On March 5, 2020 the Office of the Comptroller of the Currency (OCC) released Bulletin 2020-10, a supplement to OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. The supplement identifies and responds to 27 frequently asked questions (FAQs) on third-party relationships, some of which were previously addressed in a supplement issued on June 7, 2017, OCC Bulletin 2017-21, which is now rescinded.
Topics addressed in the new FAQs include:
- Definitions of the key terms “third-party relationship” and “business arrangement”
- Risk management when the bank has limited negotiating power in contractual arrangements
- Critical activities and how a bank can determine the risks associated with third-party relationships
- Bank management’s responsibilities regarding a third party’s subcontractors
- Reliance on and use of third party-provided reports, certificates of compliance, and independent audits
- Risk management when a third party has limited ability to provide the same level of due diligence-related information as larger or more established third parties
- Risk management when using a third-party model or when using a third party to assist with model risk management
- Use of third-party assessment services in managing third-party relationship risks
- A board of directors’ approval of contracts, and
- Risk management when obtaining alternative data from a third party.
The recent guidance also addresses specific types of third parties such as cloud service providers, data aggregators, fintech companies, and subcontractors. The OCC discusses how banks can offer products or services to underbanked or underserved segments of the population through third-party relationships with fintech companies, what banks should consider when entering a marketplace lending arrangement with non-bank entities (a practice that can be the subject of judicial and congressional scrutiny), and the application of third-party risk management principles to banks’ mobile payment providers.
The OCC requires adequate safeguards and controls for both the bank and its third-party vendors and will hold a bank accountable for compliance with applicable laws and regulations. Bank management is responsible for determining the risk associated with each of the bank’s third-party relationships, and its risk management should be commensurate with the level of risk and complexity of those relationships.
Third-party or vendor management is and remains a primary area of risk and review for the OCC (as well as other federal and state bank regulators). The potential lack of direct regulation of third parties necessarily elevates the regulators’ focus when banks rely on them for critical functions and operations. This most recent release provides banks with further insight into OCC expectations and reaffirms the need to have complete and thorough risk-based vendor and third-party management programs with input and engagement by both bank management and the board of directors.
For information and advice on compliance with these and other OCC requirements on third-party risk management, please reach out to either of the authors or your primary DLA Piper contact.