OCC Issues Updated Risk Management Guidance On Third-Party Relationships


The Office of the Comptroller of the Currency (“OCC”) has revised its risk management guidance on third-party relationships, advising banks to adopt risk management processes that provide more comprehensive oversight and management of third-party relationships involving critical bank activities. The guidance applies only to national banks and federal savings associations; however, state-chartered banks are subject to guidance issued by the Federal Deposit Insurance Corporation (“FDIC”) on this topic, and credit unions are subject to guidance issued by the National Credit Union Administration (“NCUA”) on this topic.

As banks continue to increase not only the number but also the complexity of their relationships with both foreign and domestic third parties, the OCC is concerned that the quality of risk management may not be keeping pace with those changes. The updated guidance states that banks should adopt risk management processes that are proportionate to the level of risk and complexity of third-party relationships and that ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

To manage risks associated with third-party relationships, the OCC advises banks to:

  • Develop plans that outline the bank’s strategy, identify inherent risks of the activity and detail how the bank will select, assess and oversee the third party;
  • Perform proper due diligence when selecting a third-party provider, which includes, but is not limited to, reviewing and evaluating the third party’s overall business strategy, legal and regulatory compliance program, depth of resources, previous experience and risk management program;
  • Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
  • Conduct ongoing monitoring of the third party’s activities and performance;
  • Execute a plan to terminate the relationship in a manner that allows the bank to transition the activities to another third party, bring the activities in-house or discontinue the activities;
  • Assign clear roles and responsibilities for overseeing and managing the third-party relationship and risk management process;
  • Maintain proper documentation and reporting to facilitate oversight, accountability, monitoring and risk management; and
  • Conduct independent reviews of the risk management process to enable management to assess that the bank’s process aligns with its strategy and effectively manages risks.

As a result of this guidance, the OCC has rescinded its previous Bulletin 2001-47 entitled “Third-Party Relationships: Risk Management Principles” and Advisory Letter 2000-9 entitled “Third-Party Risk.”

The complete guidance can be found on the OCC’s website at http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html. Guidance by the FDIC on this topic can be found at http://www.fdic.gov/news/news/financial/2008/fil08044a.html, and guidance by the NCUA can be found at http://www.ncua.gov/Resources/Documents/LCU2007-13ENC.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cullen and Dykman LLP | Attorney Advertising
