Third Party Compliance Audits: The New Imperative for Financial Institutions

By Brad Moody

“Use of third parties reduces management’s direct control of activities and may introduce new or increase existing risks, specifically operational, compliance, reputation, strategic, and credit risks as well as the interrelationship of these risks. Increased risk most often arises from greater complexity, ineffective risk management by the bank, and inferior performance by the third party.” – Office of the Comptroller of the Currency, October 30, 2013 Bulletin

It’s well established that banks are increasingly turning to third parties to handle a wide range of activities and processes, from cash transport and ATM replenishment to IT and other services. However, when you examine the latest standards and scrutiny placed on financial institutions by the FDIC, CFPB, FFIEC, OCC, FinCEN, and others, it is clear that whether the activities are being performed by the bank itself or a third-party vendor, it’s the bank that carries the bulk of the risk. …

3 Essential Loss Prevention Controls for Cash Service Vendors

By Mark Lowers

In today’s integrated financial services system, Cash-in-Transit (CIT) service providers face new challenges in theft and fraud prevention. Traditional approaches to internal controls may leave risky gaps where CIT vendors and their banking customers intersect. Upgrading—and redesigning—these controls so that partners interpret outcomes accurately, and in the same way, is necessary to raise the adequacy of protections against theft and fraud risks.

The Office of the Comptroller of the Currency (OCC) has made it clear that banking institutions are ultimately responsible for the risk management performance of the third party cash vendor services they purchase. Banks cannot simply offload risks to vendors when they outsource traditional banking services. …

Underlying Deficiencies in BSA/AML Infractions

By Mark Lowers

In March 2014, Thomas J. Curry, Comptroller of the Currency, spoke before the Association of Certified Anti-Money Laundering Specialists about the Bank Secrecy Act (BSA) and Anti-Money Laundering law (AML) compliance. While he generally spoke positively about the efforts of banking institutions to meet the requirements of the BSA, he was also quick to point out that most of the headlines surrounding banks and the BSA are negative.

In other words, the media will seek out banks that are not in compliance. As a result, the industry as a whole must do more.

Curry noted that BSA infractions can “almost always be traced back to decisions and actions of the institution’s board and senior management.” The underlying deficiencies that lead to these poor decisions fall into four areas:

…

Summarizing the OCC Risk Management Framework for Banks

By Mark Lowers

The ongoing regulatory response to the 2008 financial crisis includes the Office of the Comptroller of the Currency (OCC) Risk Management Guidance on third-party relationships, issued in October 2013. The bulletin states that the OCC expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party.

“A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”

In a recent speech before the Risk Management Association, Thomas J. Curry, Comptroller of the Currency, emphasized the importance of managing the risks “associated with bank systems and processes” even above credit risk. He noted banks’ “increasing reliance on third parties” and the systemic risks they impose. …

Why Third Party Bank Audits Make Sense

By Mark Lowers

The Office of the Comptroller of the Currency (OCC) is focused on holding financial institutions—national banks and Federal savings associations—responsible for the risk management of business operations, whether they are performed internally or through third party vendors.

CIT companies are clearly included in this mandate.

The OCC recognizes that the growing interconnectedness of banks with third party cash management service providers has created new sources of risk due to gaps or inconsistencies of controls that can occur where distinct businesses interface. In everyday terms, this means there can be situations where “no one is in charge.”

Since the OCC is responsible for the security of the overall financial system, it is moving to make banks accountable for the gaps and inconsistencies between them and third party vendors that may pose risk to the system.

This creates specific kinds of difficulties for banks because they can be held accountable for the actions of organizations they do not own. Banks and their third party vendors, including CIT businesses, have different regulatory, standard practice, and incentive profiles, as well as different cultures and assumptions. It will take especially thorough due diligence to write contracts that lay out the important responsibilities and performance expectations for the different parties to get all the entities on the same page.

In these circumstances, monitoring performance takes on greater importance. There is a substantial possibility that unanticipated gaps or inconsistencies will emerge despite careful risk management planning. Banks have a strong incentive to measure performance and find irregularities as quickly as possible. …