I was fortunate to sit on a panel hosted by the American Banker yesterday, April 24th, with two OCC representatives: Kimberly Cahill, Acting Director for Bank Information Technology, and John Eckert, Director of Operational Risk. We, along with others, were discussing the OCC’s recent guidance on Third-Party Vendor Management. Many financial institutions, especially community and regional banks, have been concerned about just how to implement the guidance.
The first takeaway from the webinar was that banks must marry their purpose, banks’ raison d’être, with risk management of vendors that provide critical activities (think significant bank functions, services or activities that could have a major impact on the bank’s operations) for the bank. This must occur throughout the lifecycle of the relationship with the vendor. And the OCC expects boards of directors and management oversight that includes independent reviews of third-party risk involving critical activities. The OCC folks emphasized that “independent means independent,” as in, outside of the bank itself.
The guidance itself describes the lifecycle well.
But what are bank examiners looking for when they knock on the door? Cahill and Eckert said that regulators conducting safety and soundness exams are asking themselves, among other things, the following questions:
- Does the bank have a good handle on the scope of its third-party risks?
- Do its contracts with its third-party vendors adequately deal with this risk?
- Does the CAMELS score reflect how the bank is managing vendor risk? Should it be lowered? Raised?
- Does the OCC need to exercise its authority to reach out and examine the vendor itself?
All of the speakers on the American Banker panel made clear that there are two keys to the kingdom here. The first is properly identifying your critical activities, i.e., those vendors that perform services that have the biggest impacts on customers and shareholders. The second is managing vendor relationships by ensuring that the bank has strong contracts with third parties and by making sure those contracts are well-managed over their lifecycle. For this last part, smart banks will engage outside counsel that have a good handle on banking regulations, guidance and trends in the industry.