On October 20, 2017, the OCC issued Bulletin 2017-49 providing updated principles that OCC regulated banks should follow to prudently manage the risks associated with offering new, modified, or expanded products and services (“New Activities”).
According to the bulletin, New Activities should be developed and implemented consistently with sound risk management practices and should align with banks’ overall business plans and strategies. New Activities should also encourage fair access to financial services and fair treatment of consumers and should be in compliance with applicable laws and regulations.
The OCC expects bank management to have appropriate risk management processes for the development of New Activities and to effectively measure, monitor, and control the risks associated with New Activities. It also expects the board of directors to oversee management’s implementation of the risk management system, including execution of control programs and appropriate audit coverage of New Activities.
The bulletin outlines the primary risks that arise in developing and introducing New Activities, namely:
- Strategic Risk – The risk to current or projected financial condition and resilience arising from adverse business decisions, poor implementation of those decisions, or lack of responsiveness to changes in the financial services industry or operating environment;
- Reputation Risk – The risk to current or projected financial condition and resilience arising from negative public opinion;
- Credit Risk – The risk to current or projected financial condition and resilience arising from an obligor’s failure to meet the terms of any contract with the bank or failure to perform as agreed;
- Operational Risk – The risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events;
- Compliance Risk – The risk to current or projected financial condition and resilience arising from violations of laws or regulations or from nonconformance with prescribed practices, internal policies and procedures, or ethical standards; and
- Liquidity Risk – The risk to current or projected financial condition and resilience arising from an inability to meet obligations when they come due.
The bulletin states that effective and principles-based risk management systems should include the following components:
Due Diligence and Approvals
Management and the board should clearly understand the rationale for engaging in New Activities and how proposed New Activities meet the bank’s strategic objectives. Management should conduct due diligence to fully understand the risks and benefits before implementing New Activities. Although the board may delegate the bank’s daily managerial duties to others, the board is ultimately responsible for providing the appropriate oversight to ensure that the bank operates in a safe and sound manner and in compliance with applicable laws and regulations. In fulfilling its responsibilities, the board should hold management accountable for appropriate policies and due diligence processes for New Activities. Management should inform the board of all material New Activities, including due diligence findings and plans that clearly articulate and appropriately manage risks and returns. The board or a delegated board committee should consider whether New Activities are consistent with the bank’s strategic goals and risk appetite.
Policies, Procedures, and Controls
Management should establish new policies and procedures (or amend existing ones) and implement them to provide guidance on the risk management of New Activities. Policies and procedures should outline the processes, roles and responsibilities, and any standards required to ensure implementation of and adherence to an adequate risk management system for New Activities.
Management should have effective change management processes to manage and control the implementation of new or modified operational processes, as well as the addition of new technologies into the bank’s existing technology architecture.
Performance and Monitoring
Management should have appropriate performance and monitoring systems, including MIS, to assess whether the activities meet operational and strategic expectations and legal requirements and are within the bank’s risk appetite.
Third-Party Relationship Risk Management
Third-party relationship risk management should include comprehensive oversight of third-party relationships, particularly those involving critical activities. When contracting with third-party service providers, bank management should understand the risks associated with the New Activities and conduct adequate due diligence of service providers. Due diligence includes assessing service providers’ management, reputation, product performance, and financial condition. The degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship.
Financial Technology – Bank management that partners or contracts with fintech companies to offer new products or services should understand the technologies that these companies offer; the risks and controls associated with those technologies; and the effect that the new delivery channel will have on existing operational controls. Banks should include fintech companies in their third-party risk management process and treat them as they would any other third-party service provider.
Bank management should determine whether the third-party service providers and the bank’s New Activities align with the bank’s strategic plans and risk appetite. Inherent risk may be elevated when using “turnkey” (complete and unmodifiable) and “white label” (customizable) products or services that are designed for minimal involvement by the bank in administering the New Activities. Bank management should implement an ongoing and effective third-party risk management program for third-party service providers. Throughout the third-party relationship’s life cycle, the risk management process should include ongoing monitoring. As part of the life cycle, management should develop and maintain a contingency plan in the event the bank must terminate the relationship, a contract expires, the service provider cannot perform as expected, or the provider changes its business strategy. All third-party relationships should be governed by written contracts, and management should not overly rely on the service provider’s assertions.
If you have any questions concerning these Risk Management Principles, please reach out to Solomon Maman.