OCC adds FAQs on third-party relationships

OCC Bulletin 2020-10, issued yesterday, contains updated FAQs to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. These FAQs are intended to clarify the OCC’s existing guidance and reflect evolving industry trends.

The new bulletin rescinds OCC Bulletin 2017-21, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29,” issued on June 7, 2017. The FAQs from Bulletin 2017-21 have been incorporated unchanged into the new bulletin, except for question No. 24, which was updated to reflect current AICPA Service Organization Control report information.

Topics addressed include:

• the terms “third-party relationship” and “business arrangement.”
• when cloud computing providers are in a third-party relationship with a bank.
• when data aggregators are in a third-party relationship with a bank.
• risk management when the bank has limited negotiating power in contractual arrangements.
• critical activities and how a bank can determine the risks associated with third-party relationships.
• bank management’s responsibilities regarding a third party’s subcontractors.
• reliance on and use of third party-provided reports, certificates of compliance, and independent audits.
• risk management when third party has limited ability to provide the same level of due diligence-related information as larger or more established third parties.
• risk management when using a third-party model or when using a third party to assist with model risk management.
• use of third-party assessment services in managing third-party relationship risks.
• a board’s approval of contracts.
• risk management when obtaining alternative data from a third party