OCC’s Third Party Relationship Guidance – Part-time Bank Board Members Need Not Apply
SPECIAL REPORT: AMERICAN ASSOCIATION OF BANK DIRECTORS ON THIRD-PARTY RELATIONSHIPS OCC 2013-29
'Third-Party Relationships: Risk Management Guidance'
October 30, 2013
EXECUTIVE DIRECTOR, AABD
In its seminal report last year entitled 'Bank Director Regulatory Burden Report', the American Association of Bank Directors detailed more than 800 provisions in federal law, regulations and banking agency guidance that impose obligations on bank directors.
The Report urged the federal banking agencies and Congress to take immediate action to begin to minimize the overwhelming burdens that these obligations place on bank directors and to consider existing burdens before adding to them.
Instead of making efforts to reduce board of director burdens, the federal banking agencies have continued to increase them.
The latest example is the OCC's new guidance on risk management of third party relationships, a subject of interest of the banking agencies for many years.
The Guidance in many respects provides a helpful roadmap for national banks to have a more robust and effective process involved in the evaluation and implementation of third party relationships.
The OCC 'expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank's organizational structures.'
A key feature of the Guidance is the emphasis that banks apply 'more comprehensive and rigorous oversight and management' to 'critical activities.' The OCC expects that national banks and federal savings banks to revisit and update their risk management efforts as to all third parties. Failure to have a plan on an effective risk management process 'may be an unsafe or unsound banking practice.'
The Guidance sets out a 'life cycle' approach – planning, due diligence and third party selection, contract negotiation, ongoing monitoring, and termination.
But the Guidance also places additional burdens on boards of directors – in some respects, responsibilities that are management in character.
The Guidance also overstates the responsibilities of board members by suggesting that they are responsible for the results of management's implementation of the bank's risk management system and even for the behavior of third parties that contract with the bank.
The preface to the Guidance repeats what has practically become a bank regulatory mantra for board responsibilities in other contexts – Boards must ensure that an effective process is in place to manage risks related to third party relationships. To be effective, the process presumably must have positive results.
But results are not the responsibility of boards of directors. The process established by management and approved by the board of directors should be reasonable given the facts and circumstances, but ensuring that the process will effectively manage risks is the responsibility of management.
The Guidance also extends the responsibility of a board of directors to 'ensure that the [third party] activity is conducted in a safe and sound manner and in compliance with applicable laws…' This could be read to mean that the board is responsible for the actions of third parties under contract with the bank.
The Guidance defines 'third party relationships' broadly as 'any business arrangement between a bank and another entity by contract or otherwise.'
It sets forth two categories of third party relationships – those involving 'critical activities' and those that don't. For critical activities, risk management processes are expected to involve more comprehensive and rigorous oversight and management of third party relationships. For example, boards of directors are expected to review and approve contracts involving 'critical activities.'
But the definition of 'critical activities' appears to involve much more than what the word 'critical' connotes.
They involve 'significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that could cause a bank to face significant risk if the third party fails to meet expectations; could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be bought in house.
Note that 'could' means possible, not probable or even likely. Also 'significant' is used instead of 'material', which has meaning from accounting literature and has a direct relationship to a bank's financial statements.
This open-ended and vague language creates problems for national banks and their boards of directors that in good faith attempt to meet the terms of the Guidance.
The concern is that to address the possible ('could'), boards and management will take a broad view of what constitute critical activities. As a result, they will apply more comprehensive and rigorous oversight and management of third party relationships than might otherwise be warranted. By exercising more oversight than appropriate, they will expend limited resources on less important sources of risk to the possible detriment of focusing on more important issues.
The Guidance lacks the balance required to understand the distinction and interplay between the board of directors and management. Bank directors are entitled under law to exercise their business judgment in good faith, delegate management duties to management, and reasonably rely on such management. But the Guidance does not say that.
AABD is asking the OCC for clarifications to its Guidance to reinforce the distinction between the role of the Board and the role of management.