Wednesday, March 12, 2014

Your Brother’s Keeper: the OCC & Third-Party Mortgage Vendor Relationships

Background

National banks and federal savings associations are subject to the prudential regulation of the Office of the Comptroller of the Currency (the “OCC”). National banks may engage in activities that are part of, or incidental to, the business of banking, or that are otherwise authorized for a national bank. The business of banking is an evolving concept, and the permissible activities of national banks similarly evolve over time.1 But when your bank’s senior management decides to outsource a critical function, especially a consumer-facing function like mortgage loan origination or servicing, you truly become your “brother’s keeper.” No Chief Executive Officer or Chief Compliance Officer wishes to find himself or herself targeted by the OCC for failure to conduct adequate third-party vendor due diligence or ongoing monitoring.

It has long been understood that senior management and boards of directors who employ third parties to conduct all or part of a critical banking function, without fully understanding the nature of the risks being introduced to the bank and without ensuring appropriate risk controls, breach their most fundamental fiduciary responsibility to depositors and shareholders.2 The Federal Financial Institutions Examination Council (the “FFIEC”) very aptly highlights that although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue.3

Long-standing OCC guidance

A national bank and its operating subsidiaries may make, purchase, sell, service, or warehouse loans or other extensions of credit for its own or another’s account, including residential mortgage loans.4 A bank may conduct its mortgage operations in conjunction with a third party not owned by the bank or its bank holding company. Vendors, brokers, dealers, and agents can offer banks a variety of legitimate and safe opportunities to enhance product offerings, improve earnings, diversify assets and revenues, or reduce costs. In most instances the fundamental risks associated with activities introduced by third parties are no greater or less than those the bank would have incurred had it performed the activity on its own.5

Historically, the OCC has stated very explicitly that bank management cannot rely solely on third-party assertions, representations, or warranties when entering such relationships.6 Specifically, the OCC has long required that:

  • Before entering into a major relationship with a third party, a bank should establish a comprehensive program for managing the relationship.
  • Such programs should be documented and include front-end management planning, appropriate due diligence selecting a vendor, and performance monitoring.7

These requirements were not satisfied merely by a bank relying on its own generic internal Vendor Management Policy. The OCC expressly contemplated that the bank’s negotiators and signatories to the vendor contract would tailor the program to the specific vendor, and that the documentation would reflect the selection criteria and validation specific to that vendor and to the services for which the bank sought to contract.

OCC activity in the wake of Bulletin 2013-29

OCC treatment of third-party vendor risk management was further clarified when the agency issued Bulletin 2013-29: Third-Party Relationships - Risk Management Guidance on October 30, 2013.8 Among its explicit guidance, the Bulletin states that an effective risk management process throughout the life cycle of the relationship includes:

  • plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party;
  • proper due diligence in selecting a third party;
  • written contracts that outline the rights and responsibilities of all parties;
  • ongoing monitoring of the third party’s activities and performance;
  • contingency plans for terminating the relationship in an effective manner;
  • clear roles and responsibilities for overseeing and managing the relationship and risk management process;
  • documentation and reporting that facilitates oversight, accountability, monitoring, and risk management; and
  • independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

The OCC wasted no time applying those third-party risk management principles, both immediately before and since the issuance of Bulletin 2013-29. On September 19, 2013, the OCC assessed a $60 million penalty against JPMorgan Chase and ordered the bank to reimburse consumers for unfair billing practices.9 In the JPMorgan Chase matter, the OCC order also requires the bank to take a number of corrective measures that include:

  • ensuring compliance with the FTC Act;
  • improving governance of third-party vendors associated with certain consumer products;
  • developing an enterprise-wide risk management program for such consumer products marketed or sold by the bank or its vendors; and
  • improving its consumer compliance internal audit program.

American Express Bank received an early Christmas present when the OCC announced on December 24, 2013 that it would assess a $3 million penalty against the bank and order restitution to customers for unfair billing and deceptive marketing practices.10 The OCC order, whose restitution payments also satisfy related Consumer Financial Protection Bureau (CFPB) obligations, requires the bank to:

  • improve governance of third-party vendors associated with “add-on” consumer products;
  • develop a risk management program for “add-on” consumer products marketed or sold by the bank or its vendors; and
  • conduct an “add-on” product review to, among other things, identify and remediate consumer harm and any program weaknesses.

The OCC has clearly communicated that it intends to aggressively protect consumers from harmful activities resulting from a bank’s use of third-party vendors, and that it will hold a bank fully responsible for that third party’s missteps.

Critical Attention to Pre-Contractual Due Diligence

Every activity undertaken by bank management and its agents should accord with OCC requirements and should withstand subsequent examination by the OCC, the internal audit function, and external auditors. A contemplated third-party business relationship that contributes directly to a bank’s growth plan should be disclosed by bank management to the bank’s board of directors in sufficient detail to allow the board to discharge its fiduciary responsibility. The negotiators of a third-party business relationship (including bank management, holding company management, and legal counsel) are in the best position to review, question, and revise contract provisions prior to execution, so as to ensure that the contract directly addresses OCC compliance requirements, including those relating to third-party risk and due diligence.

Where bank management and its agents engaged directly in the planning, negotiation, and execution of the third-party agreement, one should reasonably be able to conclude that they conducted those activities in accordance with OCC Bulletin 2013-29.11 In advance of executing the agreement, bank management and its agents would have engaged in, and fully documented, both management planning and due diligence in selecting the vendor. The agreement itself would further have documented the performance monitoring required to evaluate the vendor’s risk management posture on an ongoing basis. To have failed to faithfully adhere to the details of the Bulletin by simply relying upon professional relationships or contractual representations and warranties would be both imprudent and discordant with explicit OCC guidance.

Ongoing Risk Assessment and Improved Governance

If a CEO or CCO was not involved in the contract negotiations with a third-party vendor, that leader may not be able to independently confirm whether bank management and its agents adhered to OCC requirements during the pre-contractual due diligence period. Once that leader becomes aware that such a gap may have occurred, it becomes incumbent upon him or her to commission an independent risk assessment of the third-party vendor relationship. This obligation is critically important when the third-party vendor is providing consumer mortgage loan services.

The auditors assigned to conduct the independent third-party risk management review should be able to request, obtain, and evaluate the pre-contractual documentation, and to supplement their initial conclusions with interviews of the individuals directly engaged in the planning, negotiation, and execution of the third-party vendor agreement. As with any audit, should the auditors identify exceptions to the OCC’s third-party risk management guidance that present a material risk of non-compliance or future financial loss, then, in consultation with the Chief Audit Executive, bank management and the bank’s board should be so advised so that remedial measures can be undertaken.

Conclusion

It is evident that the OCC expects governance, risk management, and controls (GRC) to be in place prior to and at the inception of third-party mortgage vendor relationships. Even as bank management remediates an existing relationship with a consumer mortgage vendor, all stakeholders should take note of the lessons learned: thorough due diligence, explicit contractual definition of roles, and contractual provisions for detailed oversight, accountability, and monitoring. Future third-party vendor relationships must incorporate those onboarding elements as standard requirements of a larger enterprise-wide risk management process, lest the OCC conclude that your bank’s governance practices are insufficient to take heed of Bulletin 2013-29.


References





5      Third-Party Risk, August 29, 2000. (Subsequently rescinded by OCC Bulletin 2013-29)

6      Ibid.






1 comment:

  1. Thank you for the more detailed information, very well written, about Vendor Risk Management Software, especially about the features or benefits a Vendor Risk Management Software should provide: improve business productivity while mitigating the risk and costs of growing volumes of content.