An Ongoing Regulatory Hot Button – Managing Vendor Risk

Third-Party Vendors – Are You Managing Your Risks?

The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC) expect banks to practice effective risk management regardless of whether the bank performs activities through a third party or internally.

In October 2013, the OCC published a bulletin titled “Third-Party Relationships: Risk Management Guidance” (OCC Bulletin 2013-29). On December 5, 2013, the FRB followed with its “Guidance on Managing Outsourcing Risk” (Supervisory Letter SR 13-19). The FDIC’s prior guidance on the issue, “Guidance For Managing Third-Party Risk” (2008), sets out similar expectations, as does its recently revised compliance examination manual, which includes procedures to identify unfair, deceptive, or abusive practices in third-party relationships (

As outlined in the FRB Guidance, “A community banking organization may have critical business activities being outsourced, but the number may be few and to highly reputable service providers.  Therefore, the risk management program may be simpler and use less elements and considerations.”

Banks must determine whether or not a particular service is a “critical activity”, which includes activities that serve significant bank functions or provide for significant shared services.  Each management process must be tailored to the individual bank and to the individual vendor relationship.  Before entering into a vendor relationship, banks should consider, among other things:  (1) compliance risks, (2) concentration risks, (3) reputational risks, (4) operational risks, and (5) legal risks.

Third-Party Risk Management Process:  Life Cycle of the Relationship

Who is Responsible for Vendor Management Oversight?

Depending on the size and structure of the financial institution, the person with primary responsibility for vendor relationships, and the person to whom they report, will vary. In every case there should be clear accountability and a defined path of responsibility. This demonstrates to regulators that the financial institution understands the importance of this area and is committed to effective oversight. The Board of Directors and senior management should be actively engaged in vendor relationships, especially those involving critical activities.

Supervisory Reviews of Third-Party Relationships

There are serious regulatory implications in failing to properly manage the financial institution’s vendor relationships. In its guidance, the OCC stated:

“A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.  Serious deficiencies may result in management being deemed less than satisfactory.”

Business Best Practices and Practical Tips:

Financial institutions have always had to manage vendor risk.  However, with the increased reliance on third-party vendors and the increased complexity of those relationships, financial institutions (including the Board and senior management) must devote enhanced attention and focus to this evolving area.

Be Proactive – Whether that is by automating the monitoring process to ensure that important deadlines are not missed or by pushing back on supposedly non-negotiable vendor contracts, the regulators are looking for financial institutions to make a serious commitment to consciously manage their vendor relationships and for the Board and senior management to take full ownership of the process.

This article was written by Kris Welch.
