OCC Bulletin Compliance

Complying with OCC Bulletins 2013-29, 2017-07 and 2017-21

The Office of the Comptroller of the Currency (OCC) is the group within the Department of the Treasury that charters, regulates, and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks. The OCC enforces its regulations with examinations, and it can deny applications for new charters or take other actions against banks and thrifts that do not comply with laws and regulations or otherwise engage in unsafe practices.

OCC Bulletins and Third-Party Risk Management

The OCC's mission is to ensure that national banks and federal savings associations operate in a safe and sound manner; provide fair access to financial services; treat customers fairly; and comply with applicable laws and regulations. 

OCC Bulletin 2013-29, clarified with a FAQ in OCC Bulletin 2017-21, provides risk management guidance for “assessing and managing risk associated with third-party relationships.” OCC 2017-07 provides guidance to Examiners on what to look for when examining a bank’s third-party risk management program.

These bulletins highlight the need for an effective risk management process throughout the lifecycle of third-party relationships, including risk assessment, continuous monitoring, and reporting and documentation to facilitate oversight and accountability. 

Relevant Bulletins

  • OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance
  • OCC Bulletin 2017-07: Third-Party Relationships: Supplemental Examination Procedures
  • OCC Bulletin 2017-21: Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29

Meeting OCC Third-Party Risk Management Compliance Requirements

Here's how Prevalent can help you address OCC third-party risk management requirements:

OCC Bulletin 2013-29 Third-Party Relationships: Risk Management Guidance

Bulletin 2013-29 Requirements | How Prevalent Helps

Due Diligence and Third-Party Selection: “A bank should not rely solely on experience with or prior knowledge of the third party as a proxy for an objective, in-depth assessment of the third party's ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.”

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.


Risk Management: “Evaluate the effectiveness of the third party's risk management program, including policies, processes, and internal controls.”

The Prevalent Assessment service simplifies compliance and reduces risk with automated collection, analysis, and remediation of vendor surveys using industry standard and custom surveys.


Information Security: “Assess the third party's information security program. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology is necessary to support service delivery, assess the third party's infrastructure and application security programs, including the software development life cycle and results of vulnerability and penetration tests.”

Management of Information Systems: “Gain a clear understanding of the third party's business processes and technology that will be used to support the activity. When technology is a major component of the third-party relationship, review both the bank's and the third party's information systems to identify gaps in service-level expectations, technology, business process and management, or interoperability issues. Review the third party's processes for maintaining accurate inventories of its technology and its subcontractors. Assess the third party's change management processes to ensure that clear roles, responsibilities, and segregation of duties are in place. Understand the third party's performance metrics for its information systems and ensure they meet the bank's expectations.”

In addition to facilitating automated, periodic internal control-based assessments, the platform provides cybersecurity and business monitoring, continually assessing third-party networks to identify potential weaknesses that could be exploited by cyber criminals. Prevalent also offers penetration testing as a service to help customers investigate vendor network operations at a much more granular level.

With the integration of internal assessments, external cyber monitoring, and penetration testing, covered entities gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks.
Ongoing Monitoring: “Ongoing monitoring for the duration of the third-party relationship is an essential component of the bank's risk management process. More comprehensive monitoring is necessary when the third-party relationship involves critical activities.

Some key areas of consideration for ongoing monitoring may include assessing changes to the third party's

  • business strategy (including acquisitions, divestitures, joint ventures) and reputation (including litigation) 
  • compliance with legal and regulatory requirements 
  • financial condition”

The Prevalent Cyber & Business Monitoring service provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations. Data security and business risk monitoring enables you to look beyond tactical vendor health for a more strategic view of a vendor’s overall information security risk.

Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks. 

Examples of business information collected during the analysis include:

  • M&A activity
  • Layoffs
  • Lawsuits
  • Data breaches
  • Product recalls
  • Bankruptcy
  • Capital transactions (e.g., debt, equity)

Documentation and Reporting: “A bank should properly document and report on its third-party risk management process and specific arrangements throughout their life cycle.

Proper documentation typically includes:

  • A current inventory of all third-party relationships
  • Due diligence results, findings, and recommendations
  • Regular reports to the board and senior management”

The Prevalent Third-Party Risk Management platform includes reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the due diligence process.

The Prevalent Difference

Prevalent’s Third-Party Risk Management Platform enables national banks, federal savings associations, and technology service providers to fulfill OCC requirements across the entire vendor ecosystem. Delivered in the simplicity of the cloud, the Prevalent platform combines automated vendor assessments, continuous threat monitoring, assessment workflow, and remediation management across the entire vendor life cycle.