U.S. Office of the Comptroller of the Currency Updates Third-Party Relationships Risk Management Guidance
On March 5, 2020, the Office of the Comptroller of the Currency (OCC) issued an updated set of answers to frequently asked questions (FAQs)[1] regarding risk management in national bank relationships with third parties to further supplement its 2013 guidance, OCC Bulletin 2013-29 (the Bulletin),[2] and its 2017 FAQs (Prior FAQs) on the topic.[3] Twelve of the 27 FAQs are new and elaborate on a wide range of topics, including the broad intended scope of third-party risk management obligations, the obligations of banks where negotiating power or access to information is limited, oversight of cloud computing providers and data aggregators, and the use of third parties in model development or in the delivery of alternative data for credit underwriting.
Reaffirming the Broad Scope of Third-Party Risk Management Obligations (FAQ #2)
The Bulletin broadly defined covered third-party relationships as “any business arrangement between a bank and another entity, by contract or otherwise” and subjected those third-party relationships that involve “critical activities” to more robust due diligence, monitoring and management requirements. In an unhelpful tautology, the FAQs indicate that the term “business arrangement” is meant to be synonymous with the term “third-party relationship.” However, the FAQs do provide some further description of the wide-ranging intent of this reference. Critically, the FAQs make clear that the traditional terms “vendors” — described as individuals or companies offering something for sale — and “outsourcing” of bank functions or tasks to other entities are mere subsets of the universe of business relationships. In fact, neither a written contract nor monetary exchange between the bank and a third party is required to establish a business relationship.
Moreover, after reiterating the original examples of third-party arrangements from the Bulletin (“activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which the bank has an ongoing relationship or may have responsibility for the associated records”), the OCC provides additional examples to help elucidate both the scope of coverage of the Bulletin and the relative risk levels associated with different types of arrangements:
- Referral arrangements: Where a bank refers leads to another party for any compensation, including cross-marketing, the bank has a business arrangement with the party receiving the referrals.
- Appraisers and appraisal management companies: A bank establishes business relationships when entering into agreements with individual appraisers as well as with appraisal management companies when the process of engaging real estate appraisers is outsourced to such entities.
- Professional service providers: Banks receiving services from law firms, consultants, audit firms etc. have business relationships with these providers.
- Maintenance, catering and custodial service companies: Any entity that a bank or a line of business uses to provide a product or service either to the bank or to the bank’s customers establishes a business relationship.
The FAQs reiterate that while “OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships,” bank management should perform its due diligence, contract negotiation and ongoing monitoring responsibilities “consistent with the level of risk and complexity posed by each third-party relationship.” In short, catering contracts do not require the same review as core system outsourcing agreements.
Coverage of Relationships With Cloud Computing Providers (FAQ #3)
Mirroring the approach taken with other bank-financial technology (fintech) relationships, the OCC clarifies that risk management for cloud computing services is “fundamentally the same” as any other third-party relationship where the level of diligence and oversight should be commensurate with the risks associated with the particular cloud computing platform and the data to be housed or processed on that platform. In a reference likely driven by a reported cloud-based data security incident at Capital One, the OCC cautions banks to document the allocation of responsibility for security-related control settings between the bank and the third party, while noting that the bank retains ultimate responsibility for the effectiveness of the control environment.
Coverage of Relationships With Data Aggregators (FAQ #4)
The FAQs discuss different types of interactions banks may have with data aggregators and the associated third-party risk management expectations based on the nature of such relationships. “Data aggregators” are defined as “entities that access, aggregate, share, or store consumer financial account and transaction data that they acquire through connections” which are “often intermediaries between the financial technology (fintech) applications that consumers use to access their data and the sources of data at financial services companies.”
The FAQs divide bank relationships with data aggregators into three types, only two of which involve “business arrangements.” The most significant level of involvement arises when a bank contracts to use the services of a data aggregator to populate information into bank products and services. Such relationships involve the full panoply of risks and oversight obligations addressed in the Bulletin.
The second involves circumstances where banks affirmatively share customer-permissioned data with data aggregators, such as through an application programming interface (API), but often without any direct benefit to the bank. Any such agreement, including the use of APIs, constitutes a business arrangement, and therefore the bank’s level of due diligence and ongoing monitoring should be commensurate with the risk, particularly the potential for exposure of sensitive customer information.
At the other end of the spectrum is screen scraping, a “common method” whereby the data aggregator uses customer-provided credentials to access bank data without any contractual arrangement between the data aggregator and the bank. While screen scraping will typically fail to even constitute a business relationship governed by the Bulletin, the OCC nonetheless places at least some of the risk management responsibility on the bank when it knows screen scraping is occurring. Because screen scraping may “pose operational and reputation risks,” banks must take action to manage the safety and soundness concerns by identifying large-scale screen scraping activities, taking reasonable steps to identify the source of such activities, conducting appropriate diligence when sources are identified and taking steps, including monitoring, to attempt to obtain comfort as to the security practices of the identified aggregators.
Risk Management in the Face of Limited Negotiating Power (FAQ #5)
For the first time, the OCC acknowledges in the FAQs that there are scenarios where banks have limited negotiating power to obtain certain information or make changes to standard contracts from certain third parties. Where “bank management is limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would,” banks must take “appropriate actions” to mitigate risk under the circumstances. Such steps may include assessing whether such limited negotiating power is within the bank’s risk appetite, finding alternative information sources, establishing contingencies for delivery disruptions, analyzing and documenting why the third party is nonetheless the most appropriate entity available to the bank, and confirming noncustomized contracts nonetheless meet bank needs.
Bank Responsibilities With Respect to Subcontractors (FAQ #11)
The FAQs expand on the Bulletin’s guidance related to subcontractors or so-called “fourth party providers.” Banks must identify which of their third parties use subcontractors and should (i) evaluate the volume and types of subcontracted activities and subcontractors’ geographic locations, (ii) determine each third party’s ability to identify and control risks from its use of subcontractors, (iii) contractually require notification of intent to use a subcontractor and (iv) specify the third party’s reporting obligations with respect to subcontractor legal and contractual compliance. In particular, banks often have third-party relationships with entities that in turn contract with cloud computing service providers. Bank management is specifically cautioned to approach diligence in this regard as it does subcontractor relationships generally — ultimately seeking to confirm the third party’s ability to oversee and monitor its cloud subcontractor.
Reliance on Third-Party Reports, Certificates of Compliance and Audits (FAQs #14 & 25)
Consistent with the discretion provided to banks in existing guidance, the FAQs allow banks to rely on reports, certificates of compliance and independent audits provided by entities with which they have a third-party relationship when conducting diligence and monitoring. For example, System and Organization Controls reports may be used to confirm that a third party can adequately oversee its cloud service subcontractor. In all cases, however, the bank remains responsible for determining whether the scope and detail of the relevant reports are sufficient to properly assess the third party’s control structure. The OCC also specifies that banks may rely on compliance disclosures published by financial market utilities consistent with the international Principles for Financial Market Infrastructures. Banks may also rely on pooled audit reports created specifically for a customer group of a particular service provider. Similarly, banks may use third-party assessment service companies formed to provide more efficient due diligence and ongoing monitoring in connection with a third-party relationship. Because these “utilities” often rely on standardized practices and questionnaires, however, banks are responsible for evaluating whether the standardized product is appropriate for their circumstances, particularly when the underlying service is critical to bank operations.
Risk Management in Connection With Third-Party Involvement in Risk Models (FAQ #22)
When a bank uses a third-party model or uses a third party to assist with model risk management, those models should be incorporated into the bank’s third-party risk management and model risk management processes. Third parties may be employed to assist banks in conducting model validation and compliance reviews and to support internal audits. The FAQs clarify that the bank should conduct due diligence on the third-party relationship as well as on the model itself. Any bank customization of third-party models should be documented and justified as part of the model’s validation. Banks should have a contingency plan for instances when the third-party model is no longer available or cannot be supported by the third party. Independent certifications or validation reports of third-party models provided by the third party to the bank should be detailed, outlining key assumptions and limitations, and “should not be taken at face value.”
Board Involvement in Approval of Contracts for Critical Activities (FAQ #26)
The Bulletin states that a bank’s board of directors should approve contracts with third parties involving critical activities. The FAQs clarify that this statement is not intended to mandate board involvement on the negotiation of each individual contract but rather to indicate that the board should receive sufficient information to understand the bank’s overall strategy for using third parties along with the significant “dependencies, costs, and limitations” the bank has with such third parties. Boards may rely on executive summaries of contracts and/or delegate actual approval of contracts with third parties involving critical activities to committees or senior management.
Additional New Topics
The new FAQs also address the following:
- guidance on determining which third-party relationships involve critical activities (#8)
- how banks should determine the risks associated with third-party relationships (#9)
- guidance on the level of diligence to apply to certain third parties such as fintechs, startups and small businesses that may have limited capacity to satisfy bank informational and diligence demands (#17)
- how banks should handle third-party risk management when obtaining alternative data from a third party (#27)
[1] Office of the Comptroller of the Currency, Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29 (March 5, 2020), available at https://www.occ.treas.gov/news-issuances/bulletins/2020/bulletin-2020-10.html.
[2] Office of the Comptroller of the Currency, OCC Bulletin 2013-29 (Oct. 30, 2013), available at https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.
[3] See Office of the Comptroller of the Currency, Frequently Asked Questions to Supplement OCC Bulletin 2013-29 (June 7, 2017). For further information on the Prior FAQs, see Sidley’s earlier client alert available at https://www.sidley.com/en/insights/newsupdates/2017/06/occ-issues-third-party-relationship-faqs. Each of the Prior FAQs is included without revision in the FAQs, with its Prior FAQ number provided for reference. The lone exception is FAQ number 24 (Prior FAQ number 14), which was updated to reflect current American Institute of Certified Public Accountants Service Organization Control report information.