OCC Issues New FAQ on Vendor Management

Emphasizes that third-party vendor risk management is not a “one-size-fits-all” process.

The challenges that financial institutions face managing third-party relationships are real, and so is the uncertainty about what regulators want to see in vendor management policies. In response to questions from OCC-regulated banks, the Office of the Comptroller of the Currency has just issued a set of frequently asked questions.

One year ago, then US Comptroller of the Currency Thomas Curry issued a warning to banks about what the regulator viewed as growing risk exposure, particularly with regard to a growing reliance on third parties:

“Some banks are struggling to find viable business models, while others are increasingly adopting innovative products, services, and processes in response to evolving customer demands and the entrance of new competitors. Doing so often involves assuming unfamiliar risks, including expanded reliance on third-party relationships, and the need to update or acquire new information systems and technology platforms. Banks may face heightened strategic planning and governance risk if they do not use sound risk management practices…”

On June 7th, the OCC issued the FAQ, intended to supplement the 2013 guidance entitled “Third-Party Relationships: Risk Management Guidance.” A few FAQs worth noting:

On Flexibility

The OCC affords institutions some flexibility in customizing their third-party risk management practices:

“Not all third-party relationships present the same level of risk…Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each relationship…commensurate with the level of risk and complexity of the third-party relationship.”

On Critical Activities

The FAQs clarify that due diligence and monitoring of relationships that support “critical activities” should be more robust:

“The level of due diligence and ongoing monitoring … may differ for, and should be specific to, each third-party relationship. The level of due diligence and ongoing monitoring should be consistent with the level of risk and complexity posed by each third-party relationship.” There is, of course, an expectation that with respect to critical activities “due diligence and ongoing monitoring will be robust, comprehensive, and appropriately documented.”

On Outsourcing Compliance Management

The FAQ acknowledges the growing reliance by institutions on outside compliance management systems:

A bank may “outsource some or all aspects of their compliance management systems to third parties, so long as banks monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations…The board is responsible for overseeing the development of an effective third-party risk management process commensurate with the level of risk and complexity of the third-party relationships.”

On Marketplace Lenders

“Operational risk can increase quickly if the banks and the marketplace lenders do not include appropriate limits and controls in their operational processes, such as contractually agreed-to loan volume limits and proper underwriting…To address the risks created by marketplace lending arrangements, a bank’s due diligence of marketplace lenders should include consulting with the bank’s appropriate business units, such as credit, compliance, finance, audit, operations, accounting, legal, and information technology.”

Elements of an Effective Risk Management Process

The FAQ identifies the following seven important elements of a risk management process:

  1. policies and procedures for selecting, assessing, and overseeing third parties;
  2. written contracts outlining the rights and responsibilities of all parties;
  3. ongoing monitoring of the third party’s activities and performance;
  4. contingency plans for third-party relationships;
  5. clear roles and responsibilities for overseeing and managing third-party relationships;
  6. documentation and reporting that facilitates oversight, accountability, monitoring, and risk management; and
  7. audits of the effectiveness of the risk management process.

This month’s OCC release is noteworthy as the first clarification of the guidance since it was issued four years ago. Since then, banks have been forced to take a deep dive into their contractual relationships and compliance/risk management procedures to ensure they would withstand the scrutiny of examiners. The full FAQ is worth the attention of any banks under OCC oversight, and also specifically addresses management of other areas of bank operations, including fintech providers, cybersecurity issues, mobile payments, reviews of fourth-party risk and more.

2013 Guidance: Bulletin 2013-29 “Third-Party Relationships: Risk Management Guidance” 

Full text of the new FAQ  

EDR Insight Brief:

Fingerprints Everywhere: 5 Things I Learned About Vendor Management summarizes our webinar with Scott Roller, 3W Partners, on Third-Party Oversight & Governance In A New Regulatory Era.