Q: When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually to meet the expectations in OCC Bulletin 2013-29?
A: While collaborative arrangements can assist banks with their responsibilities in the life cycle phases for third-party risk management, each individual bank should have its own effective third-party risk management process tailored to each bank’s specific needs. Some individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as
- integrating the use of product and delivery channels into the bank’s strategic planning process and ensuring consistency with the bank’s internal controls, corporate governance, business plan, and risk appetite.
- assessing the quantity of risk posed to the bank through the third-party service provider and the ability of the bank to monitor and control the risk.
- implementing information technology controls at the bank.
- ongoing benchmarking of service provider performance against the contract or service-level agreement.
- evaluating the third party’s fee structure to determine if it creates incentives that encourage inappropriate risk taking.
- monitoring the third party’s actions on behalf of the bank for compliance with applicable laws and regulations.
- monitoring the third party’s disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank’s disaster recovery and business continuity plans.