On June 7, 2017, the Office of the Comptroller of the Currency (“OCC”) issued frequently asked questions (“FAQs”) that supplement the OCC’s 2013 guidance entitled “Third-Party Relationships: Risk Management Guidance” (“2013 Bulletin”). The 2013 Bulletin sets forth the OCC’s expectation for banks’ due diligence and ongoing monitoring of third-party service providers, including enhanced diligence and monitoring for third parties that support critical activities. While the FAQs affirm this guidance, they provide substantial flexibility for banks to right-size their approach to third-party risk management, including with respect to banks’ financial technology (“fintech”) partnerships. This alert highlights key aspects of the FAQs.
THE THIRD-PARTY RISK MANAGEMENT GUIDANCE IS BROAD…
The FAQs confirm the broad scope of the 2013 Bulletin, stating that any business arrangement between the bank and another entity—including outsourced products and services, use of outside consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements—are third-party relationships subject to the guidance.
Please see full publication below for more information.