Banks will have to decide for themselves what their critical third-party activities are The US Office of the Comptroller of the Currency (OCC) will not be developing a list of critical activities that banks should be monitoring in their relationship with third parties, delegates at the OpRisk North America conference in New York heard yesterday. John Eckert, director for operational risk and core policy at the OCC, told delegates that despite the OCC's most recent guidelines on third-party relationships emphasising the need to monitor and risk-manage critical activities with third parties, financial institutions are not going to be told what those critical activities actually are. "One thing I want stress to you – and this is really why we didn't come up with a checklist – is that one bank may consider an activity critical and it may not be to another," Eckert told delegates. "We don't have a checklist. I've been asked if we are going to come up with a checklist: we don't have one and we're not going to develop one. What we want to see is you develop the decisioning process." Audience members expressed concerns about this, with one saying that trying to assess how to categorise something as 'critical' without any real guidance from the OCC was a challenge when trying to risk-manage third-party relationships. In response, Eckert told delegates they should look to their own management for guidance and decisions as to what is a critical activity with a third party. "It's up to the board of directors or the risk committee and management to identify the critical activities and the third-party relationships to those activities. What are we, the OCC, looking for here? As a collective group we're looking for policies and processes in place to identify those activities." Eckert also stressed the point that banks need to look at the guidance – released in October 2013 – and adjust it according to their institution and the level of risk they are exposed to from third-party relationships. The OCC expects banks to have risk management processes that are commensurate with the level of risk and complexity of their third-party relationships and organisational structures. "I want to set the ground on this. The guidance is written to cover all facets of our banks from community banks all the way up. We want to make it clear to all of you when you look at the guidance – and it is guidance, not a final rule – that you need to take a look at that and adjust and measure it to your level of activities and the size and complexity of your bank." He told delegates that banks must obtain as much information as they need to make their decisions when carrying out their due diligence on third parties, reiterating that banks need to be responsible for making the right choices when picking third parties to work with. "The key is obtaining the right amount of information to make the determination," he said. "Use the common sense approach here. This is guidance, not a one-size-fits-all, so manage according to the level of risk in terms of how you do your due diligence and then negotiating contracts. Outline the rights and responsibilities of all parties, which means the bank, the third party and their possible contractors. Make sure those are all included." Eckert also warned that with any third-party relationship, an exit strategy must be in place right from the very start. "Banks need to have a plan in place for relationships that terminate – expectedly or unexpectedly."...
Start a FREE trial or subscribe to continue reading:
Start a 4 week free trial
Try Risk.net's premium content for a limited period. Register now for your FREE trial to one of our leading brands.
*not available to previous trialists or subscribers.
Log In or Subscribe Now
Subscribe to Risk.net Business now to access all our premium news & features content for 1 year.
Pay by Credit Card for immediate access.