Is your Due Diligence program meeting the OCC Compliance Guidelines?
A Guide to OCC Requirements: What you need to know to mitigate risk
Recognizing that financial institutions increasingly rely on third parties to operate, the Office of the Comptroller of the Currency (OCC) released Risk Management Guidance in October 2013. At the time, Comptroller of the Currency Thomas J. Curry suggested that organizations’ risk management processes might be inadequate given the increasing volume, diversity and complexity of third-party relationships at home and abroad.
OCC standards mean that organizations can be held accountable for the actions of third parties operating on their behalf. The regulations include:
- Conducting appropriate due diligence of vendors
- Implementing internal policies and procedures for control and oversight of third-party relationships
- Instituting contracts that detail compliance expectations
- Addressing compliance issues proactively
- Having plans for risk management and disaster recovery in place
These requirements do not apply to financial institutions alone; debt collection companies, non-bank consumer credit services and auto dealerships represent a few of the types of businesses that need to make OCC compliance a priority.
Why is third-party risk management important?
Not all third-party relationships carry the same amount of risk. Evaluating third parties against an OCC compliance risk assessment matrix allows you to match the due diligence you conduct to the level of risk and complexity of each third-party relationship.
Through investigations—on its own and in collaboration with other agencies like the Consumer Financial Protection Bureau (CFPB)—the OCC found serious third-party compliance issues, including:
- Failing to conduct adequate risk assessments, due diligence and ongoing monitoring of third-party relationships
- Moving forward with third-party relationships without first assessing their risk management processes to ensure compliance
- Entering into incentive-based contracts that increase the likelihood that a third party will take risks to maximize profits
Moreover, such compliance issues lead to serious penalties. In addition to requiring financial restitution to affected customers, organizations may be subject to substantial fines, reputational damage and increased scrutiny by regulators. In one such action, the organization found in violation of OCC and CFPB rules was required to pay $309 million in restitution and $60 million in civil penalties in addition to being subjected to an independent audit and required to make improvements to its third-party vendor oversight*.
Subjecting every third party you rely on to an extensive due-diligence process may be tempting given the enormous financial and reputational costs when an organization is found to have violated OCC requirements. Such an intensive approach is impractical, however, in terms of both time and expense. Instead, financial institutions should follow a risk-based due-diligence process to uncover potential threats more efficiently.
OCC Risk Management Essentials
To mitigate third-party risk, companies must:
- Conduct a risk assessment to determine the level of risk a third party may pose.
- Perform due diligence commensurate with the risk and complexity of the activities the third party performs. For low-risk entities, this would include basic due diligence covering verification of key company data and financials, and name checks of the entity and key executives/board members against sanctions, watch lists and PEPs. For high-risk entities, this would include all of the above, plus entity and person checks related to negative news and associates.
- Review third parties’ compliance policies, including their internal controls, processes and training
- Implement an ongoing monitoring and reporting process to mitigate risk over time.
- Document your due diligence efforts.
So why use Nexis Diligence™ to support your risk-based due diligence process? Nexis Diligence™ gives you access to critical content not easily discoverable on the open web, such as licensed news sources from around the globe; negative news, PEPs, sanctions and watch lists; and company information including corporate hierarchies, financial health and more. The result? You can conduct research more efficiently, reduce costs associated with accessing information hidden behind paywalls and maintain an audit trail of your research to demonstrate your commitment to an OCC compliance program.
Download the full white paper for details on the penalties organizations face for non-compliance and more recommendations for a third-party risk management process to protect your reputation and bottom line.