On October 30, 2013, the Office of the Comptroller of the Currency (“OCC”) released OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (“Third-Party Guidance”). Whether your financial institution is regulated by the OCC or not, a detailed review of the Third-Party Guidance is highly recommended to all financial institutions and third-party vendors.
The Third-Party Guidance rescinds and replaces OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” which has always been the most detailed and useful regulator-provided roadmap on the subject of vendor management. The Third-Party Guidance is equally detailed and provides a glance into the future of examinations relating to vendor management. More importantly, the Third-Party Guidance evidences the OCC’s intent to seek enforcement actions relating to deficiencies in a financial institution’s vendor management.
While financial institutions have been told that third-party vendor management is, and will continue to be, a hot topic for regulators, the Third-Party Guidance sends several clear signals that the regulators are serious.
- First, the Third-Party Guidance’s title itself (replacing the word “Principles” with “Guidance”) closely aligns with the phrase “compliance with all applicable Legal Requirements and OCC supervisory guidance,” language frequently used in Cease and Desist Orders.
- Second, the final section of the Third-Party Guidance, entitled “Supervisory Reviews of Third-Party Relationships,” plainly states: “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”
- Third, the Third-Party Guidance makes it clear that the OCC has the power to examine third-party vendors, and to charge the financial institution a special examination or investigation fee for the OCC’s examination of a third party on the bank’s behalf.
- And finally, for community banks, the Third-Party Guidance makes it clear that regulatory expectations have increased. While OCC Bulletin 2001-47 stated: “community banks may be able to adopt this guidance in a less formal and systematic manner…”, the Third-Party Guidance, instead, states:
This guidance applies to all banks with third-party relationships. A community bank should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships. A community bank’s board and management should identify those third-party relationships that involve critical activities and ensure the bank has risk management practices in place to assess, monitor, and manage the risks.
The bottom line is that vendor management is a significant regulatory concern under heightened examination scrutiny, and financial institutions must comply with the expectations of regulators or face enforcement actions and the possibility of significant civil money penalties. The Consumer Financial Protection Bureau (“CFPB”) has also issued guidance related to third-party vendors and has been actively seeking public enforcement actions against several institutions with vendor management issues, including:
- JPMorgan Chase, N.A., and Chase Bank USA, N.A., ($300 million to customers and $20 million to the CFPB Penalty Fund);
- Capital One Bank, N.A., ($140 million to consumers and a $25 million civil penalty);
- Discover Bank, ($200 million to consumers and $14 million civil penalty); and
- American Express, FSB, ($85 million to consumers and a $27.5 million civil monetary penalty, with $500,000 paid to the OCC).
These recent enforcement actions make it very clear: failing to have an effective vendor management program in place can be a very expensive proposition.