The Office of the Comptroller of the Currency (OCC) states that a financial institution’s “use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations.” But the OCC’s bulletins on third-party risk management (TPRM) have led to confusion, partly because the industry’s evolution has fueled the need for clarification over the years.
Released on March 5, Bulletin 2020-10 republishes items issued in Bulletin 2017-21. That 2017 Bulletin was itself a clarification of the seminal industry third-party risk management guidance given by the OCC in Bulletin 2013-29. The latest Bulletin 2020-10 is again formatted in a frequently asked questions (FAQs) style in an attempt to clarify existing guidance and describe evolving industry trends and regulations.
Key takeaways from the new Bulletin are clarifications on a broader definition of third-party vendors, expectations of vendor review and alternative evaluation methods to achieve adequate oversight of third-party risk. How can you keep up with these new requirements and ensure your third-party risk management program is in compliance with the OCC?
Critical Themes in the Bulletin 2020-10
The recurring theme throughout the update is that you need to widen your scope in assessing third parties and that all vendors need to be financially evaluated, says Jay Fitzhugh, Chief Regulatory Officer for CMPG Risk Solutions.
The definition of third-party vendors has become very broad. “Now it is being interpreted to encompass relationships that might not even involve contracts,” says Fitzhugh, including:
- Referral arrangements
- Appraisers and appraisal management companies
- Professional service providers, such as attorneys
- Maintenance, catering and custodial service companies
- Data aggregators
With regard to expanded review requirements, “In our experience, 98 out of 100 organizations have a risk-based approach to third-party financial evaluations,” he says. “They aren’t evaluating the financial condition of small, low-risk or insignificant vendors, but per the Bulletin, this could lead to program criticism.”
The OCC’s clarifying language on financial evaluations and vendor requirements indicates that many organizations have struggled with previous guidance. How can you make sure you’re gathering the necessary data to go above and beyond the OCC’s standards? VendorInsight® has the vendor due diligence capabilities to help you evaluate your vendors’ finances and track vendors of any size.
VendorInsight® is Uniquely Prepared for OCC Guidelines
VendorInsight® has the tools and functionalities you need to meet the requirements of Bulletin 2020-10:
- The Bulletin states in point 4 that data aggregators are still the financial institution’s responsibility even if there is no direct service or business arrangement.
“The problem is financial institutions don’t always know who these data aggregators are,” says Fitzhugh. “These aggregators work independently with an institution’s clients to access and export a client’s financial information.”
To address this lack of visibility into these providers, VendorInsight® is currently finalizing a vendor due diligence content bundle that allows financial institutions to evaluate industry-leading data aggregators in one centralized place.
- On point 17 of the Bulletin, “This segment of clarification defines that all third-party vendors require an evaluation of financial condition that must be performed during vendor due diligence and in ongoing continuous monitoring,” says Fitzhugh. “The explicit expansion of the vendor portfolio for appraisers, attorneys and consultants, coupled with the requirement of the financial condition evaluation, is likely an expansion of existing vendor risk management efforts for most banks.”
The Bulletin goes on to define alternative methods in evaluating factors that may affect a third party’s overall financial stability, such as their:
- Access to funds
- Funding sources
- Net cash flow
- Expected growth
- Projected borrowing capacity
The OCC’s new interpretation sets a high bar for financial evaluations that can be met through VendorInsight®’s Vendor Due Diligence and Evaluation capabilities and the flexibility of the VendorInsight® solution to define required third-party vendor review components.
- VendorInsight® is uniquely prepared for the Bulletin’s guidelines for third-party assessment services.
“It has been our experience that shared vendor due diligence information from the vendor population is protected and often guarded,” says Fitzhugh. “As such, we focus on specific information released for our clients’ utilization and review. The VendorInsight® Vendor Evaluation comprehensive suite of due diligence content and associated evaluation templates lead the industry and allow our clients to assess vendor documentation on a consistent basis.”
VendorInsight® prides itself on being 100% compliant with OCC guidance. Bulletin 2020-10 defines expanded regulatory expectations that VendorInsight® is foundationally prepared to support.
Request a demo today to see a demonstration of VendorInsight®’s vendor due diligence and continuous ongoing monitoring capabilities.