…but will it become the new standard for institutions with other regulators? UPDATE – The answer is yes, at least for the Federal Reserve. Readers of this blog know that I’ve been predicting an increase in vendor management program scrutiny since early 2010. And although the FFIEC has been very active in this area, issuing multiple updates to outsourcing guidance in the past 2 years, it appears that the OCC is the first primary federal regulator (PFR) to formalize it into a prescriptive methodology.
So if you are a national bank or S&L regulated by the OCC, what you’ll want to know is “what changed”? They’ve been looking at your vendor management program for years as part of your safety & soundness exams, exactly what changes will they expect you to make going forward? The last time the OCC updated their vendor management guidance was back in 2001, so chances are you haven’t made many substantial changes in a while. That will change.
However if you are regulated by the FDIC or the Federal Reserve or the NCUA, so what? Nothing has changed, right? Well no…not yet anyway. Except for a change adding a “Vendor Management and Service Provider Oversight” section in the IT Officer’s Questionnaire back in 2007, the FDIC hasn’t issued any new or updated guidance since 2001. Similarly, the NCUA last issued guidance in 2007 but it was really a re-statement of existing guidance that was first issued in 2001. So considering the proliferation of outsourcing in the last 10 years, I believe all of the other regulators are overdue for updates. Furthermore, I believe the OCC did a very good job with this guidance, and all financial institutions regardless of regulator would be wise to take a close look.
So what’s changed? I compared the original 2001 bulletin (OCC 2001-47) side-by-side with the new one (OCC 2013-29), and although most of the content was very similar, there were some significant differences. Initially they both start out the same way; stating that banks are increasing both the number and the complexity of outsourced relationships. But the updated guidance goes on to state that…
“The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”
They specifically cited failure to assess the direct and indirect costs, failure to perform adequate due diligence and monitoring, and multiple contract issues, as troublesome trends.
Conceptually, the new guidance focuses around a 5-phase “life-cycle” process of risk management. The life-cycle consists of:
- Due diligence and third-party selection,
- Contract negotiation,
- Ongoing monitoring, and
First of all, a “cycle” concept strongly suggests that a once-a-year approach to program updates is not sufficient. Secondly, I think the planning, or pre-vendor, phase is potentially the most significant in terms of the changes that regulators will expect going forward. For one thing, beginning the vendor management process BEFORE beginning the relationship (i.e. before the vendor becomes a vendor) seems like a contradiction in terms (although it is not entirely new to readers of this blog), so many institutions may have skipped this phase entirely. But it is at this planning stage that elements like strategic justification and complexity and impact on existing customers are assessed. Those are only a few of the considerations in the planning phase, the guidance lists 13 in all.
The due diligence and contract phases are clearly defined and also expanded, but fairly consistent with existing guidance*. And although termination is now defined as a separate phase, the expectations really haven’t changed much there either.
On-going monitoring (the traditional oversight phase) has been greatly expanded however. The original guidance had 3 oversight activities; the third party’s financial condition, its controls, and the quality of its service and support. The new guidance still has those 3…and adds 11 more. Everything from insurance coverage, to regulatory compliance, to business continuity and managing customer complaints.
But perhaps the biggest expansion of expectations in the new guidance is the banks’ responsibility to understand how the vendor manages their subcontractors. Banks are expected to…
“Evaluate the third party’s ability to assess, monitor, and mitigate risks from its use of subcontractors and to ensure that the same level of quality and controls exists no matter where the subcontractors’ operations reside.” (Bold added)
Shorter version: “Know your vendor…and your vendor’s vendor”. And this expectation impacts all phases of the risk management life-cycle. Subcontractor concerns start in the planning stage, continue through due diligence and contract considerations, add control expectations to on-going monitoring, and even impact termination considerations.
In summary, everything expands. Your pre-vendor & pre-contract due diligence expands, oversight requirements (and the associated controls) increase, and of course everything must be documented…which also expands! The original guidance listed 5 items typically contained in proper documentation, the updated guidance lists 8 items. But it’s the very first item on the list that caught my attention because it would appear to actually re-define a vendor. Originally the vendor listing was expected to consist of simply “a list of significant vendors or other third parties”, which, depending on the definition of “significant”, was a fairly short list for most institutions. Now it must consist of “a current inventory of all third-party relationships”, which leaves nothing to interpretation and expands your vendor list considerably.**
So if you are regulated by the OCC you can expect these new requirements to be incorporated into the examination process fairly soon. If not, use this as a wake-up call. I think you can expect the other federal regulators to follow suit with their own revised guidance. The OCC has just set the gold standard. Use this opportunity to get ahead of your regulator by revisiting and enhancing your vendor management program now.
* Safe Systems customers can get updated due diligence and contract checklists from their account manager.
** All vendors on the list must be risk assessed, and although the risk categories didn’t change (operational, compliance, reputation, strategic and credit) some of the risk elements did. Matt Gunn pointed out one of the more interesting changes in his recent TechComply post. I’ll cover that and others in a future post.