The OCC issued new guidance on third party relationships last Wednesday. The new guidance, found in Bulletin 2013-29, rescinds and replaces OCC Bulletin 2001-47, which many banks have used as the "template" for structuring their vendor management programs and as a checklist for what they need to address in their contracts with third party vendors.
While I haven't had a chance to absorb all aspects of the revised guidance, I have a couple of quick impressions. The first is that by including an extensive section toward the latter part of the guidance that includes specific duties for a bank's directors, as well as "senior management" and "business line management," the OCC is sending a message to banks that it expects third party relationships and vendor management to ultimately be the responsibility of the bank's board of directors.
While, strictly speaking, this was always the case (see, for example, the statement on page 1 of Bulletin 2001-47 as to the responsibility of the board of directors and management to "properly oversee and manage" such relationships), by going into detail as to the specific duties of the directors and senior management in the latest guidance, the OCC is making it clear that (1) it expects banks to be "drilling down" in terms of due diligence and management, both upfront and ongoing, on the risks of third party relationships, and (2) if those relationships cause loss to the bank of any type (reputational, operational, and strategic risks are all discussed), then the OCC will be looking all the way up the food chain at the bank to assess blame and, if warranted, impose penalties.
Here's a telling line: “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.” The emphasis is the OCC's, not mine.
There will be a lot of commentary on the new guidance in the near future. Banks of all kinds, not merely national banks, ought to pay attention to it. The OCC (and the other federal banking regulators, in our view) mean business. Vendor management, and third party relationships generally, must be addressed at the highest levels of the bank, because if a relationship turns "sour" and the bank suffers adverse consequences (even a "hit" to its public image), you can bet your bottom dollar they'll be assessing responsibility and consequences from the top down.