Mom, Apple Pie, and the Office of Comptroller of the Currency
Records and Information Management and the New OCC Guidance
Remember growing up when your mother didn’t want you to hang out with certain friends? It was as though she had a list of friends that she considered safe — the ones who could come over to the house, stay for dinner, sleep over, and were welcomed as part of the family. Then there were other friends whose mere mention sent a look of concern across her face, as she started to think about all the trouble the two of you were going to get into — there was no escape, you were already guilty.
Of course, when you were a child you thought this was just another example of parental law being enforced indiscriminately. However, much like many of the things your mom said that once seemed unfair and overprotective, looking back as an adult, and perhaps with children of your own, these “friend” rules are much more understandable.
Speaking of Parental Oversight
Recently the Office of the Comptroller of the Currency (OCC) released an update to its governance ruling for third-party risk management. For banks needing guidance to better identify and update their “good friends” list, the recent bulletin highlights the importance of reviewing third-party relationships that have become critical to the operations and services offered by the bank.
While the OCC guidance is directed at all critical relationships, the purpose of this paper is to look at how the OCC’s recommendations may impact your records and information management program. Records in any format, be it physical paper or electronic, contain personal information about your clients as well as your employees. Each vendor relationship needs to be evaluated within the context of your program and the nature of the services outsourced; however, any vendor with access to personal information is likely to be considered critical.
For some banks the bulletin has kicked off a larger enterprise-wide initiative to review all vendors in an effort to determine which ones should be considered critical under the new risk-weighted model. Other banks have used the guidance to confirm that the recommended practices are already in place. Needless to say, the bulletin has far-reaching implications and will be relied on as banks continue to enhance or establish a compliant vendor risk management program.
Over the last few years we have seen this topic emphasized by many of the financial industry regulators. As the OCC and other agencies take a closer look at your vendor relationships, they want to make sure you are taking a “continuous life cycle” approach with your program.
It is important to start with the general understanding that not all vendor relationships are created equal, and the OCC guidance clearly focuses on the relationships that are deemed critical to the bank’s ability to, first and foremost, protect its customers’ deposits and personal information. Each bank needs to evaluate its vendors by first asking: “Does the nature of this relationship pose a significant risk to our customers and business?” By determining the severity of the risk exposure, you are able to confidently build a compliant vendor risk program with the appropriate controls in place, controls that help you plan, implement, audit, and maintain all of the relationships your institution is leveraging to meet the needs of your customers, employees, and operations.
Risk Management Life Cycle
The OCC has provided a model for banks to consider when reviewing their third-party relationships. The Risk Management Life Cycle model highlights the six areas banks need to focus on when selecting and working with a critical third party.
It is important to note that the OCC and other regulatory agencies expect banks to have robust vendor risk management policies and procedures in place equal to the level of risk that the outsourced task represents. A good rule of thumb to consider is that your bank is outsourcing the task, not the responsibility. The OCC outlines what it considers an effective third-party vendor risk management process in the life-cycle management process depicted in the diagram. Starting with the planning phase and continuing through to the termination phase, by adhering to the five stages and documenting the continuous reporting and review practices necessary, a bank will be able to monitor, understand, and ultimately mitigate third-party vendor risk.
While most banks have some type of plan when they enter into a third-party vendor relationship (it’s not like you ignore the risks), the OCC now states that you need to document the planning phase and how the risks are being evaluated. It’s recommended that you adapt your risk management assessment based on the complexity and risk associated with the third-party relationship. For example, for the most critical activities, plans should be reviewed and approved by the most senior level of management, perhaps even the bank’s board. Making sure your needs are clearly documented and approved by management prior to contacting or entering into an agreement with a vendor will now become standard.
Most records and information management programs fall into one of three categories: in-house, fully outsourced, or blended. There are risks associated with each option. The decision to use a third-party provider must meet the overall strategic goals, objectives, and risk appetite of your bank. This includes looking at the costs of outsourcing versus maintaining the program in-house. This latest guidance also speaks to the need to incorporate the cost to manage and monitor third-party relationships as you assess whether or not it is truly more cost effective to outsource. Direct and indirect costs should be documented to determine whether the potential financial benefits outweigh the estimated costs to control the risk and manage your program.
In addition to the cost-benefit analysis, banks need to consider which regulations impact the activity outsourced. For records and information management, long-standing regulations like Gramm-Leach-Bliley, or the far-reaching Dodd-Frank, impact how you handle your program. Partnering with a third party that has experience complying with the specific industry regulations can help you more easily demonstrate compliance to regulators.
The planning phase is the time to document how the bank will select, assess, and monitor the third-party relationship. It is important to consider the complexity of the activity being outsourced. What types of service level agreements will be needed to ensure that you can effectively monitor the activities?