The Office of the Comptroller of the Currency’s (OCC) Committee on Bank Supervision (CBS) released its annual operating plan setting forth the agency’s supervision priorities and objectives for the fiscal year (FY) 2018; October 1, 2017 to September 30, 2018. You can find a direct link to the operating plan at the bottom of this post.
New year, new focus right? New priorities. New objectives. Well‚Ä¶ not exactly.
If you’re familiar with the OCC’s past FY operating plans, it’s likely that you will experience d√©j√† vu reading through the OCC’s FY 2018 operating plan. But just because this plan echoes prior years doesn’t mean it should be disregarded. The OCC hasn’t much shifted its focus or priorities, and that means we shouldn’t either.
Once again, if risk management is the target, third party relationships are at the bullseye.
The Midsize and Community Bank Supervision (MCBS) Department for FY 2018 is focused on operational risk. This means assessing information security, data protection, and third party risk management including risks associated with third party relationships (as defined in the OCC’s Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance”). Specifically, examiners will be evaluating bank management’s plans to respond to increasing operational risk as a result of third party relationships, including outsourcing providers.
Furthermore, midsize and community banks will be assessed on enterprise data governance, including vendor and third party management, which typically influences systems capacity, testing, security, sharing, monitoring, and retention.
One piece of the operating plan that is particularly interesting is the section about service providers‚Ä¶ particularly their pending evaluation of interconnectivity and third party risk management. This means that while your bank is being assessed on third party vendor risk management, your third party vendors will be assessed on their third party vendor relationships (aka, your fourth party vendor relationships). This is likely in response to the SSAE 18 standard for fourth party vendor relationships that went into effect May 1, 2017.
This much is certain: the OCC has and continues to express concern for interconnectivity and interdependency of third party vendor relationships. Banks will need to demonstrate a resilient and well-defined program for identifying, assessing, and managing third and fourth party risk. They will need to be aware and proactively working to prevent any gaps in the planning, due diligence, oversight, and control of their vendor relationships.
FY 2018’s operating plan priorities and focus might not be too different from past years, but that means that if your bank’s vendor management program has slid under the OCC’s radar in past years, 2018 is the year to tighten up your vendor management program before they (inevitably) do come knocking. The best way to ensure you’re in compliance with the latest regulatory guidance? A professional, automated vendor management solution.
VendorInsight® helps banks by providing a centralized, easy to use platform for all of your vendor management needs. We give you the tools to help automate your vendor management process and strengthen your program. VendorInsight® due diligence services provide annual updates to your SSAE18/SOC reviews, financial reviews, OFAC verifications and more.
To talk with a VendorInsight® team member about how we can help strengthen your vendor management program in preparation for the OCC’s 2018 examination priorities, follow the link below: