Regulator: Third-Party Risk Management Is A Heightened Supervisory Focus

A bank regulator recently warned that managing third-party risk is a heightened supervisory focus.

The Office of the Comptroller of the Currency (OCC) in its Semiannual Risk Perspective report identified increasing use of third-party service providers and the concentration of critical operations among few service providers as operational concerns.

The report notes a growth in partnerships between banks (you can substitute the term credit unions) and third-party companies or vendors. Financial institutions are becoming more reliant upon third-party financial technology companies for new emerging products and services. This is driving third-party risk.

The report also noted that consolidation -- both among banks and among third-party service providers -- has “increased reliance on a smaller group of third parties providing critical applications and resulted in large numbers of banks, especially community banks, relying on a small number of service providers.”

The report found "instances of concentration of third-party service providers for specialized services, such as merchant card processing, denial-of-service mitigation, ... and other specific product or market service."

This concentration in a limited number of third-party service providers could result in systemic risk in the financial services sector.

The OCC advised that banks address third-party risk "through appropriate due diligence and ongoing oversight."

This should be the same advice to credit unions from the National Credit Union Administration (NCUA), as NCUA does not have the authority to examine third-party service providers, unlike other federal banking regulators.