
'No plans' for further guidance on third-party risk – OCC

Banks will have to figure out what constitutes 'critical activities' for themselves

John Eckert, OCC, at OpRisk North America 2015

Calls for regulators to provide further guidance on third-party risk management appear to have fallen on deaf ears, with a senior regulator insisting the responsibility for developing an effective and efficient monitoring process for vendors performing critical functions rests with senior managers at financial firms.

"There is some discussion the OCC is coming out with additional guidance or a bulletin addendum on third-party risk management. I've also received enquiries about the development or existence of an OCC third-party risk management assessment tool," said John Eckert, director for operational risk and core policy at the US Office of the Comptroller of the Currency (OCC).

"I want to let everyone know our bulletin stands as is. We do not have any plans to develop an addendum and we're not working on an assessment tool."

Eckert was speaking at the OpRisk North America conference in New York on March 24.

In October 2013, the OCC issued Bulletin 2013-29, which sets standards for managing relationships with third parties involved in "critical activities" and requires banks to "adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships".

The OCC has since been inundated with enquiries about the bulletin, which does not identify "critical activities" or specify appropriate risk management processes, leading to speculation the regulator would offer additional guidance and clarification on the matter or offer a regulator-approved tool to perform risk assessments.

Eckert ruled that out and also dismissed the possibility of granting any exemptions from the sorts of activities covered in the bulletin.

For instance, one bank requested an exemption from the bulletin's due diligence requirements with respect to a third-party service provider that was highly regulated by multiple agencies and examiners.

"Our guidance does not provide any exemption for any of the lifecycle components," Eckert said. "Bank management needs to determine the extent of each of the lifecycle components needed for each activity."

However, Eckert did caution firms against going "way overboard" with their ongoing third-party risk monitoring. He gave the example of one bank that wanted to perform a full ongoing monitoring assessment of its courier service, to the extent of requesting details of the courier's security procedures, which it declined to provide. "That's an example of going way overboard. Does that bank really understand what is a critical activity?"

Eckert advised banks to address any specific queries about the bulletin to the examiners covering their firms. "If you have questions regarding specific bank situations, your first point of contact should be with the resident examination teams at large banks, while mid-size banks should be talking to their functional examiners," he said.

He also cautioned firms on the use of third-party tools for vendor risk management. "We're not aware of any application or tool that really covers the full lifecycle," he said.

Banks will have to decide for themselves whether to adopt such tools. "It can be an effective part of your third-party risk management framework. But in and of itself, a tool should not be solely used to manage the process," said Eckert. "It still comes down to using your subject matter expertise and common sense. You have to look for the red flags."

Eckert also warned against adopting a "checklist mentality" to third-party risk management, which some of the tools on the market may promote. "It could lead to people who don't understand the concept doing the ongoing monitoring. The subject matter expertise is what we hope your staff has to go out and effectively manage the risk," he said.
