OCC Bulletin 2020-10
March 5, 2020
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Office of the Comptroller of the Currency (OCC) is issuing frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," issued October 30, 2013. These FAQs are intended to clarify the OCC's existing guidance and reflect evolving industry trends.
This new bulletin rescinds OCC Bulletin 2017-21, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29," issued on June 7, 2017. The FAQs from OCC Bulletin 2017-21 have been incorporated unchanged into this new bulletin, except for question No. 24, which was updated to reflect current AICPA Service Organization Control report information. The FAQ numbers from OCC Bulletin 2017-21 are noted in parentheses throughout this bulletin.
This bulletin applies to community banks.1
Topics addressed in the new FAQs include
OCC Bulletin 2013-29 addresses risk management of third-party relationships. The OCC expects a bank to practice effective risk management regardless of whether the bank performs an activity internally or through a third party. A bank's use of third parties does not diminish the bank's responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations. A bank's third-party risk management should be commensurate with the level of risk and complexity of its third-party relationships; the higher the risk of the individual relationship, the more robust the third-party risk management should be for that relationship. It is up to bank management to determine the risks associated with each of the bank's third-party relationships.
OCC Bulletin 2013-29 recognizes that not all third-party relationships present the same level of risk or criticality to a bank's operations. Risk does not depend on the size of the third-party relationship. For example, a large service provider delivering office supplies might be low risk; a small service provider in a foreign country that provides information technology services to a bank's call center might be considered high risk.
Some banks categorize their third-party relationships by similar risk characteristics and criticality (e.g., information technology service providers; portfolio managers; catering, maintenance, and groundkeeper providers; and security providers). Bank management then applies different standards for due diligence, contract negotiation, and ongoing monitoring based on the risk profile of the category. By differentiating its third-party service providers by category, risk profile, or criticality, the bank may be able to gain efficiencies in due diligence, contract negotiation, and ongoing monitoring.
Bank management should determine the risks associated with each third-party relationship or category of relationship. A bank's third-party risk management should be commensurate with the level of risk and complexity of its third-party relationships; the higher the risk of the individual or category of relationships, the more robust the third-party risk management should be for that relationship or category of relationships. A bank's policies regarding the extent of due diligence, contract negotiation, and ongoing monitoring for third-party relationships should show differences that correspond to different levels of risk.
Please contact Lazaro Barreiro, Director for Governance and Operational Risk Policy, Operational Risk Division, at (202) 649-6550.
Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy
1 As used in this bulletin, "banks" refers collectively to national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.
2 For more information, refer to OCC Bulletin 2019-43, "Appraisals: Appraisal Management Company Registration Requirements."
3 Refer to OCC Bulletin 2003-12, "Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing: Revised Guidelines on Internal Audit and its Outsourcing."
4 If a bank considers these activities to be low risk, management should refer to FAQ No. 7 in this bulletin for more information about the extent of due diligence, contract negotiation, and ongoing monitoring that should be conducted for third-party relationships that support or involve low-risk bank activities.
5 Refer to FAQ No. 11 in this bulletin for more information about a third party's subcontractors.
6 Refer to FAQ No. 14 in this bulletin for more information on bank reliance on reports, certificates of compliance, and independent audits provided by entities with which the bank has a third-party relationship.
7 Data aggregators are entities that access, aggregate, share, or store consumer financial account and transaction data that they acquire through connections to financial services companies. Aggregators are often intermediaries between the financial technology (fintech) applications that consumers use to access their data and the sources of data at financial services companies. An aggregator may be a generic provider of data to consumer fintech application providers and other third parties, or the aggregator may be part of a company providing branded and direct services to consumers. Refer to U.S. Department of the Treasury report "A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation" for more information on data aggregators.
8 Refer to OCC Bulletin 2001-12, "Bank-Provided Account Aggregation Services: Guidance to Banks" (national banks) for more information on direct relationships. While the OCC has not made OCC Bulletin 2001-12 applicable to federal savings associations, federal savings associations may nonetheless find the information in the bulletin relevant.
9 An API refers to a set of protocols that links two or more systems to enable communication and data exchange between them. An API for a particular routine can easily be inserted into code that uses that API in the software. An example would be the Financial Data Exchange's "FDX API Standard."
10 Refer to OCC News Release 2015-1, "Collaboration Can Facilitate Community Bank Competitiveness, OCC Says," January 13, 2015.
11 Any collaborative activities among banks must comply with antitrust laws. Refer to the Federal Trade Commission and U.S. Department of Justice's "Antitrust Guidelines for Collaborations Among Competitors."
12 Refer to ISO 22301:2012, "Societal Security – Business Continuity Management Systems – Requirements," for more information regarding the ISO's standards for business continuity management.
13 For more information on types of audits and control reviews, refer to appendix B of the "Internal and External Audits" booklet of the Comptroller's Handbook.
14 The OCC conducts examinations of services provided by significant TSPs based on authorities granted by the Bank Service Company Act, 12 USC 1867. These examinations typically are conducted in coordination with the Board of Governors of the Federal Reserve Board, Federal Deposit Insurance Corporation, and other banking agencies with similar authorities. The scope of examinations focuses on the services provided and key technology and operational controls communicated in the FFIEC Information Technology Examination Handbook and other regulatory guidance.
15 Existing OCC and interagency guidance potentially applicable to alternative data includes "Policy Statement on Discrimination in Lending" (59 Fed. Reg. 18266 (April 15, 1994)); OCC Bulletin 1997-24, "Credit Scoring Models: Examination Guidance"; OCC Bulletin 2011-12, "Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management"; OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management"; and OCC Bulletin 2017-43, "New, Modified, or Expanded Bank Products and Services: Risk Management Principles."
16 Refer to OCC Bulletin 2019-62, "Consumer Compliance: Interagency Statement on the Use of Alternative Data in Credit Underwriting," for more information about compliance risk management considerations regarding the use of alternative data. Also refer to Consumer Financial Protection Bureau (CFPB), "Request for Information Regarding Use of Alternative Data and Modeling Techniques in the Credit Process," 82 Fed. Reg. 11183 (February 21, 2017).
17 The information in this list is consistent with the Interagency Policy Statement on the Use of Alternative Data in Credit Underwriting.