
OCC Provides Clarification on How to Manage Third-Party Risk

by Brad Keller, JD, CTPRP

June 12th, 2017


On June 7th, the OCC issued a welcome update to its 2013 guidance on managing third-party relationships (OCC Bulletin 2017-21, which supplements OCC Bulletin 2013-29). While much of the guidance provides insight into how to address issues related to fintech companies, several key areas have received little, if any, previous formal comment from the OCC. This first post in a series will address an area of the guidance that will substantially improve the third-party risk management (TPRM) process.


I am pleased to see that the OCC has finally embraced collaboration. Much of the first part of the guidance (Sections 4-6) discusses the benefits of collaboration, the use of common or standard information-gathering tools for assessment due diligence, and the formation of user groups. After having commented unofficially on the benefit (and acceptability) of collaboration in the past, the OCC has now formally endorsed bank collaboration on third-party risk management. The OCC acknowledges that collaborating on “performing due diligence…and ongoing monitoring” is a cost-effective way to reduce the cost of the third-party risk management that 2013-29 requires.

As the former Program Director for Shared Assessments, I was frequently called upon to discuss the regulatory position on banks taking a shared approach to third-party due diligence, including the use of common questionnaires covering third parties' security controls. Fortunately, that question has now been definitively answered. In 2017-21, the OCC clearly indicates that sharing due diligence is acceptable, and speaks to its benefits:

Banks may take advantage of various tools designed to help them evaluate the controls of third-party service providers. In general, these types of tools offer standardized approaches to perform due diligence and ongoing monitoring of third-party service providers by having participating third parties complete common security, privacy, and business resiliency control assessment questionnaires. After third parties complete the questionnaires, the results can be shared with numerous banks and other clients. Collaboration can result in increased negotiating power and lower costs to banks during the contract negotiation phase of the risk management life cycle.

OCC 2017-21 also encourages banks to join user groups whose members share common third-party service providers. The OCC notes that these user groups would be of particular advantage to smaller institutions and community banks that lack the resources to support broad-scale risk management programs.

Notably, 2017-21 restates the OCC's previously unofficial position on how shared third-party due diligence is to be used. Section 5 of the guidance reinforces that, while institutions can share due diligence and ongoing monitoring information, each bank remains responsible for making its own risk-based decision about the acceptability of a third party's risk controls. Therefore, banks must have a robust mechanism to evaluate those controls, remediate gaps when necessary, and document each component of the third-party life cycle.

Prevalent has been leading the collaboration discussion for some time now, focusing much of our attention on giving banks the ability to share assessment due diligence and ongoing threat monitoring through common repositories and user networks. Having OCC 2017-21 validate those efforts is, to say the least, reassuring.