OCC BULLETIN 2017-21

Subject: Third-Party Relationships
Date: June 7, 2017
To: Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
Description: Frequently Asked Questions to Supplement OCC Bulletin 2013-29
Summary

The Office of the Comptroller of the Currency (OCC) is issuing frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," issued October 30, 2013.

Note for Community Banks

This bulletin addresses questions from national banks and federal savings associations (collectively, banks) regarding guidance in OCC Bulletin 2013-29. This bulletin and OCC Bulletin 2013-29 are applicable to all banks.
1. What is a third-party relationship?

OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Third-party relationships include activities that involve outsourced products and services, use of outside consultants, networking arrangements, merchant payment processing services, and services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which a bank has an ongoing third-party relationship or may have responsibility for the associated records. Recently, many banks have developed relationships with financial technology (fintech) companies that involve some of these activities, including performing services or delivering products to a bank's customer base. If a fintech company performs services or delivers products on behalf of a bank or banks, the relationship meets the definition of a third-party relationship and the OCC would expect bank management to include the fintech company in the bank's third-party risk management process.

Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank's third-party service providers that support critical activities. The OCC realizes that although banks may want in-depth information, they may not receive all the information they seek on each critical third-party service provider, particularly from new companies. When a bank does not receive all the information it seeks about third-party service providers that support the bank's critical activities, the OCC expects the bank's board of directors and management to
- develop appropriate alternative ways to analyze these critical third-party service providers.
- establish risk-mitigating controls.
- be prepared to address interruptions in delivery (for example, use multiple payment systems, generators for power, and multiple telecommunications lines in and out of critical sites).
- make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants.
- retain appropriate documentation of all their efforts to obtain information and related decisions.
- ensure that contracts meet the bank's needs.
2. OCC Bulletin 2013-29 defines third-party relationships very broadly and reads like it can apply to lower-risk relationships. How can a bank reduce its oversight costs for lower-risk relationships?

Not all third-party relationships present the same level of risk. The same relationship may present varying levels of risk across banks. Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each relationship. The goal is for the bank's risk management practices for each relationship to be commensurate with the level of risk and complexity of the third-party relationship. This risk assessment should be periodically updated throughout the relationship. It should not be a one-time assessment conducted at the beginning of the relationship.

The OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships. The level of due diligence and ongoing monitoring, however, may differ for, and should be specific to, each third-party relationship. The level of due diligence and ongoing monitoring should be consistent with the level of risk and complexity posed by each third-party relationship. For critical activities, the OCC expects that due diligence and ongoing monitoring will be robust, comprehensive, and appropriately documented. Additionally, for activities that bank management determines to be low risk, management should follow the bank's board-established policies and procedures for due diligence and ongoing monitoring.
3. How should banks structure their third-party risk management process?

There is no one way for banks to structure their third-party risk management process. OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships. Some banks have dispersed accountability for their third-party risk management process among their business lines. Other banks have centralized the management of the process under their compliance, information security, procurement, or risk management functions. No matter where accountability resides, each applicable business line can provide valuable input into the third-party risk management process, for example, by completing risk assessments, reviewing due diligence questionnaires and documents, and evaluating the controls over the third-party relationship. Personnel in control functions such as audit, risk management, and compliance programs should be involved in the management of third-party relationships. However a bank structures its third-party risk management process, the board is responsible for overseeing the development of an effective third-party risk management process commensurate with the level of risk and complexity of the third-party relationships. Periodic board reporting is essential to ensure that board responsibilities are fulfilled.
4. When multiple banks use the same third-party service providers, can they collaborate[1] to meet expectations for managing third-party relationships specified in OCC Bulletin 2013-29?

If they are using the same service providers to secure or obtain like products or services, banks may collaborate[2] to meet certain expectations, such as performing the due diligence, contract negotiation, and ongoing monitoring responsibilities described in OCC Bulletin 2013-29. Like products and services may, however, present a different level of risk to each bank that uses those products or services, making collaboration a useful tool but insufficient to fully meet the bank's responsibilities under OCC Bulletin 2013-29. Collaboration can leverage resources by distributing costs across multiple banks. In addition, many banks that use like products and services from technology or other service providers may become members of user groups. Frequently, these user groups create the opportunity for banks, particularly community banks, to collaborate with their peers on innovative product ideas, enhancements to existing products or services, and customer service and relationship management issues with the service providers. Banks that use a customized product or service may not, however, be able to use collaboration to fully meet their due diligence, contract negotiation, or ongoing responsibilities.

Banks may take advantage of various tools designed to help them evaluate the controls of third-party service providers. In general, these types of tools offer standardized approaches to perform due diligence and ongoing monitoring of third-party service providers by having participating third parties complete common security, privacy, and business resiliency control assessment questionnaires. After third parties complete the questionnaires, the results can be shared with numerous banks and other clients.

Collaboration can result in increased negotiating power and lower costs to banks during the contract negotiation phase of the risk management life cycle.

Some community banks have joined an alliance to create a standardized contract with their common third-party service providers and improve negotiating power.
5. When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually to meet the expectations in OCC Bulletin 2013-29?

While collaborative arrangements can assist banks with their responsibilities in the life cycle phases for third-party risk management, each individual bank should have its own effective third-party risk management process tailored to each bank's specific needs. Some individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as
- integrating the use of product and delivery channels into the bank's strategic planning process and ensuring consistency with the bank's internal controls, corporate governance, business plan, and risk appetite.
- assessing the quantity of risk posed to the bank through the third-party service provider and the ability of the bank to monitor and control the risk.
- implementing information technology controls at the bank.
- ongoing benchmarking of service provider performance against the contract or service-level agreement.
- evaluating the third party's fee structure to determine if it creates incentives that encourage inappropriate risk taking.
- monitoring the third party's actions on behalf of the bank for compliance with applicable laws and regulations.
- monitoring the third party's disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank's disaster recovery and business continuity plans.
6. What collaboration opportunities exist to address cyber threats to banks as well as to their third-party relationships?

Banks may engage with a number of information-sharing organizations to better understand cyber threats to their own institutions as well as to the third parties with whom they have relationships. Banks participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyber attacks on their systems. Banks may use the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT), InfraGard, and other information-sharing organizations to monitor cyber threats and vulnerabilities and to enhance their risk management and internal controls. Banks also may use the FS-ISAC to share information with other banks.
7. Is a fintech company arrangement considered a critical activity?

A bank's relationship with a fintech company may or may not involve critical bank activities, depending on a number of factors. OCC Bulletin 2013-29 provides criteria that a bank's board and management may use to determine what critical activities are. It is up to each bank's board and management to identify the critical activities of the bank and the third-party relationships related to these critical activities. The board (or committees thereof) should approve the policies and procedures that address how critical activities are identified. Under OCC Bulletin 2013-29, critical activities can include significant bank functions (e.g., payments, clearing, settlements, and custody), significant shared services (e.g., information technology), or other activities that
- could cause the bank to face significant risk if a third party fails to meet expectations.
- could have significant bank customer impact.
- require significant investment in resources to implement third-party relationships and manage risks.
- could have major impact on bank operations if the bank has to find an alternative third party or if the outsourced activities have to be brought in-house.

The OCC expects banks to have more comprehensive and rigorous management of third-party relationships that involve critical activities.
8. Can a bank engage with a start-up fintech company with limited financial information?

OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during the due diligence stage of the life cycle before the banks have selected or entered into contracts or relationships with third parties. In assessing the financial condition of a start-up or less established fintech company, the bank may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party's overall financial stability. Assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle. Because it may be receiving limited financial information, the bank should have appropriate contingency plans in case the start-up fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities or services.

Some banks have expressed confusion about whether third-party service providers need to meet a bank's credit underwriting guidelines. OCC Bulletin 2013-29 states that depending on the significance of the third-party relationship, a bank's analysis of a third party's financial condition may be as comprehensive as if the bank were extending credit to the third-party service provider. This statement may have been misunderstood as meaning a bank may not enter into relationships with third parties that do not meet the bank's lending criteria. There is no such requirement or expectation in OCC Bulletin 2013-29.
9. How can a bank offer products or services to underbanked or underserved segments of the population through a third-party relationship with a fintech company?

Banks have collaborated with fintech companies in several ways to help meet the banking needs of underbanked or underserved consumers. Banks may partner with fintech companies to offer savings, credit, financial planning, or payments in an effort to increase consumer access. In some instances, banks serve only as facilitators for the fintech companies' products or services, with one of the products or services coming from the banks. For example, several banks have partnered with fintech companies to establish dedicated interactive kiosks or automated teller machines (ATM) with video services that enable the consumer to speak directly to a bank teller. Frequently, these interactive kiosks or ATMs are installed in retail stores, senior community centers, or other locations that do not have branches to serve the community. Some fintech companies offer other ways for banks to partner with them. For example, a bank's customer can link his or her savings account with the fintech company's application, which can offer incentives to the bank's customers to save for short-term emergencies or achieve specific savings goals.

In these examples, the fintech company is considered to have a third-party relationship with the bank that falls under the scope of OCC Bulletin 2013-29.
10. What should a bank consider when entering a marketplace lending arrangement with nonbank entities?

When engaging in marketplace lending activities, a bank's board and management should understand the relationships among the bank, the marketplace lender, and the borrowers; fully understand the legal, strategic, reputation, operational, and other risks that these arrangements pose; and evaluate the marketplace lender's practices for compliance with applicable laws and regulations. As with any third-party relationship, management at banks involved with marketplace lenders should ensure the risk exposure is consistent with their boards' strategic goals, risk appetite, and safety and soundness objectives. In addition, boards should adopt appropriate policies, inclusive of concentration limitations, before beginning business relationships with marketplace lenders.

Banks should have the appropriate personnel, processes, and systems so that they can effectively monitor and control the risks inherent within the marketplace lending relationship. Risks include reputation, credit, concentrations, compliance, market, liquidity, and operational risks. For credit risk management, for example, banks should have adequate loan underwriting guidelines, and management should ensure that loans are underwritten to these guidelines. For compliance risk management, banks should not originate or support marketplace lenders that have inadequate compliance management processes and should monitor the marketplace lenders to ensure that they appropriately implement applicable consumer protection laws, regulations, and guidance. When banks enter into marketplace lending or servicing arrangements, the banks' customers may associate the marketplace lenders' products with those of the banks, thereby introducing reputation risk if the products underperform or harm customers. Also, operational risk can increase quickly if the operational processes of the banks and the marketplace lenders do not include appropriate limits and controls, such as contractually agreed-to loan volume limits and proper underwriting.

To address these risks, banks' due diligence of marketplace lenders should include consulting with the bank's appropriate business units, such as credit, compliance, finance, audit, operations, accounting, legal, and information technology. Contracts or other governing documents should lay out the terms of service-level agreements and contractual obligations. Subsequent significant contractual changes should prompt reevaluation of bank policies, processes, and risk management practices.
11. Does OCC Bulletin 2013-29 apply when a bank engages a third party to provide bank customers the ability to make mobile payments using their bank accounts, including debit and credit cards?

When using third-party service providers in mobile payment environments, banks are expected to act in a manner consistent with OCC Bulletin 2013-29. Banks often enter into business arrangements with third-party service providers to provide software and licenses in mobile payment environments. These third-party service providers also provide assistance to the banks and the banks' customers (for example, payment authentication, delivering payment account information to customers' mobile devices, assisting card networks in processing payment transactions, developing or managing mobile software (apps) or hardware, managing back-end servers, or deactivating stolen mobile phones).

Many bank customers expect to use transaction accounts and credit, debit, or prepaid cards issued by their banks in mobile payment environments. Because almost all banks issue debit cards and offer transaction accounts, banks frequently participate in mobile payment environments even if they do not issue credit cards. Banks should work with mobile payment providers to establish processes for authenticating enrollment of customers' account information that the customers provide to the mobile payment providers.
12. May a community bank outsource the development, maintenance, monitoring, and compliance responsibilities of its compliance management system?

Banks may outsource some or all aspects of their compliance management systems to third parties, so long as banks monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations. Some banks outsource maintenance or monitoring or use third parties to automate data collection and management processes (for example, to file compliance reports under the Bank Secrecy Act or for mortgage loan application processing or disclosures). The OCC expects all banks to develop and maintain an effective compliance management system and provide fair access to financial services, ensure fair treatment of customers, and comply with consumer protection laws and regulations. Strong compliance management systems include appropriate policies, procedures, practices, training, internal controls, and audit systems to manage and monitor compliance processes as well as a commitment of appropriate compliance resources.
13. Can banks obtain access to interagency technology service providers' (TSP) reports of examination?

TSP reports of examination[3] are available only to banks that have contractual relationships with the TSPs at the time of the examination. Because the OCC's (and other federal banking regulators') statutory authority is to examine a TSP that enters into a contractual relationship with a regulated financial institution, the OCC (and other federal banking regulators) cannot provide a copy of a TSP's report of examination to financial institutions that are either considering outsourcing activities to the examined TSP or that enter into a contract after the date of examination.

Banks can request TSP reports of examination through the banks' respective OCC supervisory office. TSP reports of examination are provided on a request basis. The OCC may, however, proactively distribute TSP reports of examination in certain situations because of significant concerns or other findings to banks with contractual relationships with that particular TSP.

Although a bank may not share a TSP report of examination or the contents therein with other banks, a bank that has not contracted with a particular TSP may seek information from other banks with information or experience with a particular TSP as well as information from the TSP to meet the bank's due diligence responsibilities.
14. Can a bank rely on a third party's Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants' Statement on Standards for Attestation Engagements No. 18 (SSAE 18)?

In meeting its due diligence and ongoing monitoring responsibilities, a bank may review a third party's SOC report prepared in accordance with SSAE 18 to evaluate the effectiveness of the third party's risk management program, including policies, processes, and internal controls.[4] If a third party uses subcontractors (also referred to as fourth parties), a bank may find the third party's SSAE 18 report particularly useful, as SSAE 18 requires the auditor to determine and report on the effectiveness of controls the third party has implemented to monitor the controls of the subcontractor. In other words, the SSAE 18 report will address the question as to whether the third party has effective oversight of its subcontractors. A bank should consider whether an SSAE 18 report contains sufficient information and is sufficient in scope to assess the third party's risk environment or whether additional audit or review is required for the bank to properly assess the third party's control environment.
Further Information

The OCC encourages banks to contact their assigned local field office portfolio manager, assistant deputy comptroller, or appropriate large bank supervision staff members to discuss products and services involving third parties they are considering or to better understand how to meet their responsibilities for managing third-party relationships under OCC Bulletin 2013-29.

For questions regarding this bulletin or OCC Bulletin 2013-29, please contact Judi McCormick, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, at (202) 649-6550.

The OCC intends to review banks' questions on OCC Bulletin 2013-29 from time to time and issue future FAQs or other guidance when it deems necessary.

Bethany A. Dugan
Deputy Comptroller for Operational Risk
[1] Refer to OCC News Release 2015-1, "Collaboration Can Facilitate Community Banks' Competitiveness, OCC Says," January 13, 2015.
[2] Any collaborative activities among banks must comply with antitrust laws. Refer to the Federal Trade Commission and U.S. Department of Justice's "Antitrust Guidelines for Collaborations Among Competitors."
[3] The OCC conducts examinations of services provided by significant TSPs based on authorities granted by the Bank Service Company Act, 12 USC 1867. These examinations typically are conducted in coordination with the Board of Governors of the Federal Reserve Board, Federal Deposit Insurance Corporation, and other banking agencies with similar authorities. The scope of examinations focuses on the services provided and key technology and operational controls communicated in the FFIEC Information Technology Examination Handbook and other regulatory guidance.
[4] As of May 2017, SSAE 18 replaced SSAE 16 for SOC 1 engagements.