Just in time for your summer beach reading, the OCC has released frequently asked questions based on OCC Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance.” This guidance provides additional information on 14 questions, which are detailed below.
While the guidance offers no surprises or material changes for most financial institutions, there are a few key takeaways from this new guidance, released on June 7, including the structure of third-party risk management, collaboration, and outsourcing compliance management systems (CMSs).
The first few questions provide guidance on the structure of a bank’s third-party risk management program. They emphasize that a bank should customize its vendor management program to its specific vendors, business practices, and structure. There is no one-size-fits-all approach to third-party risk management.
The word “collaborate” in some form shows up 14 times in this OCC release. In the case of this guidance, collaboration refers to the action of working with someone to produce or create something.
What does the OCC have to say about collaboration? While banks can work together on any function related to vendor management, they can’t rely exclusively on those collaborative efforts to meet regulatory compliance for third-party risk. This is especially true when the collaborating banks have different contractual provisions and/or any unique products. (It goes back to the structure of third-party risk management and there being no one-size-fits-all approach.) Banks should also have their own processes to evaluate the performance of their vendors. Collaboration may be very helpful in areas such as cybersecurity.
A community bank can outsource some or all aspects of its CMS to a third party or multiple third parties. The bank still has responsibility for the results, including making sure the vendor is compliant with consumer laws and regulations. While the OCC expects all banks to develop and maintain an effective CMS, it is possible to outsource any aspect of these programs, but the bank remains responsible for managing the vendor.
Can a bank rely on a third-party Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 (SSAE 18)?