Six Key Takeaways From the Update to OCC 2013-29

A Guide to Managing Financial Health When it Comes to Third-Party Relationships

The Office of the Comptroller of the Currency (OCC) recently issued an updated third-party risk management guideline for U.S. banks and federal savings associations. The update serves as an FAQ for OCC Bulletin 2013-29, and describes the steps banks must take to protect consumers from the risk posed by third-party suppliers.

In essence, the bulletin was created because third party risk management has become more complex — and because banks are responsible for ensuring that their suppliers and third parties are compliant and following appropriate risk management processes.

As we face an ever-riskier environment, the OCC guidance becomes more important — but it’s not always easily understood. In fact, when OCC 2013-29 on conducting third-party relationships was first released in October 2013, many banks and financial institutions were unclear on the best practices for implementing the guidance.

Cue Bulletin 2017-21, issued by the OCC in June of this year to provide clarification on OCC 2013-29. The bulletin included 14 frequently asked questions to address uncertainty around third party risk management methods and redefine what types of entities needed to be considered as third parties.

Opus partner Rapid Ratings recently pointed out four essential takeaways from the OCC Bulletin 2017-21. We wanted to take the opportunity to expand on these four important points and offer two more takeaways that are critical to OCC 2013-29.

1. Banks should use a risk-based approach to evaluate the financial condition of all third parties at the start of the relationship and throughout.

The OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships. Per Bulletin 2017-21’s FAQs, “banks should consider the financial condition of their third parties during the due diligence stage of the life cycle before the banks have selected or entered into contracts or relationships with third parties.” The level of due diligence and ongoing monitoring, however, may differ for and should be specific to each third-party relationship and should be consistent with the level of risk and complexity posed by each. The same relationship may present varying levels of risk across banks. Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices accordingly.

2. Fintechs are considered private third parties in need of evaluation.

The expanded definition of third party, which now includes fintechs, is an important clarification to OCC 2013-29. Many banks have started to develop relationships with financial technology companies that involve activities like performing services or delivering products to a bank’s customer base. If a fintech company performs these activities on behalf of a bank, the OCC will expect bank management to include the fintech company in the bank’s third-party risk management process.

3. A thorough review of actual financial statements is required.

While OCC 2013-29 states that banks must assess the financial health of third parties, “including reviews of the third party’s audited financial statements,” Bulletin 2017-21 presented a clearer picture of said financial statements. According to the FAQs, evaluating financial condition of a third party includes “funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party’s overall financial stability.”

4. Banks may leverage various automation tools designed to help them evaluate the controls of third-party service providers at scale.

The OCC recognizes that banks will have many third parties to evaluate under OCC 2013-29 and, according to FAQ number 4, banks can leverage tools that “offer standardized approaches to perform due diligence and ongoing monitoring of third-party service providers.” These tools typically work by having participating third parties complete common security, privacy, and business resiliency control assessment questionnaires, so that many banks can rely on one standardized assessment rather than each repeating the same review.

5. Collaboration is acceptable at the product or service level, but won’t fully meet the requirements of OCC 2013-29.

This is a key clarification in FAQ number 4 – if banks are using the same service providers, they may collaborate to meet certain expectations like due diligence, contract negotiation, and ongoing monitoring responsibilities. However, banks must recognize that while collaboration is a useful tool, collaboration alone is insufficient for full compliance. Each bank is subject to a different level of risk from each product or service. While collaborative arrangements can help in the life-cycle phases for third party risk management, individual banks should still use their own tailored third-party risk management process. Some individual bank-specific responsibilities outlined in FAQ number 5 include defining the requirements for planning and termination (e.g., plans to manage the third-party relationship and development of contingency plans in response to termination of service), assessing the quantity of risk posed to the bank, ongoing benchmarking of the service provider, monitoring the third party

6. Banks may engage with a number of information-sharing organizations to better understand cyber threats.

Information sharing has proved useful for preventing cyber attacks against banks and the third parties with whom they have relationships, and is permitted under OCC 2013-29.

The need for banks to monitor all third-party relationships using a risk-based approach is critical to OCC 2013-29, and is now further defined in OCC 2017-21. Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices accordingly. The goal is for a bank’s risk management practices to be commensurate with the level of risk and complexity of the third-party relationship. Risk assessment is never once and done: it should be continuously monitored and periodically updated throughout the relationship.

For more information on OCC compliance and OCC 2013-29, download the Managing Third Party Risk for OCC Compliance whitepaper.