On January 24, 2017, the OCC published a bulletin with the subject "Third-Party Relationships," followed by the description "Supplemental Examination Procedures." Within the bulletin is a link to the actual supplemental examination procedures for future examinations (links to OCC Bulletin 2017-7 and the supplemental exam procedures can be found at the bottom of this post).
The supplemental procedures document states,
“These procedures are designed to help examiners tailor the examinations of national banks and federal savings associations (collectively, banks) and determine the scope of the third-party risk management examination.”
The expanded focus on concentration risk is spelled out under the heading "Quantity of Risk" on page four of the document, beneath “Objective: To determine the quantity of operational risk associated with the use of third parties."
Concentration Risk examination validation is detailed in the following passage and associated footnote:
“1. Determine whether there are any concentrations among third-party relationships.
• Review the bank’s methodology for identifying concentrations among third-party relationships
• Determine whether there are concentrations due to the bank’s reliance on a single third party for multiple activities, particularly when several of the activities are critical to one or more lines of business
• Determine whether there are geographic concentrations where the bank’s own operations, the operations of its third parties, or the operations of third parties’ subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.”
“(Footnote 7) Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations, and that of its third parties and subcontractors, are located in the same region or are dependent on the same critical power and telecommunications infrastructures.”
The implication is clear: vendor management organizations have been given a new challenge. It should be no surprise that an understanding of service concentration with a single vendor is required; the new piece being introduced here is how to validate geographic concentration. At VendorInsight®, we have developed our software with data management capability and analytics flexibility. We are currently working with our existing clients to detail and manage these new examination expectations. If you are not our client (yet), how are your providers addressing this just-announced expectation, and when? It is a fair question you should be asking.
As most know, many of the remaining regulators will follow or formally adopt what the OCC defines.