How to Meet OCC Third-Party Risk Management Compliance Requirements

Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the Office of the Comptroller of the Currency (OCC) Bulletins 2013-29, 2017-07, and 2017-21 relating to Third-Party Relationships. Please be sure to review all the blogs in this series for additional third-party risk management guidance, and download the white paper for a complete examination of requirements.

The Office of the Comptroller of the Currency (OCC), part of the US Department of the Treasury, charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. With the power to enforce the regulations it issues with examinations – including taking actions against banks that do not comply with laws and regulations – it is imperative that all financial services-related organizations be familiar with its risk management requirements.

This blog summarizes the specific third-party risk management requirements noted in the following OCC Bulletins:

• OCC Bulletin 2013-29, clarified with a FAQ in OCC Bulletin 2020-10, provides risk management guidance for all national banks, federal savings associations and technology service providers for “assessing and managing risk associated with third-party relationships.”
• OCC 2017-07 provides guidance to Examiners on what to look for when examining a bank’s third-party risk management program. In so doing, it sets forth the practices that banks are expected to have in place.

These bulletins highlight the need for an effective risk management process throughout the lifecycle of the third-party relationship, including the need to assess, continuously monitor, and provide adequate documentation and reporting to facilitate oversight and accountability.

Meeting OCC Third-Party Risk Management Compliance Requirements

For the purposes of this blog, we have summarized select OCC requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the OCC requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, The Third-Party Risk Management Risk Management Compliance Handbook.

According to the OCC Bulletin 2013-29, an effective third-party risk management process includes:

• Plans that outline the bank's strategy; identify the inherent risks of the activity; and detail how the bank selects, assesses, and oversees the third party
• Proper due diligence in selecting a third party
• Written contracts that outline the rights and responsibilities of all parties
• Ongoing monitoring of the third party's activities and performance
• Contingency plans for terminating the relationship in an effective manner
• Clear roles and responsibilities for overseeing and managing the relationship and risk management process
• Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management
• Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks