One of the time-honored traditions to kick off the holiday season in New York is the Macy's Parade, where huge helium-filled balloons float down the broad avenues of the city. Well, actually, they don't float; they are moved down the parade route by handlers who walk and pull the balloons along with tethers. The balloons are huge and unwieldy, and accidents can and do happen. Felix the Cat caught on fire once, Bullwinkle spewed helium from his nose one year, and various balloons, including SpongeBob, have crashed into things on the street. The Cat in the Hat hit a light post in a wind gust one year, knocking it down and injuring a number of spectators. As a result of the complexity and risk associated with these balloons, there is a specific set of rules dictating the level of wind allowed. If the wind is blowing at a certain level, the biggest balloons like SpongeBob don't fly.
Talk about a risk management nightmare--hundreds of thousands of people lining the sidewalks, 5-story balloons and the potential for wind howling down Manhattan's urban canyons. Bankers know that the level of risk management planning and processes for any given situation should be commensurate with the level of risk. One area of special interest to regulators of late is third party vendors. Banks of all sizes have become quite dependent upon outsourcing numerous activities, and of special concern to regulators are third party relationships involving "critical activities." In fact, the OCC released new guidance on risk management specifically as it relates to third party relationships. The guidance warns banks to practice effective risk management, regardless of whether the bank is performing a function internally or through a third party. It also reminds banks that using a third party does not diminish the responsibility of the bank's board or senior management to ensure the activity is performed in accordance with laws.
There is a lot of detail in the guidance and compliance officers should read it carefully, but we offer a roundup of a few of the main points. Banks should adopt risk management processes commensurate with the level of risk and the complexity of their third party relationships, and they should be especially comprehensive in the case of third party relationships involving critical activities. The risk management process should continue throughout the lifecycle of the relationship, beginning with an outline of the bank's strategy, identification of the inherent risks of the activity and how the bank intends to oversee the third party. There should be proper due diligence in selecting a third party and written contracts that outline the rights and responsibilities of all parties. Ongoing monitoring of activity and performance of the third parties is critical, as are contingency plans for termination of the relationship. Regulators will also look for documentation that facilitates successful oversight and management of the relationship, and will perform independent review to be sure all is working.
Regulators are mapping out more specifics because banks continue to increase the number and complexity of third party relationships. In many cases, banks are outsourcing entire functions such as tax, legal, audit, or IT. Regulators are concerned that the quality of risk management has not kept pace with the depth and importance of these third party relationships.
At PCBB, we are strong believers in using outsourcing to carry out processes that occupy staff time and that can be more efficiently carried out by others. This regulatory update for banks should serve as a reminder that outsourcing is fine, but banks need to include such arrangements in their risk management processes to ensure everything is working as expected.