<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

STOP! Collaborate Cautiously and Listen- The OCC is Back with New Third-Party Risk Management Guidance

author Michael Berman
2 min read
Jun 12, 2017

Just in time for your summer beach reading, the OCC has released frequently asked questions based on OCC Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance.” This guidance provides additional information on 14 questions which are detailed below.

While the guidance offers no surprises or material changes for most financial institutions, there are a few key takeaways from this new guidance, released on June 7., including the structure of third-party risk management, collaboration, and outsourcing compliance management systems (CMSs).

The OCC & Third-Party Risk Management

The first few questions provide guidance on the structure of a bank’s third-party risk management program. They emphasize that banks should customize their vendor management program to their specific vendors, business practices, and structure. There is no one-size-fits-all approach to third-party risk management.

Collaboration

The word “collaborate” in some form shows up 14 times in this OCC release. In the case of this guidance, collaboration refers to the action of working with someone to produce or create something.

What does the OCC have to say about collaboration? While banks can work together on any function related to vendor management, they can’t rely exclusively on those collaborative efforts to meet regulatory compliance for third-party risk. This is especially true when the banks collaborating have different contractual provisions and/or any unique products. (It goes back to the structure of third-party risk management and there being no one-size-fits-all approach.) Banks should also have their own processes to evaluate the performance of their vendor. Collaboration may be very helpful for security matters like cybersecurity.

Outsourcing compliance management systems (CMS)

A community bank can outsource some or all aspects of their CMS to a third party or multiple third parties. The bank still has responsibility for the results, including making sure the vendor is compliant with consumer laws and regulations. While the OCC expects all banks to develop and maintain an effective CMS, it is possible to outsource any aspect of these programs, but the bank is responsible for managing the vendor.

Questions addressed in the guidance

  • What is a third-party relationship?
  • OCC Bulletin 2013-9 defines third-party relationships very broadly and reads like it can apply to lower-risk relationships. How can a bank reduce its oversight costs for lower-risk relationships?
  • How should banks structure their third-party risk management process?
  • When multiple banks use the same third-party service providers, can they collaborate to meet expectations for managing third-party relationships specified in OCC Bulletin 2013-29?
  • When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually to meet the expectations in OCC Bulletin 2013-29?
  • What collaboration opportunities exist to address cyber threats to banks as well as to their third-party relationships?
  • Is a fintech company arrangement considered a critical activity?
  • Can a bank engage with a start-up fintech company with limited financial information?
  • How can a bank offer products and services to underbanked or underserved segments of the population through a third-party relationship with a fintech company?
  • What should a bank consider when entering a marketplace lending arrangement with nonbank entities?
  • Does OCC Bulletin 2013-29 apply when a bank engages a third party to provide bank customers the ability to make mobile payments using their bank accounts, including debit and credit cards?
  • May a community bank outsource the development, maintenance, monitoring and compliance responsibilities of its compliance management system?
  • Can banks obtain access to interagency technology service providers’ (TSP) reports of examination?

Can a bank rely on a third-party Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 (SSAE 18)?

Subscribe to the Nsight Blog

All Topics Risk & Compliance Product Insight Banks Lending Compliance Credit Unions Risk Management Fair Lending Nfairlending Cluster: Risk Management Compliance Lending Compliance Management Integrated Risk Blog Nrisk Regulatory Compliance Management News & Updates HMDA Risk Mortgage Lenders Ncomply Vendor Management Business Resiliency CRA Lending Compliance Blog Vendor CFPB Ncontinuity Third-Party Vendor Management Business Continuity Cybersecurity Fintech NVendor Strategic Planning Ncyber Ntransmittal Audits & Findings Company Culture OCC Regulatory Updates Audit Nverify Regulatory Compliance Exams FDIC Compliance Management Findings Nfindings NCUA Contract Management Employee Intranet Contract FRB Business Continuity Management FFIEC Findings Management Ncontracts manager Third-Party Vendors Vendor Risk Enterprise Risk Management ABA Bank Access Control Audit Findings Board Portal Call Report Due Diligence Efficiency Employee Engagement Exam findings FIEC Inc. 5000 Internal Audit Management Nboardportal Verify Wealth Management
Are You Connecting the Risk Management Dots?
Risk & Compliance

Are You Connecting the Risk Management Dots?

Feb 17, 2017 1 min read
The $30 Million Spreadsheet: The hidden costs of spreadsheets–and their mistakes
Risk & Compliance

The $30 Million Spreadsheet: The hidden costs of spreadsheets–and their mistakes

May 16, 2016 3 min read
All the Risk News That’s Fit to Print: Ncontracts’ Top 2020 Risk Management Blogs
Risk Management

All the Risk News That’s Fit to Print: Ncontracts’ Top 2020 Risk Management Blogs

Dec 22, 2020 5 min read