(Bankers and compliance officers can skip through to the fourth paragraph. You already know the basics.)
The future is darker for the American consumer because of the negligence of Equifax. This risk may be worse for banks, credit unions and all financial institutions. On Friday, September 8, the company notified the world that their database had been hacked. In terms of numbers, the hack wasn’t even close to Yahoo’s billion plus accounts. In terms of overall damage, nothing comes close to Equifax’s horrible achievement. It is the destruction, firestorm and radiation of nuclear bomb compared to Yahoo’s firecracker.
Let’s talk about the OCC first.
The Office of the Comptroller of the Currency (OCC) is an independent bureau within the United States Department of the Treasury that was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and thrift institutions and the federal branches and agencies of foreign banks in the United States. Among other duties, this office tells banks and credit unions how they should manage risk – including third-party risk.
What is third-party risk?
The FDIC defines third-party risk as “the potential risk that arises from financial institutions relying upon outside parties to perform services or activities on their behalf.” A third-party is broadly defined to include all entities that have entered into a business relationship with the financial institution, whether the third party is a bank or a nonbank, affiliated or not affiliated, regulated or non-regulated, or domestic or foreign. They maintain a good slide-deck on the basics of third-party risk here.
Concerning third-party relationships, the EXACT words of the OCC are as follows:
1. A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
2. A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
3. An effective risk management process throughout the life cycle of the relationship includes:
a. plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
b. proper due diligence in selecting a third party.
c. written contracts that outline the rights and responsibilities of all parties.
d. ongoing monitoring of the third party’s activities and performance.
e. contingency plans for terminating the relationship in an effective manner.
f. clear roles and responsibilities for overseeing and managing the relationship and risk management process.
g. Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
h. Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.
4. This guidance applies to all banks with third-party relationships. A community bank should adopt risk management practices commensurate with the level of risk and complexity of its third-party relationships. A community bank’s board and management should identify those third-party relationships that involve critical activities and ensure the bank has risk management practices in place to assess, monitor, and manage the risks.
Few of you are monitoring Equifax.
Equifax is a vendor. Banks, credit unions, utilities (basically everyone that you can enter into a financial contract with) pull data from Equifax and push new data back to the agency. Equifax is a vendor and this is not an abstract definition – it is fact. If your bank or credit union has business with Equifax if you ever had business with Equifax, you are not safe from litigation. The heat is on Equifax right now. It took a matter of hours for the first class-action to be filed in Portland, Oregon. The potential cost of this breach (based on an average of $245 per-capita) is $35 billion, (Paymentssource, 2017). That is twice the market cap and almost 6x the total assets of Equifax. A vulnerability in the Apache Struts framework has been identified as the hack’s access point. Indications are that a patch had been issued prior to the intrusion, but the timeline is not clear yet, (eWeek, 2017). There may or may not be a shared liability. The point here is that every cent of Equifax’s value might already be accounted for; and when that reward is gone the lawyers will look at the creditors next.
Read the OCC’s guidance again. Ultimately, it may not happen - the argument can be made, though. Your community bank or credit union is not out of danger. I reached out to 14 banking and compliance experts and 10 responded. Here are the results:
Question: Based upon the OCC’s guidance, is a credit-reporting agency considered a vendor that must be monitored by a creditor in a risk-appropriate manner?
8 Answered yes.
1 Answered yes, but “don’t worry about it.”
1 I assume said no, answered “stupid question.”
4 Did not answer.
With these links come an important recommendation. No matter how long you and your teammates have been working in compliance, no matter how much you think you know, you need to review the regulations and the instructions for the implementation of your compliance program on a regular basis. Review the regulations. Review your interpretation of the regulations. Review your compliance operationalization for efficiency and effectiveness. Dedicate time to training.
For further information, contact John Eckert, Director, Operational Risk and Core Policy at (202) 649-7163 or email@example.com, or (202) 649-6550.
An excellent slide-deck: https://www.fdic.gov/regulations/resources/director/virtual/thirdparty.pdf
For more information: firstname.lastname@example.org
AuditLink - Credit Union vendor management platform and risk analysis.
Trust Exchange - Real-time, custom-compliance platform