Valentine’s Day was last month, but the Office of the Comptroller of the Currency (OCC) has answers for your burning relationship questions—at least the ones having to do with your FI’s third-party vendors.
The OCC released a Frequently Asked Questions (FAQ) supplement to OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance, last week. It replaces the version the agency released in 2017.
Looking at the new answers, a few themes emerge.
If you answered yes to one of the above questions, that third-party relationship is considered a vendor and should be subject to your FI’s vendor management process.
Another area of confusion is bank data aggregators. If an FI gets direct service from a data aggregator via a business arrangement, it’s a third-party vendor. Yet the OCC warns that even if FIs don’t have a direct relationship they should still perform due diligence on the aggregator’s business experience and reputation to ensure customer data will be safe. This includes “screen scraping,” or using customer login data with their permission to gather data. It can cause operational and reputation risk, the agency says.
The fact that the OCC felt the need to clarify the definition of a vendor is a sign that some FIs are struggling to identify all their third-party vendors. Make sure that your FI is using a broad definition. You don't want to accidentally omit a critical vendor.
Vendor management falls under the umbrella of risk management. It allows an FI to decide if the potential risks of working with a vendor align with the FI’s risk appetite and strategic goals. Vendor management follows the same lifecycle as risk management:
Recognizing that vendor management is risk management is especially important when it comes to mitigation. FIs engage in vendor due diligence to assess risk and the effectiveness of controls.
The OCC makes a point of reminding banks that if they can't get the due diligence documents they need, they must weigh the value of working with the vendor against the risk they cannot assess. Riskier activities may require additional risk controls. In the case of vendors, that can include identifying a backup vendor or other contingency arrangement.
From due diligence and ongoing monitoring to contract negotiation, FIs are welcome to use vendors to help manage third-party vendor relationships. However, the final call on whether a vendor relationship falls within an FI's risk tolerance must be made by the FI.
Every FI needs to tailor its third-party vendor management processes to its own needs based on its size, complexity and other unique attributes. The risk any given vendor poses differs from bank to bank and depends, in part, on the specific products and services that vendor provides.
It includes:
Vendor management vendors should also be risk-assessed and managed like any other third party.