February 7, 2023

Volume XIII, Number 38


February 06, 2023

Managing Third Party Relationships: New Regulatory Guidance for Banks

The use of third-party relationships has allowed financial institutions to outsource key functions such as tax, legal, audit, information technology and loan servicing (among others). This allocation of banking functions can generate cost savings, increase efficiencies, refocus internal operations and can allow a financial institution to offer new products or services and access new markets. The outsourcing of banking functions can also expose financial institutions to certain risks, including operational, reputational, strategic, and compliance/legal risks.

In response to the increased desire of financial institutions to leverage their finite resources by taking advantage of third-party relationships, the Office of the Comptroller of the Currency and the Federal Reserve Board have released guidance for managing risks associated with the use of third parties. This Commercial Law Update summarizes the guidance published by the OCC on October 30, 2013 (the "OCC Guidance") and the Fed on December 5, 2013 (the "Fed Guidance"). Board members, senior management and compliance officers should be aware of how this guidance affects their institution's current outsourcing processes, because a failure to implement effective risk management processes in connection with third-party relationships may constitute an unsafe and unsound banking practice.

As of the date of this Update, the Federal Deposit Insurance Corporation has not indicated whether it plans to issue new third-party risk management guidance, nor has there been any indication that interagency guidance on this topic is forthcoming. State-chartered non-member banks and savings associations should continue to rely on existing FDIC guidance, including the Financial Institution Letter entitled "Guidance for Managing Third-Party Risk" dated June 6, 2008 (FIL-44-2008), although familiarity with the concepts introduced in the OCC Guidance and the Fed Guidance may be beneficial as you review your third-party risk management processes.

OCC Guidance

The OCC Guidance provides detailed direction to national banks and federal savings associations with regard to assessing and managing the risks related to the use of "third-party relationships," which include any business arrangements between the institution and another entity, whether by contract or otherwise, but generally do not include a financial institution's relationship with its customers.

The general principle underlying the OCC Guidance is that national banks and federal savings associations should "adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships." The OCC Guidance gives financial institutions flexibility to tailor risk management processes to their own risk profiles, rather than imposing a one-size-fits-all approach on all financial institutions under the OCC's purview. Nevertheless, the OCC Guidance notes that effective third-party risk management processes should include the following elements throughout the entire relationship:

  • Planning: develop plans that outline the financial institution's strategy for managing risks inherent in the relationship;

  • Due Diligence and Third-Party Selection: conduct due diligence commensurate with the level of risk and complexity of the relationship prior to establishing such relationship, and consider the third party's strategies and goals, legal and regulatory compliance, financial condition, business expertise and reputation, information security and reliance on subcontractors;

  • Contract Negotiation: negotiate written contracts that clearly specify the parties' rights and responsibilities;

  • Ongoing Monitoring: perform ongoing monitoring throughout the duration of the relationship;

  • Termination: create contingency plans for terminating the relationship;

  • Documentation and Reporting: develop proper documentation and reporting processes;

  • Oversight and Accountability: ensure that the board and senior management of the financial institution are effectively managing the relationship; and

  • Independent Reviews: perform independent reviews of the financial institution's risk management processes.

The OCC Guidance references heightened requirements on certain "critical activities" (i.e., activities involving significant functions of a financial institution such as payment, clearing, settlement, custody and information technology) that require more comprehensive and rigorous oversight and management. The OCC states that critical activities will impose greater oversight responsibility on a financial institution's senior management and board of directors to ensure that such activities are performed in a safe and sound manner and in compliance with applicable law. The escalated responsibilities of the board and senior management include:

  • board approval of initial plans to manage the relationship;

  • a more active role in the due diligence process by senior management and the board;

  • ongoing monitoring and review of existing relationships;

  • board approval of contracts that involve critical activities; and

  • independent reviews of risk management processes conducted periodically with appropriate actions taken in response to any adverse results.

The OCC Guidance replaces and enhances prior guidance (namely, Bulletin 2001-47 and OCC Advisory Letter 2000-9), which was less detailed and did not include the heightened requirements applicable to outsourcing "critical activities."

Fed Guidance

The Fed Guidance applies to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries) and U.S. operations of foreign banking organizations. The Fed Guidance outlines standards for implementing risk management programs regarding a financial institution's use of "service providers" to perform operational functions. The term "service providers" is defined broadly in the Fed Guidance to include all entities (whether bank or non-bank, affiliated or non-affiliated, regulated or non-regulated, or domestic or foreign) that have entered into a contractual relationship with a financial institution to provide business functions or activities. Regarding these service provider programs, the Fed Guidance lists the following "core elements" of an effective risk management program:

  • Risk Assessments: determine whether to outsource, the cost implications and the ability to provide appropriate oversight and management;

  • Due Diligence and Selection of Service Providers: review business background, reputation and strategy, financial performance/condition and internal controls;

  • Contract Provisions and Considerations: document terms in written contracts that are reviewed by legal counsel prior to execution and cover, among other things, scope, cost, audit rights, monitoring of performance standards, confidentiality and security of information, indemnification, default and limits on liability;

  • Oversight and Monitoring of Service Providers: establish performance metrics and ensure that personnel with oversight and management responsibilities have proper expertise and stature to manage the relationship, and structure the process to be risk-focused with more frequent assessments and monitoring for higher risk service providers;

  • Incentive Compensation Review: review and approve the service provider's compensation structure to determine whether it encourages unnecessary risk-taking; and

  • Business Continuity and Contingency Plans: prepare contingency plans focusing on critical services and consider alternative arrangements in response to performance failures.

The Fed Guidance states that an appropriate risk management program should be focused on risk (namely, activities that: (a) have a substantial impact on an institution's financial condition, (b) are critical to the institution's ongoing operations, (c) involve sensitive customer information or new bank products or services, or (d) pose material compliance risk) and provide oversight and controls commensurate with the level of risk.

Unlike the OCC Guidance, the Fed Guidance explicitly provides that the depth and formality of a risk management program will depend on the "criticality, complexity, and number of material activities being outsourced." Accordingly, if a smaller financial institution, such as a community bank, outsources a small number of critical activities to reputable service providers – notwithstanding that such critical activities may implicate material risks – the risk management program may be simpler and require fewer compliance elements and considerations. The Fed's pragmatic approach appears to offer greater flexibility to smaller financial institutions (like community banks) that outsource critical banking activities.

©2023 von Briesen & Roper, s.c.

National Law Review, Volume IV, Number 14

About this Author

William Taibl, Von Briesen Roper Law Firm, Milwaukee, Real Estate Law Attorney

Bill Taibl has experience in nearly all areas of financial institution representation and in a wide variety of real estate-related matters. He provides counsel on law and regulatory compliance issues related to consumer and operational matters, including Truth in Lending, RESPA and ECOA, required Board policies, branching activities, new product development and subsidiary transactions. He has handled major troubled loan workouts in Wisconsin and around the country. He has been involved in a wide variety of real estate sales and purchase transactions and commercial lease...

Andrew Guzikowski, von Briesen Roper Law Firm, Milwaukee, Finance Law Attorney

Andy Guzikowski is a Shareholder and Chair of the Firm’s Public Finance Section.

Andy has had more than 25 years of experience in public finance. He has served as bond counsel and issued the approving bond/tax opinions in over $500 million of tax-exempt bond issues that financed municipal equipment purchases, sewers, new schools and school improvements as well as manufacturing facilities, nursing homes and senior living facilities and has a broad range of experience representing bond issuers, borrowers, underwriters, bond purchasers, remarketing...

Brion Winters, von Briesen Roper Law Firm, Milwaukee, Corporate and Finance Law Attorney

Brion is a Shareholder at von Briesen with a unique background and skillset that service the diverse needs of his clients. Brion’s clients come in all shapes and sizes from closely-held businesses, start-up companies and individuals to well-established financial institutions and municipalities. Brion’s commitment to customer service, attention to detail and unending desire to provide value serves his business, banking, developer, municipal and individual clients well.

In 2008, Brion joined von Briesen from M&I Wealth Management where he...