Objective: To determine the extent of third-party involvement in student lending activities and evaluate the effectiveness of management’s third-party oversight and risk management processes.
These procedures apply to any arrangements with third parties to provide student loan-related services to customers on the bank’s behalf. Banks may fully “outsource” loan originations, servicing, collection activities (using collection agencies or attorneys), or the offering of products in the bank’s name.
Refer to OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,”
for additional information on OCC expectations.
Examination Procedures > Supplemental Examination Procedures
1. Determine the adequacy of the bank’s third-party risk management program.
• Assess the adequacy of the risk management policy and determine that analysis, documentation, and reporting requirements are clearly addressed.
• Determine that management has designated an individual to be responsible for the program and has delegated the authority necessary for its effective administration to that individual.
• Review the bank’s process for maintaining a complete list of third parties used by the bank.
• Review the bank’s criteria for designating “significant” third parties according to the dollar amount of the contract, the importance of the service provided, and the
potential risk involved in the activity. While the risk management program should address all third-party relationships, the OCC expects a more rigorous process to manage those third parties deemed significant.
• Review the bank’s due diligence process and determine whether the process – provides for comprehensive, well-documented reviews by qualified staff.
– identifies any potential conflicts of interest with bank directors, officers, staff, and their related interests.
– addresses compliance with all applicable laws and regulations, including safety and soundness regulatory standards, and laws prohibiting lending discrimination and unfair or deceptive practices.
2. Identify third parties that provide significant student loan services on the bank’s behalf, particularly those that provide loan origination and servicing of both private and FFELP runoff portfolios. Determine the bank’s relationship manager for each of those third parties.
3. Verify that bank management’s expertise in the outsourced activities is sufficient to accurately identify and manage the risks involved.
4. Determine whether management has adequate controls, including policies, procedures and monitoring controls, to avoid becoming involved with a third party engaged in discriminatory, unfair, deceptive, abusive, or predatory lending practices. If weaknesses or concerns are found, consult the bank’s EIC or compliance examiner.
Note: For additional information, refer to the “Fair Lending” booklet of the
Comptroller’s Handbook and OCC Advisory Letter 2002-3, “Guidance on Unfair or Deceptive Acts or Practices.”
5. Assess the adequacy of contract management, focusing on the process for ensuring that clauses necessary to effectively manage the third parties are included.
• Determine whether the bank has a current contract on file for all third parties and that the bank monitors key dates (e.g., maturity, renewal, and adjustment periods).
• Review a sample of contracts with significant third parties to confirm that the contracts satisfactorily address the following:
Examination Procedures > Supplemental Examination Procedures
– Scope of the arrangement, including the frequency, content, and format of services provided by each party.
– Outsourcing notifications or approvals required, if the third party proposes to subcontract a service to another party.
– All costs and compensation, including any incentives.
– Performance standards, including when standards can be adjusted and the consequences of failing to meet those standards.
– Reporting and MIS requirements.
– Data ownership and access.
– Appropriate privacy and confidentiality restrictions.
– Requirements for compliance with all applicable laws and regulations, including safety and soundness regulatory standards, and laws prohibiting lending
discrimination and unfair or deceptive practices.
– Mandatory third-party control functions such as quality assurance and audit, including requirements for submitting audit results to the bank.
– Expectations and responsibilities for business resumption and contingency plans.
– Responsibility for consumer complaint resolution and associated reporting to the bank.
– Third-party financial statement submission requirements.
– Appropriate dispute resolution, liability, recourse, penalty, indemnification, and termination clauses.
– The authority for the bank to perform on-site third-party reviews. Third-party performance of services is subject to OCC examination oversight.
• Determine whether the bank’s monitoring of third parties’ adherence to the bank’s contracts (especially to financial terms and performance standards) is adequate in frequency and scope.
• Determine whether issues identified through the monitoring process are appropriately resolved in a timely manner.
6. Assess the adequacy of the monitoring process for significant third parties.
• Using the sample of significant third parties reviewed in the previous procedure, confirm that the bank’s oversight incorporates, at a minimum,
– reports evidencing the third party’s performance relative to service-level agreements and other contract provisions.
– customer complaints and resolutions for the services and products outsourced.
– third-party financial statements and audit reports.
– compliance with applicable laws and regulations.
• Evaluate whether the process results in an accurate determination of whether
contractual terms and conditions are being met, and whether any revisions to service-level agreements or other terms are needed.
• Verify whether management documents and follows up on performance, operational, or compliance problems and whether the documentation and follow-ups are timely and effective.
• Determine whether the relationship manager or other bank staff periodically meets with its third parties to discuss performance and operational issues.
Examination Procedures > Supplemental Examination Procedures
• Determine whether third-party risk management administers call monitoring, mystery shopper, customer callback, or customer satisfaction programs, if appropriate.
• Assess the adequacy of the bank’s process for determining when on-site reviews are warranted, the scope of those reviews, and reporting of results.
• Determine whether management evaluates the third party’s ongoing ability to perform the contracted functions in a satisfactory manner based on performance and financial condition.
7. For third-party loan originators,
• assess the adequacy of the process used to qualify third parties for loan origination.
• assess the adequacy of the reports and tracking mechanisms in place to monitor performance (e.g., volume of applications submitted, approved, and booked; quality;
exceptions; and loan performance) and relationship profitability, including performance and profitability compared with projections.
• assess the adequacy of the process used to monitor compliance with the bank’s lending policies, and applicable laws and regulations.
• verify that management maintains a watch list for problematic originators and that actions taken (including termination of the relationship, if warranted) are appropriate and timely.
8. Assess the adequacy of the content, accuracy, and distribution of third-party management program reports.
9. Determine whether the bank has any loans to the third party and whether any other conflicts of interest exist.
10. Determine whether any insiders have relationships with the third parties used by the bank and whether any potential conflicts of interest exist (e.g., insider has ownership interests, officer or board positions, or loans to the third party).
11. Determine whether the bank is involved in any significant third-party relationships where deficiencies in management expertise or controls result in the failure to adequately
identify and manage the associated risk. If so, consult with the EIC and the supervisory office and determine whether it is appropriate to require that the activity be suspended pending satisfactory corrective action.
12. Develop conclusions on the extent of third-party involvement in student lending activities and the effectiveness of management’s third-party oversight and risk management
processes. Include any Education Department servicer review findings. Clearly document all findings.
Examination Procedures > Conclusions