Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the Office of the Comptroller of the Currency (OCC) Bulletins 2013-29, 2017-07, and 2017-21 relating to Third-Party Relationships. Please be sure to review all the blogs in this series for additional third-party risk management guidance, and download the white paper for a complete examination of requirements.
The Office of the Comptroller of the Currency (OCC), part of the US Department of the Treasury, charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. Because the OCC enforces the regulations it issues through examinations, including taking actions against banks that do not comply with laws and regulations, it is imperative that all financial services-related organizations be familiar with its risk management requirements.
This blog summarizes the specific third-party risk management requirements noted in the following OCC Bulletins:
These bulletins highlight the need for an effective risk management process throughout the lifecycle of the third-party relationship, including the need to assess, continuously monitor, and provide adequate documentation and reporting to facilitate oversight and accountability.
For the purposes of this blog, we have summarized select OCC requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the OCC requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.
According to the OCC Bulletin 2013-29, an effective third-party risk management process includes:
Prevalent’s Third-Party Risk Management Platform enables national banks, federal savings associations, and technology service providers to fulfill these requirements across the entire vendor ecosystem. Delivered in the simplicity of the cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, assessment workflow, and remediation management across the entire vendor life cycle.
Having strong Information Security and Systems Management policies, as well as measuring and monitoring the risk associated with being out of compliance, is part of the Third-Party Risk Management Lifecycle. This requires a complete internal view of the controls in place, as well as continuous monitoring of all third parties, something that cannot be addressed with a simple external automated scan. Trust Prevalent’s Third-Party Risk Management platform to help address the compliance requirements of OCC Bulletins 2013-29, 2017-07, and 2017-21.
For a complete listing of the OCC requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.
Next week’s blog examines the Financial Conduct Authority’s FG 16/5 Guidance for firms outsourcing to the cloud and other third-party IT services.