Banks accustomed to thinking of risk management as a point-by-point checklist should take note of the OCC’s Semiannual Risk Perspective for Fall 2016.
Released in January, the document reinforces the agency’s enterprise-wide approach to risk management, particularly when it comes to vendor management. Third-party risk management made cameos in several discussions of risk, including:
Operational risk. Vendor consolidation is contributing to elevated levels of operational risk for banks, according to the OCC. As the ecosystem of vendors shrinks, banks have fewer options and more of them are relying on the same third-party vendors to support critical operations, the OCC observes. This includes merchant card processing, denial-of-service mitigation and trust accounting systems.
The result is concentration risk for the industry. Should a major third-party provider encounter difficulty, it could interrupt operations for a large portion of the industry, making oversight essential, the OCC says.
Fourth-party risk. Fourth-party risk occurs when a bank’s critical vendor relies on other vendors. The OCC addresses fourth-party risk under its supervisory priorities for the next 12 months, emphasizing that it will assess third-party risk management when conducting exams of services by “significant technology providers.”
Compliance and reputation risk. Some banks have been falling short when it comes to change management, particularly with recent changes to the integrated mortgage disclosures under the Truth in Lending Act (TILA) and Real Estate Settlement Procedures Act (RESPA). Numerous institutions had issues with third-party vendors that weren’t ready, the OCC says.
Strong due diligence processes and ongoing monitoring for critical third-party vendors are a must, the agency notes, citing TILA-RESPA and recent changes to the Military Lending Act (MLA) as examples where institutions rely on vendors for loan application processing, disclosures, underwriting and closing.
Vendor relationships continue to grow more numerous and complex, and so does risk management. Make sure you have a system in place that connects your compliance and risk management tools so your institution has a full picture of every type of risk it faces. That includes analyzing data and communicating the combined results to the board and management.
If you’re working in silos, you’ll miss the big picture, and regulators are making it clear that they’ll notice.