Kezia Farnham

Senior Manager

OCC third party risk management: 8 steps to achieve compliance

Cyber attacks, data breaches and market fluctuations are just a few risks financial institutions face. As risks are rising, it’s more important than ever for banks and other financial services organizations to have a practical approach to OCC third-party risk management.

OCC refers to the Office of the Comptroller of the Currency, an independent bureau within the U.S. Department of the Treasury that regulates and monitors national banks and other financial institutions. Like other regulatory bodies, the OCC expects not only that organizations are compliant themselves but that any third-party partners are, too.

There is third-party risk management software that can facilitate this compliance. But it’s also essential that organizations have an effective third-party risk management strategy in place that accounts for the OCC’s guidance.

What Is the OCC and How Does It Apply to Third-Party Risk Management?

The OCC is the federal regulatory body overseeing all national banks, federal savings associations, federal branches and agencies of foreign banks. They operate independently from the U.S. Department of the Treasury, allowing it greater oversight of financial institutions.

The OCC’s function applies to third-party risk management because while the OCC does ensure that banks treat all customers fairly, it’s also in charge of compliance. The OCC sets requirements that all financial institutions must meet based on relevant laws and regulations. These requirements apply to an organization’s direct activities and to the activities of any third parties they work with.

Organizations need to be aware of the following OCC bulletins:

• 2013-29
• 2020-10
• 2017-07
• 2001-47

OCC Bulletin 2013-29

This bulletin specifically addresses financial institutions’ third-party relationships. In it, the OCC requires that banks, savings associations and even software providers assess and manage the risks tied to their third-party partners.

OCC Bulletin 2020-10

This bulletin is a supplement to Bulletin 2013-29. It acts as an FAQ to clarify what 2013-29 requires. In it, the OCC defines important terms and clarifies how banks should manage different types of risk.

It's important to note the OCC considers a third-party relationship any arrangement between a bank and an outside entity, by contract or otherwise. Organizations that engage in these types of arrangements must then also be compliant with 2013-29.

OCC Bulletin 2017-07

This bulletin focuses on examiners. These are the people who review each institution’s risk management program to determine whether or not that program is compliant. While it targets examiners, 2017-07 is also a valuable roadmap for OCC third-party risk management because it details exactly what processes should be in place.

OCC Bulletin 2001-47

OCC Bulletin 2013-29 replaced this bulletin as of May 2012. But Bulletin 2001-47 illustrates how long the OCC has been overseeing compliance activities. In this rescinded bulletin, the OCC guides banks on safeguarding against third-party risks. Many of their initial recommendations appear in OCC 2013-29, including the need for a thorough risk assessment and due diligence process.

OCC Bulletin 2013-29 Third Party Relationships Risk Management Guidance

Bulletin 2013-29 is the foremost guide to OCC third-party risk management. Issued on October 20, 2013, it remains an essential document for banks and savings associations that need to secure third-party relationships.

The OCC’s guidance spans from the initial due diligence to third-party contracts to the daily processes required to ensure third-party compliance. According to 2013-29, banks should:

1. Implement risk management policies and procedures: These should match the risk and complexity of their third-party relationships. The more complex the relationships, the more comprehensive the policies should be.
2. Actively oversee all third-party relationships: This means completing thorough due diligence and overseeing all of their activities to ensure risk management practices are in place.
3. Develop a risk management process: OCC third-party risk management requires that processes cover the entire lifecycle of the third-party relationship.

How to Meet OCC Third-Party Risk Management Requirements

Organizations need to consider the entire lifecycle to meet the OCC third-party risk management requirements. Banks and other covered financial institutions need thorough and documented processes for every step, from risk assessments to contract execution to regular reviews.

Organizations can take the following steps to achieve OCC compliance:

1. Create a Risk Management Strategy: This strategy outlines how the organization will evaluate and manage risk. It should be well-documented and detail the process for third-party selection and the risks involved in the arrangement.
2. Complete Due Diligence: Not all third parties are trustworthy, even if they seem so at first. To comply with the OCC, banks need an effective way to vet all potential third-party partners to ensure no bad actors gain access to the organization.
3. Work With Contracts: Contracts can protect financial institutions because they outline the working relationship and what that requires of each party. Organizations should define the roles and responsibilities of the third party, specifically those that pertain to risk management.
4. Monitor Risk: Risks always evolve, and third parties can slip up at any time. Organizations must adopt an always-on approach to risk to catch any potential lapses in the third party’s performance.
5. Have a Contingency Plan: Third-party relationships don’t always go to plan, even if both parties have the best intentions. An organization’s contingency plan should define how the bank will proceed if the relationship falls through, including how they’ll quickly limit the third party’s access to company systems.
6. Define Roles and Responsibilities: An important part of responding to risk is knowing who is responsible for activities related to risk management. Banks should document who will do what, from due diligence to onboarding and even in case of a breach.
7. Deliver Ongoing Reporting: An organization may have a risk management program, but that doesn’t mean all policies are working. Ongoing reporting ensures key stakeholders have visibility into the program and provides assurance that the risk management strategy is effective.
8. Plan for Independent Reviews: Reviews are inherent in OCC third-party risk management. Organizations that successfully implement steps 1-7 will be well prepared for independent reviews, during which banks can validate their strategy's effectiveness.

Stay Ahead of Risk With Technology

Third parties are an integral part of any financial institution. In many cases, third parties support the services and products that customers love. But they also introduce risk. While OCC third-party risk management is a great way organizations can protect themselves, achieving compliance can be both time-consuming and costly.

The right tools can make all the difference between effectively securing all third parties and letting costly lapses fall through the cracks. Learn more about how technology can save money and enhance third-party compliance through fully-deployed automation with real-time visibility on one unified platform.