efficiently end the relationship if needed. It wants to be sure that the bank is aware of all changes in the relationship and how those changes impact risk.

For this to happen effectively and efficiently, FIs need a comprehensive, top-down approach to vendor management. There are too many moving pieces, including procedures and documentation, touching too many areas and departments to let vendor management casually languish. FIs need a robust analytics process that takes a broad view of ERM and vendor management, allowing an FI to leverage the risk assessment, measurement, control and mitigation work performed by departments throughout the institution to streamline and improve processes while ensuring major changes are noticed and addressed.

Learn more how Nvendor can help you align vendor management at your institution with FDIC examiner expectations.