The Green Sheet Online Edition
August 10, 2015 • Issue 15:08:01
OCC bulletin to banks
I heard that the OCC issued some kind of guidance in the last couple of years to banks about risk scoring of third parties. Wouldn't this affect payment processors and registered ISOs doing business with merchant acquiring banks? I haven't found anything about it in The Green Sheet.
Marilyn Tarpe, Superlative POS LLC
I found nothing in our archives pertaining to the Office of the Comptroller of the Currency and risk scoring of third parties. The guidance you are referring to is probably Bulletin 2013-29 issued by the OCC on Oct. 30, 2013. The subject of the bulletin is third-party relationships, and it was issued to "Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties." The bulletin defines third-party relationships as "any business arrangement between a bank and another entity, by contract or otherwise."
Registered ISOs, independent payment processing companies, equipment vendors, information technology service providers, data security consultants and many more enterprises within the payments sphere serve as third-party service providers to banks. The bulletin stated that an "effective risk management process throughout the life cycle of the relationship" should include:
- Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party
- Proper due diligence in selecting a third party
- Written contracts that outline the rights and responsibilities of all parties
- Ongoing monitoring of the third party's activities and performance
- Contingency plans for terminating the relationship in an effective manner
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management
- Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks
The full bulletin is on the web at www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.
The federal government has stepped up scrutiny of our industry on multiple fronts in recent years. If you search our website for Operation Choke Point, for example, you'll find numerous references to one of the most draconian programs to date. Also, "Coming to terms with escalating compliance requirements," which we published Jan. 12, 2015, in issue 15:01:01, describes what payment companies are up against in the current environment and highlights the increased emphasis on "know your customer" best practices. You'll find it at www.greensheet.com/emagazine.php?story_id=4241.
Thank you for your question. This is an issue vital to all in the payments industry.
How well do you know your customers?
Have actions taken by federal and state governments to regulate or otherwise influence our industry changed the way you run your business? If so, what are you doing differently now? Have any of the regulatory steps been beneficial, or do you see them as mostly a pain in the neck? Do let us know. And please keep your questions, suggestions and insights coming to us at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.