
OCC Bulletin Compliance

OCC Bulletins and Third-Party Risk Management

The Office of the Comptroller of the Currency (OCC) is the group within the Department of the Treasury that charters, regulates, and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks. The OCC enforces its regulations with examinations, and it can deny applications for new charters or take other actions against banks and thrifts that do not comply with laws and regulations or otherwise engage in unsafe practices.

The OCC's mission is to ensure that national banks and federal savings associations operate in a safe and sound manner; provide fair access to financial services; treat customers fairly; and comply with applicable laws and regulations.

OCC Bulletin 2013-29, clarified by the FAQ in OCC Bulletin 2017-21, provides risk management guidance for “assessing and managing risk associated with third-party relationships.” OCC Bulletin 2020-10 provides guidance to examiners on what to look for when examining a bank’s third-party risk management program.

These bulletins highlight the need for an effective risk management process throughout the lifecycle of third-party relationships, including risk assessment, continuous monitoring, and reporting and documentation to facilitate oversight and accountability.

Relevant Bulletins

  • OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance

  • OCC Bulletin 2017-07: Third-Party Relationships: Supplemental Examination Procedures

  • OCC Bulletin 2017-21: Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29


Meeting OCC TPRM Compliance Requirements

Here's how Prevalent can help you address OCC third-party risk management requirements:

Bulletin 2013-29 Requirements, and How We Help

Due Diligence and Third-Party Selection: “A bank should not rely solely on experience with or prior knowledge of the third party as a proxy for an objective, in-depth assessment of the third party's ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.”

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

Risk Management: “Evaluate the effectiveness of the third party's risk management program, including policies, processes, and internal controls.”

The Prevalent Assessment service simplifies compliance and reduces risk with automated collection, analysis, and remediation of vendor surveys using industry standard and custom surveys.

Information Security: “Assess the third party's information security program. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology is necessary to support service delivery, assess the third party's infrastructure and application security programs, including the software development life cycle and results of vulnerability and penetration tests.”

Management of Information Systems: “Gain a clear understanding of the third party's business processes and technology that will be used to support the activity. When technology is a major component of the third-party relationship, review both the bank's and the third party's information systems to identify gaps in service-level expectations, technology, business process and management, or interoperability issues. Review the third party's processes for maintaining accurate inventories of its technology and its subcontractors. Assess the third party's change management processes to ensure that clear roles, responsibilities, and segregation of duties are in place. Understand the third party's performance metrics for its information systems and ensure they meet the bank's expectations.”

In addition to facilitating automated, periodic internal control-based assessments, the platform provides cybersecurity and business monitoring, continually assessing third-party networks to identify potential weaknesses that could be exploited by cyber criminals. Prevalent also offers penetration testing as a service to help customers investigate vendor network operations at a much more granular level.

With the integration of internal assessments, external cyber monitoring and penetration testing, covered entities gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks.

Ongoing Monitoring: “Ongoing monitoring for the duration of the third-party relationship is an essential component of the bank's risk management process. More comprehensive monitoring is necessary when the third-party relationship involves critical activities.

Some key areas of consideration for ongoing monitoring may include assessing changes to the third party's

  • business strategy (including acquisitions, divestitures, joint ventures) and reputation (including litigation)
  • compliance with legal and regulatory requirements
  • financial condition”

The Prevalent Cyber & Business Monitoring service provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations. Data security and business risk monitoring enables you to look beyond tactical vendor health for a more strategic view of a vendor’s overall information security risk.

Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks.

Examples of business information collected during the analysis include:

  • M&A activity
  • Layoffs
  • Lawsuits
  • Data breaches
  • Product recalls
  • Bankruptcy
  • Capital transactions (e.g., debt, equity)

Documentation and Reporting: “A bank should properly document and report on its third-party risk management process and specific arrangements throughout their life cycle.

Proper documentation typically includes:

  • A current inventory of all third-party relationships
  • Due diligence results, findings, and recommendations
  • Regular reports to the board and senior management”

The Prevalent Third-Party Risk Management platform includes reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.
