
OCC Bulletin 2020 – Frequently Asked Questions on Third Party Relationships

Ryan J. Rodrigue

The Office of the Comptroller of the Currency (OCC) recently released an updated FAQ on third-party management expectations for banks of all sizes. While no new guidance or requirements were issued, the FAQ addresses a number of concerns regarding third-party risk that we’ve heard from our clients in recent years. In particular, it addresses:

  • Banks’ use of fintech providers and startup tech companies
  • Relationships with third-party aggregators (such as Mint and You Need a Budget)
  • Oversight related to your vendors’ subcontractors
  • Strategies for vendors with whom you have limited information or negotiating leverage

The FAQ also discusses how to risk-assess each of these third parties and how to tailor oversight requirements to the assessed risk.

We have compiled a few key takeaways from the FAQ:

  • Cloud providers unambiguously fall under the bank’s vendor and third-party management requirements. When a vendor itself relies on a cloud provider (common for SaaS products), that is a subcontracting arrangement the bank should know about.
  • Data aggregators often have no direct relationship with the bank, and in that case are not considered third-party service providers. However, a bank can establish a direct relationship with an aggregator, for example by offering it an API, agreeing to share data, or imposing specific security requirements, and any such relationship needs to be assessed. Even where no contractual relationship exists, the access an aggregator obtains to customer accounts is still relevant to the bank’s information security program. The FAQ walks through several questions and scenarios on this point.
  • In some cases a bank has very little negotiating leverage with a third party, or the third party is unwilling to provide requested information. The bank should then implement mitigating controls where possible, or evaluate and document the resulting deficiencies against its risk appetite.
  • Monitoring and oversight are required for all vendors, but the degree of oversight should be based on risk. Low-risk vendors will typically receive limited oversight, as set out in bank policy. Vendor risk ratings must be reassessed periodically, since a vendor that was low-risk at onboarding may not stay that way as its scope or data access expands.
  • The FAQ explains what counts as a “critical activity” and gives general guidance on performing risk assessments based on this and other factors.
  • Fintech providers may or may not perform “critical activities” in that sense. If they do, a “comprehensive and rigorous” level of monitoring and oversight is expected.
  • The bank’s direct responsibility for its vendors’ subcontractors is generally limited to supervising the vendor’s own oversight program for those subcontractors. A vendor’s SOC report should describe these processes; check whether the report carves out subservice organizations, because a carved-out subcontractor’s controls are not tested in that report and need separate evidence. The bank should know which subcontractors are used and should contractually require notification when subcontractors are engaged.
  • Collaborative arrangements, in which multiple banks jointly obtain due-diligence information from a shared service provider, can be useful. However, the risk the same service poses differs from institution to institution, so each bank must still perform its own risk analysis. The same applies to third-party tools and services that supply security ratings or assessments of your vendors.
  • Fintechs (especially startups) are likely to have limited information available about their financial condition and internal controls. Banks should have contingency plans for providers that cannot demonstrate financial viability. A lack of internal controls, or a lack of evidence for them, should be treated as a risk and evaluated according to the nature of the vendor’s services and your own risk appetite.

The OCC FAQ on third-party vendor management addresses some of the most pressing issues in managing third-party relationships and mitigating common third-party risks. Although it introduces no new regulations on third-party security risk or enterprise risk management, its clarifications help banks align their risk management processes with supervisory expectations.

Ryan is a Principal in Wolf’s Advisory Group and the Director of the Firm’s Information Technology (IT) Assurance & Advisory…
