Despite the complication of managing these new requirements, there are viable options for banks who seek a proactive approach. Supplier relationship management, otherwise known as SRM, is a process developed by companies to support supplier and vendor relationships beyond the contract signature. SRM can help foster value from third parties and reduce the risks associated with their role. An SRM program at your bank or FSA could establish the structure you need to comply with the law.
Many companies understand the concept of SRM but have failed to implement a program due to unclear program definitions and planning methodologies. However, many financial institutions have enlisted the help of specialists in vendor management who understand the complexities of these regulations and what banks need to do to classify critical suppliers and manage those suppliers properly.
It is important to note that OCC Bulletin 2013-29 applies to all banks, including community banks. Additionally, the OCC will release a memorandum by September 2014 regarding compliance with PPM 5400-8, which outlines details regarding the examination process of third-party suppliers. It will include specifics about how the front-line managers at community and midsized banks will be responsible for discussing the issues with examiners.
The OCC Bulletin 2013-29 outlines key stages within the risk management lifecycle that every bank should include in their third-party risk management processes, including:
Create a plan to manage the third-party relationship, including a clear understanding of the risks inherent in the activity
Thoroughly research third parties before hiring, ensuring that the level of supplier matches the level of critical activity and risk
Ensure that the contract clearly explains the responsibilities of each party, and that senior management obtains board approval when the third party is contracted to manage a critical activity for the bank
Monitor the third-party relationship throughout the entire lifecycle of the contract
Develop a plan for transition if and when the third party is terminated or the contract expires
Designate roles and responsibilities for the third party, ensuring the bank's board of directors is involved in the effective management of the supplier
Document the processes and other important details regarding the third party's responsibilities throughout the entire contract lifecycle
Establish independent reviews for all third parties to ensure they are keeping aligned with the bank's strategies and risk management policies
In the case of a violation, the OCC fines the bank and, if applicable, requires refunds to consumers. Cease and desist letters are also issued, stating that the bank should end an activity and not take it up again later, or else face legal action. From the OCC standpoint, if they find something wrong with your practice, your reputation and operations are at risk.