Insurance Coalition Executive Director Issues Public Comment on Comptroller of the Currency Notice
* * *
I write on behalf of the
I. Executive Summary
As financial institutions that are regulated at the holding company level by the
Conceptually, the Coalition supports the third-party risk management guidance as providing helpful clarifications. In addition to supervised institutions, we believe that customers and the public at large will benefit from clearer, more uniform guidance on how federally supervised financial institutions evaluate and manage the risks associated with each third-party relationship. The Coalition also has several recommended revisions that we believe would improve the proposed guidance as applied to ISLHCs, as well as with respect to bank-owned life insurance (BOLI) products.
II. Proposed Revisions to Third-party Guidance
A. Question 1: Exclusion from the proposed guidance for low-risk third-party relationships limited to the ISLHC
Question 1 asks to what extent the guidance provides sufficient utility, relevance, comprehensiveness, and clarity for banking organizations with different risk profiles and organizational structures. In our view, the unique organizational structure of an ISLHC necessitates that the TPRM guidelines allow for flexibility to tailor requirements to the business model of the supervised entity - in the case of ISLHCs, to align with standards common to the insurance industry. This will allow institutions to focus risk management on the third parties that represent the most risk.
Additionally, we recommend that the final guidance include more clarity as to how to appropriately scale a risk-based approach based on the size, complexity, and business model of a financial institution. Risk dimensions most important to ISLHCs, such as referral arrangements, model risk management, and privacy, have varying levels of maturity within a third-party relationship when compared to large bank holding companies. We recommend implementing additional guidance as to the flexibility of the proposed risk-based approach.
We recommend that the final guidance provide an exclusion for those low-risk third-party relationships limited to the holding company in an ISLHC. For such third parties of the ISLHC, the ISLHC should not need to obtain due diligence information, negotiate certain contractual terms, or conduct ongoing monitoring. Low-risk third-party relationships limited to the ISLHC are those parties that are not utilized across the enterprise and do not engage directly with the insured depository institution. Examples of such low-risk third-party entities for an ISLHC include, but are not limited to, soil remediation providers, specialty service providers (e.g., HVAC, leak detection, ladder assist), and auto body shops.
B. Question 2: Additional third-party relationship aspects should be considered.
Question 2 asks what other aspects, if any, of third-party relationships the guidance should consider. We believe that expanded guidance is needed on reasonable risk acceptance philosophies, with examples of areas where occasional trigger and appetite exceedances are understood and generally accepted by both regulators and customers.
We also support providing more guidance on agreements specific to brokered products, short-term pilot/innovation agreements, proof-of-concept evaluations of emerging technology, and data analytic service providers, which we believe would help clarify some of the gaps in the proposed guidelines.
C. Question 4: The description of business arrangements in the proposed guidance should be narrowed.
Question 4 asks whether the discussion of "business arrangement" in the proposed guidance provides sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate. We respectfully suggest that the description of "business arrangements" in the proposed guidance is too broad. We believe that a more detailed description would provide sufficient parameters for banking organizations to identify those arrangements for which the guidance is appropriate. We recommend clarifying the description, which currently includes any and all non-customer business arrangements, and providing examples of non-customer business arrangements that are not considered third-party relationships.
We also believe that the proposed guidance should clarify that third-party relationships with insurance companies involving the provision and servicing of bank-owned life insurance (BOLI) are outside the scope of the guidance. Life insurance companies are subject to comprehensive state-based regulation, including with respect to risk management. Further, the purchase of and risk management of BOLI is already governed by the 2004 Interagency Statement on the Purchase and Risk Management of Life Insurance.
D. Question 6: Separately identifying enterprise-wide expectations for larger entities compared to smaller entities.
Question 6 asks how the proposed guidance could better help a banking organization appropriately scale its third-party risk management practice. We believe that the guidance can do this by separately identifying enterprise-wide expectations for larger entities compared to smaller entities. More clarity is needed regarding the structure that management committees and oversight committees are expected to have compared with employee managers at an institution. We also suggest further clarification regarding the expected level of involvement of a holding company's board in TPRM.
E. Question 8: Clarify the difference between a critical activity and a critical service provider.
Question 8 asks how the proposed description of critical activities can be clarified or improved. We suggest that the final guidance clarify the difference between a critical activity and a critical service provider. The guidance indicates that critical business activities should be presented to the board for approval. Larger, complex financial institutions may have too many critical service providers to present to the board for all arrangements involving those providers, and management is typically in a better position to understand the risks and complexities of those arrangements. Clarification would help supervised entities understand if there is an expectation for board approval for all critical service provider arrangements, even small, low-risk arrangements that only remotely relate to critical activities. In addition to requesting the clarification, we suggest that board approval should not be required for small, low-risk arrangements.
F. Question 9: Delegation of responsibilities to management.
Question 9 asks what additional information the proposed guidance could provide for banking organizations to consider when managing risks related to different types of business arrangements with third parties. In our view, an explicit acknowledgement in the guidance of how a board may delegate some of its responsibilities to management would benefit institutions. For large, more complex organizations, there should be flexibility to allow such delegation, and it is critical to have uniformity across the different regulators' approach on this matter.
G. Question 13: Third-party due diligence.
Question 13 asks in what ways the discussion of shared due diligence in the proposed guidance could better provide clarity to banking organizations regarding third-party due diligence activities. More guidance is necessary on how to approach third-party providers who are unwilling to provide requested data. ISLHC third-party providers are sometimes unwilling to provide information regarding their financial condition, especially privately held companies or affiliates of publicly traded companies. Some of those entities decline to break out separate affiliate financial statements. Typically, ISLHCs and other supervised entities weigh the potential risk of the third party's nonperformance due to financial instability (in light of all the information provided) against the impact of the third party's nonperformance on the entire enterprise. We would recommend more clarity on how to address situations involving a third party's refusal to provide information, to enable supervised entities to appropriately assess the risk of such arrangements.
H. Question 15: Due Diligence for third-party subcontractors.
Question 15 asks how the proposed guidance could be enhanced to provide more clarity on conducting due diligence for subcontractor relationships. We recommend more clarity in the guidance regarding expectations (including feasibility) for conditions where entities should perform due diligence directly on third parties' subcontractors. Supervised entities would benefit from a more detailed description regarding whether it would be acceptable to rely on the evaluation of the third parties' third-party risk management program to formulate opinions about subcontractor residual risk.
I. Question 17: Information security risks with engaging a third party.
Question 17 asks what additional information should be provided regarding a banking organization's assessment of a third party's information security and regarding the information security risks involved with engaging a third party. We recommend that the final guidance provide more information on the expectations for responding to known vulnerabilities and for ensuring that third parties have adequately addressed those known vulnerabilities. We also recommend that the guidance address the ability of financial institutions to conduct an assessment of suppliers' and subcontractors' information security programs.
III. Conclusion
The Coalition appreciates the opportunity to submit this comment letter. We would be happy to provide additional information on these comments and look forward to continuing to engage on this important topic as you continue work on the guidance. Please do not hesitate to contact me at 571-212-2036 or [email protected].
Sincerely,
Executive Director
* * *
The notice can be viewed at: https://www.regulations.gov/document/OCC-2021-0011-0001
TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact