No. 2000-04
DATE: October 24, 2000
SUBJ: Third-Party Risk
TO: The Corporate Credit Union Addressed:
The Office of the Comptroller of the Currency (OCC) issued a letter on third-party risk, dated August 29, 2000. The information in the OCC letter is applicable to all financial institutions. This Guidance Letter will highlight a number of issues raised by OCC. However, corporate credit union staff are encouraged to review the entire OCC document, which can be obtained on the OCC’s Website: www.occ.treas.gov.
There are a number of ways in which third-parties (e.g., vendors, brokers, dealers, and agents) can provide valuable assistance to corporate credit unions in meeting their members’ needs. A third-party may be able to facilitate the offering of a specific product or service in a more cost-effective or timely manner than the corporate could do on its own. The third-party may possess staff expertise or operational infrastructure that would not be feasible for an individual corporate to maintain. Utilizing a third-party to provide a product or service may be a very prudent business decision. However, use of a third-party does not negate the requirement for corporate credit union management to maintain adequate control of the associated risks.
Before entering into a new product or service, it is expected that management would initiate an appropriate level of preplanning. Likewise, before entering into an arrangement with a third-party to provide a product or service, management should undergo a similar preplanning process. The officials cannot rely solely on the representations and assertions of the third-party.
Due Diligence
Before entering into any material contractual arrangement with a third-party, it is critical that a due diligence review be performed. At a minimum, the due diligence review should include:
Performance Monitoring
To ensure that an arrangement with a third-party is providing the corporate with the expected benefits, management must dedicate sufficient resources to monitor the third-party’s performance on a regular and ongoing basis. At a minimum, the performance monitoring should include:
Documentation
A key factor in a successful partnership with a third-party service provider is to fully document all aspects of the relationship. If deficiencies in the delivery of products or services are documented, the third-party is more apt to address them in a timely and efficient manner. If there is a deterioration of the financial or operational condition of the third-party, or if there is a lack of compliance with the conditions of the agreement or applicable laws or regulations, appropriate documentation may assist in correcting the concerns, limiting the impact on the corporate, or voiding the contract. At a minimum, the following documentation should be maintained:
The use of third-parties by corporate credit unions to provide products and services will likely continue to grow in frequency and importance as products and services continue to grow in complexity and sophistication. Officials must remain cognizant of the associated risks. Further, appropriate action must be taken to control and mitigate those risks to ensure the corporate’s ongoing safety and soundness. A corporate credit union may expose itself to financial loss if it allows too much control of the business relationship to be placed in the hands of a third-party.
If you have any questions, please contact this office at (703) 518-6640.
Sincerely,
Robert F. Schafer
Director
Office of Corporate Credit Unions
OCCU/DAS:ds
cc: State Supervisory Authorities
NASCUS
NAFCU
ACCU
bcc: Reading File
Regional Directors
All OCCU Staff
Office of General Counsel