Guidance for Third-Party Risk Management According to OCC Bulletins
Third-party risk management is the focus of three Office of the Comptroller of the Currency (OCC) Bulletins, with Bulletin 2013-29 serving as the foundational guidance for banks. According to OCC Bulletin 2013-29, banks should develop a robust and effective risk management program to address the risks and complexities of managing third-party relationships. The Bulletin outlines five key phases in the third-party risk management lifecycle: planning; due diligence and third-party selection; contract negotiation; ongoing monitoring; and termination (including contingency planning). Throughout this lifecycle, banks should ensure effective oversight and accountability, produce appropriate documentation and reporting, and perform independent reviews.
OCC Bulletin 2013-29 stresses that banks must properly assess and perform due diligence on third parties, and must understand the costs of doing so before entering into a relationship. Vendorpedia enables banks to automate the risk assessment process, offering intelligent risk flagging, mitigation workflows, and out-of-the-box questionnaire templates. The Global Risk Exchange also streamlines due diligence by aggregating information about third parties for review, such as security and privacy certifications.
OCC Bulletin 2013-29 identifies ongoing monitoring as a key element of a proper third-party risk management program. Within Vendorpedia, banks can create an inventory of all third-party relationships and their associated risks. By linking with the Global Risk Exchange, banks can receive notifications when security and privacy certifications expire, or when breaches and enforcement actions occur. Banks can also create triggers within Vendorpedia's automation engine to act quickly and perform reassessments when third-party relationships change.
OCC Bulletin 2013-29 emphasizes the importance of contract management, highlighting the need to complete due diligence before contracting and to avoid contract terms that incentivize third parties to take risks that are harmful to the bank or its customers. OneTrust Vendorpedia gives banks the ability to execute repeatable workflows that help enforce an adequate due diligence process before entering into contracts, and to confirm that contracts clearly define third-party responsibilities. Once a contract is signed, banks can extract and report on key terms for each third-party relationship.
OCC Bulletin 2013-29 calls for documentation and reporting to support oversight, accountability, monitoring, and risk management. Throughout the lifecycle of a third-party relationship, banks should maintain records that demonstrate compliance, which also helps streamline audits. With action tracking, up-to-date audit trails, dashboards, and detailed column-level reporting, banks can quickly produce reports in Vendorpedia for executives, auditors, and regulatory authorities.
Key Capabilities to Meet OCC Guidance for Third-Party Risk Management
Build contingency workflows and checklists to automate actions when terminating third-party relationships
Use assessments with built-in logic and risk flags to determine the criticality of third-party relationships and associated risks
Track third-party relationships throughout the relationship lifecycle, from assessment to ongoing monitoring and termination