Third-Party Risk Management for Banks and the Office of the Comptroller of the Currency (OCC) Guidelines


The OCC provides guidance to banks on assessing and managing risks arising from third-party relationships and expects banks to have appropriate risk management processes in place. To that end, OCC Bulletins 2013-29, 2017-21, and 2017-07 set forth guidelines on managing third-party risks. Banks should follow the OCC's guidance to help meet regulatory requirements and demonstrate accountability.

Guidance for Third-Party Risk Management According to OCC Bulletins

Third-party risk management is the focus of the three Office of the Comptroller of the Currency (OCC) Bulletins, with Bulletin 2013-29 serving as the foundational guidance for banks. According to OCC Bulletin 2013-29, banks should develop a robust and effective risk management program to handle the risks and complexities of managing third-party relationships. The Bulletin outlines five key phases in the third-party risk management lifecycle: planning; due diligence and third-party selection; contract negotiation; ongoing monitoring; and termination (including contingency planning). Throughout this lifecycle, banks should, as part of their risk management process, ensure effective oversight and accountability, generate appropriate documentation and reports, and perform independent reviews.

Conduct Third-Party Risk Assessments, Perform Due Diligence

OCC Bulletin 2013-29 highlights the importance of properly assessing third parties and performing due diligence to understand the risks and potential costs of each relationship. Vendorpedia enables banks to automate the risk assessment process, offering intelligent risk flagging, mitigation workflows, and out-of-the-box questionnaire templates. The Global Risk Exchange also streamlines due diligence by aggregating information about third parties for review, such as security and privacy certifications.

Monitor Third Party, Vendor, Supplier Performance and Risks

OCC Bulletin 2013-29 identifies ongoing monitoring as a key element of a proper third-party risk management program. Within Vendorpedia, banks can create an inventory of all third-party relationships and their associated risks. By linking with the Global Risk Exchange, banks can receive notifications when security and privacy certifications expire, or when breaches and enforcement actions occur. Banks can also create triggers within Vendorpedia's automation engine to act quickly and perform reassessments when third-party relationships change.

Evaluate Contracts and Track Key Terms

OCC Bulletin 2013-29 emphasizes the importance of contract management, pinpointing the priorities of performing assessments and avoiding contracts that incentivize third parties to take risks that are harmful to the bank or its customers. OneTrust Vendorpedia gives banks the ability to execute repeatable workflows that help them follow an adequate due diligence process before entering into contracts, and to confirm that contracts clearly define third-party responsibilities. Once a contract is signed, banks can extract and report on key terms for each third-party relationship.

Maintain Records for Oversight and Accountability

OCC Bulletin 2013-29 recommends documentation and reporting to support oversight, accountability, monitoring, and risk management. Throughout the lifecycle of a third-party relationship, banks should maintain records that demonstrate compliance, which also helps streamline audits. With action tracking, up-to-date audit trails, dashboards, and detailed column-level reporting, banks can quickly pull reports from Vendorpedia for executives, auditors, or regulatory authorities.

Key Capabilities to Meet OCC Guidance for Third-Party Risk Management

Contingency Automation

Build contingency workflows and checklists to automate actions when terminating third-party relationships

Intelligent Risk Assessments

Use assessments with built-in logic and risk flags to determine the criticality of third-party relationships and associated risks

Lifecycle Workflows

Track third-party relationships throughout the relationship lifecycle, from assessment to ongoing monitoring and termination

OneTrust. All Rights Reserved.