OCC Turns up Scrutiny of Vendor Management

By Laura Alix


In 2015, vendor management may be the new black. Or, if we’re going to use an industry-specific example, the new QM rule. That is to say, it’s an issue to watch this year.

Of course, vendor management is nothing new for the banking industry. What is new is the increased regulatory scrutiny in this area, which has been ramping up since a joint regulatory review and ensuing enforcement actions in 2011 of several large mortgage servicers.

The most recent turning point, according to many, is OCC Bulletin 2013-29, issued in October 2013, which laid out agency guidance on managing risks associated with third-party relationships.

And while community banks aren’t regulated by the OCC, where the Office of the Comptroller of the Currency goes, the other regulators tend to follow, observers say.

“The fear is that if this is implemented in accordance with its terms and it spreads to the FDIC and state chartering authorities, it’s going to be quite a regulatory burden – not only for the banks involved, but also for the third-party vendors involved,” said Kevin Handly, an independent Boston-based banking lawyer and professor of banking law at Boston University’s law school.

Echoing a theme that tends to reverberate throughout the banking industry, Handly said that burden will be the most onerous for smaller, third-party vendors. A service provider could potentially be asked to open their doors and books to regulators during a bank examination, sucking up time and resources, and smaller companies and startups may ultimately decide it’s not worth it at all to do business with banks.

On the flipside, banks could decide it’s not worth contracting with a promising startup or small business that’s not already entrenched in the financial services industry.

Handly also said he is concerned that the OCC’s guidelines do not specify just how far regulators or bankers must go in determining whether a given vendor presents too much risk. If, for example, a vice president at a third-party security firm has a 10-year-old misdemeanor, is that grounds for dismissal? Must bankers run all their vendors through the OFAC’s “black list?”

“It is a potential huge can of worms,” he said.


A critical question

One of the key questions surrounding the subject of vendor management is how banks define vendors as “critical” or not. The OCC has laid down its expectation that banks identify those third-party service providers engaged in “critical activities” and hold them to more rigorous standards than those engaged in less critical functions.

While the agency has not laid down exact criteria for what constitutes “critical activities,” it describes “critical” as meaning engaged in significant functions, like payments, clearing and information technology, or anything else that could pose “significant risk” if the vendor falls short of expectations, could have “significant customer impacts,” or could have a major impact on bank operations.

“Our expectations are that management and the board of directors are able to identify what are those critical services,” said Beth Dugan, the OCC’s deputy comptroller for organizational risk. “They must make that determination for themselves for their given situation.”

When asked about how often regulators look into the books of third-party service providers, Dugan demurred, saying, “to be honest, I don’t think it’s a very frequent [occurrence].”

Some community bankers say vendor management doesn’t have to be that complicated or onerous a task.

Belmont Savings Bank, for instance, ranks its vendors A, B or C, according to their exposure to sensitive information, President and CEO Robert M. Mahoney said. The A vendors would be those with access to the most sensitive customer information, like account numbers or balances and Social Security numbers, while B vendors might have some exposure to semi-sensitive information, like customer home addresses, and C vendors would include, say, the guy who clears the snow from the parking lot in the winter.

Whitman-based Mutual Bank does something similar, ranking its vendors according to high, medium, low or non-existent risk, said CEO Glen S. White.

Both CEOs estimated they did business with maybe four or five vendors that warranted the highest risk rating, but neither seemed especially concerned that regulatory pressure vis-à-vis vendor management might be unduly burdensome in the year ahead.

That’s partially because, both agreed, for those most critical functions, they tended to contract with service providers heavily steeped in the banking industry – not with vendors who had just two or three bank clients.

Mahoney added, “Vendor management has been top of mind for three or four years; ranking your vendors, determining which have access to highly sensitive information, which don’t, visiting them, monitoring them, understanding their disaster recovery plans … If the OCC had to tell me to do that, then shame on me.”


Laura Alix is a staff writer for The Warren Group. She may be reached at lalix@thewarrengroup.com.