How to Meet OCC Third-Party Risk Management Compliance Requirements

Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the Office of the Comptroller of the Currency (OCC) Bulletins 2013-29, 2017-07, and 2017-21 relating to Third-Party Relationships. Please be sure to review all the blogs in this series for additional third-party risk management guidance, and download the white paper for a complete examination of requirements.

The Office of the Comptroller of the Currency (OCC), part of the US Department of the Treasury, charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. With the power to enforce the regulations it issues with examinations – including taking actions against banks that do not comply with laws and regulations – it is imperative that all financial services-related organizations be familiar with its risk management requirements.

This blog summarizes the specific third-party risk management requirements noted in the following OCC Bulletins:

• OCC Bulletin 2013-29, clarified with a FAQ in OCC Bulletin 2020-10, provides risk management guidance for all national banks, federal savings associations and technology service providers for “assessing and managing risk associated with third-party relationships.”
• OCC 2017-07 provides guidance to Examiners on what to look for when examining a bank’s third-party risk management program. In so doing, it sets forth the practices that banks are expected to have in place.

These bulletins highlight the need for an effective risk management process throughout the lifecycle of the third-party relationship, including the need to assess, continuously monitor, and provide adequate documentation and reporting to facilitate oversight and accountability.

Meeting OCC Third-Party Risk Management Compliance Requirements

For the purposes of this blog, we have summarized select OCC requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the OCC requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.

According to the OCC Bulletin 2013-29, an effective third-party risk management process includes:

• Plans that outline the bank's strategy; identify the inherent risks of the activity; and detail how the bank selects, assesses, and oversees the third party
• Proper due diligence in selecting a third party
• Written contracts that outline the rights and responsibilities of all parties
• Ongoing monitoring of the third party's activities and performance
• Contingency plans for terminating the relationship in an effective manner
• Clear roles and responsibilities for overseeing and managing the relationship and risk management process
• Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management
• Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks

Trust Prevalent to Help Assess and Monitor Vendors According to OCC Requirements

Prevalent’s Third-Party Risk Management Platform enables national banks, federal savings associations, and technology service providers to fulfill these requirements across the entire vendor ecosystem. Delivered in the simplicity of the cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, assessment workflow, and remediation management across the entire vendor life cycle.

• Vendor tiering enables third parties to be managed according to the risk they present with different assessments, frequencies, and scoring as warranted.
• Customizable surveys with documented evidence enable the assessment and monitoring to be carried out relative to the risk and function of each third party.
• Reporting provides the information necessary in multiple forms as required for different levels of the organization.

Having strong Information Security and Systems Management policies, as well as measuring and monitoring risk associated with being out of compliance, is part of the Third-Party Risk Management Lifecycle. This requires a complete internal view of the controls in place, as well as continuous monitoring of all third parties; something that cannot be addressed with a simple external automated scan. Trust Prevalent’s Third-Party Risk Management platform to help address the compliance requirements of OCC Bulletins 2013-29, 2017-07, and 2017-21.

For a complete listing of the OCC requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.

Our Series Continues…

Next week’s blog examines Financial Conduct Authority’s FG 16/5 Guidance for firms outsourcing to the cloud and other third-party IT services.