The Office of the Comptroller of the Currency (OCC) recently issued Bulletin 2013-29, which contains substantially more onerous risk management guidance for third-party business relationships (3PRs) of national banks and federal savings associations. Predicated on concerns about the growing volume, diversity, and complexity of both domestic and foreign 3PRs and what OCC identifies as new or increased risks―operational, compliance, reputation, strategic, and credit―attending such relationships, the Bulletin updates prior OCC guidance on 3PRs.

Other agencies, such as the FDIC, have previously issued guidance on risk management for 3PRs and identified heightened concerns regarding what they view as higher-risk activities. (Our recent legal alert discussed the FDIC's new supervisory approach to payment processing relationships―direct, or indirect through third parties (3Ps)―with merchants engaged in higher-risk activities.) 

The Bulletin develops a theme intoned by Comptroller Thomas J. Curry in a September 2013 speech in which he announced a program of "heightened expectations" for large banks, such as "strong" internal controls and audit functions ("satisfactory" ratings will no longer be acceptable) and "significant engagement" by directors, including the knowledge and focus to present a "credible challenge" to management.

OCC intends to issue regulations formalizing its "heightened expectations" program. The Bulletin moves in that direction by stressing the integration of 3PR risk management into an institution's strategic goals and risk appetite, all of which should be embodied in a plan and board-approved policies for selection, assessment (including due diligence), and monitoring of vendors, consultants, and others with whom the bank does business. For 3PRs that involve "critical activities" (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., IT) and that could pose material risks to the bank, the Bulletin indicates that OCC examiners will expect to find comprehensive and rigorous oversight by the bank and its senior management.

The Bulletin contains a fairly detailed discussion of a national bank's responsibilities in the life cycle of 3PRs:

  • Planning and selection
  • Due diligence
  • Contract negotiation and terms (especially important with foreign 3PRs that operate under different legal systems and cultures and are difficult to monitor)
  • Ongoing monitoring
  • Contingency plans for termination of the 3PR
  • Oversight and accountability
  • Documentation and reporting
  • Periodic independent reviews of the 3PR risk management process

While much of the Bulletin is sensible enough in the abstract, the additional compliance burden will be substantial and costly, particularly for community banks, which often must outsource necessary functions that they cannot realistically perform in-house. Although Comptroller Curry's "heightened expectations" as described in his September speech were explicitly directed only at large banks, the Bulletin conspicuously notes its own applicability to community banks. Unfortunately, the capacity of private sector financial institutions to shoulder a cumulative and ever-increasing compliance burden is not unlimited.

The actions that the Bulletin requires national banks to take with regard to the third parties (3Ps) in their 3PRs include the following:

  • An assessment of the 3P's financial condition, "growth, earnings, pending litigation, unfunded liabilities," etc., as "comprehensive as if [the bank were] extending credit"
  • Ensuring that the 3P "periodically conducts thorough background checks on its senior management"
  • Evaluating the 3P's legal and regulatory compliance program, including whether it has "the expertise, processes, and controls to enable the bank to remain compliant with domestic and international laws and regulations"
  • Ongoing monitoring that is tantamount to an ongoing due diligence process

We are unconvinced that many 3Ps involved in 3PRs, which largely comprise unregulated, nonfinancial businesses, will find the level of intrusiveness contemplated by the Bulletin acceptable. This is particularly true for those 3Ps (like some cloud computing businesses) whose market share could result in their bank customers, of whatever size, having insufficient leverage to negotiate for what the Bulletin contemplates. The OCC's expectation that a 3P that is not itself a regulated entity would, by virtue of doing business with a national bank or federal thrift, become (or contractually consent to become) "subject to OCC examination oversight, including access to all work papers, drafts, and other materials" is, in our view, a disincentive for 3Ps to do business with national banks and federal thrifts.

Thus, the natural consequence (perhaps unintended) of the Bulletin will likely be a reduction in the number of 3Ps willing to do business with federally chartered depository institutions or increased costs to such institutions for 3P goods and services. Unless the Federal Reserve and the FDIC promulgate similarly burdensome guidance, the Bulletin will result in a competitive advantage for state-chartered institutions.

Ballard Spahr's Consumer Financial Services and Bank Regulation and Supervision Groups include experienced lawyers who, among other things, counsel banking clients and their boards of directors and senior management on a variety of risk management issues, particularly those that expose them to legal, regulatory, and reputational risk. For more information, please contact CFS Group Practice Leader Alan S. Kaplinsky at 215.864.8544, or Keith R. Fisher in the Bank Regulation and Supervision Group at 202.661.2284.

Copyright © 2013 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.







