New "Know Your Vendor" Guidance from the OCC

Iowa Banking Law Dickinson Law Firm Des Moines, Iowa

Posted on 11/19/2013 at 12:36 PM by The Newsroom

In a recent Bulletin, the Office of the Comptroller of the Currency published new guidance concerning third party vendor risk management practices. The guidance follows on the heels of the CFPB's vendor management guidance and rescinds the OCC's 2000 Advisory Letter on third party risk and its 2001 third party risk management principles Bulletin.

The OCC's new supervisory expectations provide more detailed guidance than before, and make all the more clear the proposition that banks it regulates are ultimately going to be held responsible for their vendor's performance. Specifically, the guidance provides that failure to have an effective risk management process that is commensurate with the level of risk, complexity of third-party relationships and bank's organizational structure may be an unsafe and unsound banking practice. In order to assess risk appropriately, banks must perform appropriate due diligence, negotiate contracts carefully, develop monitoring plans and contingency plans in the event of a contract's termination, and clarify roles not only within a bank as regards a service provider, but also between the bank and a service provider. Moreover, the OCC indicated that the more critical the activity is, the more rigorous the risk management assessment should be.

The ante has been raised in this latest release. More focused vendor management planning, more extensive due diligence, greater attention to contract details such as property rights and indemnification, more concerted monitoring, and contingency plans are the new norm, and banks regulated by the OCC are encouraged to observe the OCC's best practices for each of these areas. Given the increased reliance and outsourcing of bank operations to third party vendors, and given that we now have best practices established by the OCC, we should expect to see all federally insured banks subjected to similar expectations by their respective regulators. Past developments prove over and over that what's best practice for one type of financial institution is usually determined to be a best practice for others. We are prepared to assist in revisiting bank policies and procedures for evaluating, engaging and monitoring third party providers in light of the OCC's latest statement of its expectations as concerns third party service providers. To view the OCC's release, click here.  

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed. 

Categories: Banking Law


Questions, Contact us today.

Contact Us


The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm.  Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys.  If specific legal information is needed, please retain and consult with an attorney of your own selection.

There are no comments yet.
Add Comment

* Indicates a required field