Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29
- Source: occ.gov
Treliant knows third-party risk management. If you need assistance with assessing or managing your third-party risks, Treliant can help.
On March 5, 2020, the Office of the Comptroller of the Currency (OCC) released OCC Bulletin 2020-10, an updated list of frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance. OCC Bulletin 2020-10 rescinds and replaces OCC Bulletin 2017-21, although most of the FAQ from OCC Bulletin 2017-21 have been incorporated into OCC Bulletin 2020-10 without changes.
Many of the additions to the FAQ, which are summarized below, are focused on technological advances. There are specific FAQs related to cloud computing, data aggregators, and alternative data providers.
- What is a business arrangement? A business arrangement is interpreted broadly and synonymously with a third-party relationship. Examples of business relationships include outsourced products and services; consultants; networking arrangements; merchant payment processing arrangements; products or services provided by affiliates, subsidiaries, joint ventures, or other ongoing relationships; referral arrangements; appraisal or appraisal management company relationships; professional services providers; and maintenance, catering, and custodial service companies. Neither a written contract nor a monetary exchange is required to establish a business relationship.
- Does a company that provides a bank with cloud computing have a third-party relationship with the bank? If so, what are the risk management expectations? A bank with a business relationship with a cloud computing provider has a third-party relationship with the provider. Banks should incorporate a level of due diligence and oversight commensurate with the risk, while keeping in mind that specific technical controls may operate differently in a cloud computing environment than in traditional network environments.
- If a data aggregator collects customer-permissioned data from a bank, does the data aggregator have a third-party relationship with the bank? If so, what are the risk management expectations? Whether a bank has a business relationship with a data aggregator depends on the formality of the relationship between the data aggregator and the bank. If the bank contracts or partners with a data aggregator to use the data aggregator’s services, or if the bank has a bilateral agreement with a data aggregator for sharing customer-permissioned data (such as through an API), then the bank has a business relationship with the data aggregator. Banks should incorporate a level of due diligence and oversight commensurate with the risk. Given the sensitivity of the data to be shared, the bank should consider the data aggregator’s ability to appropriately manage the risks associated with sharing sensitive customer information.
If the data aggregator uses credentials provided by the customer to “screen scrape” or capture customer data without a contract with the bank, the bank typically does not have a business relationship with the data aggregator. Even so, banks should implement appropriate risk management for this type of activity, including identification of screen-scraping activities and due diligence on the parties engaging in them.
- What type of due diligence and monitoring should be conducted in third-party relationships where the bank has limited negotiating power? The bank should take appropriate actions to manage the risks of the business relationship, such as assessing whether the third party is the most appropriate provider for the goods or services; determining if the risk of limited negotiating power is within the bank’s risk appetite; confirming the contracts meet the bank’s needs; identifying alternate methods to analyze critical third parties; retaining documentation of efforts to obtain information and analyze the third party; and being prepared to address interruptions in service delivery.
- What third-party relationships involve critical activities? Critical third-party relationships are those related to significant bank functions or significant shared services that could have significant customer impacts; that require significant resources to implement and manage; that could cause the bank to face significant risk; or that could have a major impact on bank operations if the outsourced activity must be placed with a new vendor or brought in-house. Examples include payments, clearing, settlements, custody, and information technology. Banks are expected to have a sound methodology for designating critical third-party relationships and ensuring those relationships receive more comprehensive and rigorous oversight and risk management.
- How should banks determine the risks associated with third-party relationships? Banks should consider the size, complexity, category of relationship, risk characteristics, and criticality. Due diligence and risk management activities should be commensurate with the risk and complexity of the third-party relationship.
- What are bank management’s responsibilities regarding a third party’s subcontractors? Bank management should determine whether a third party appropriately oversees, monitors, and manages its fourth parties. This may involve the use of independent reports and certifications. A bank’s third-party risk management system should identify third parties that use subcontractors or fourth parties. Ongoing monitoring of those vendors should consider the nature and extent of the reliance on fourth parties; the location of subcontractors and bank data; the criticality of the services provided; whether subcontractors have access to sensitive customer information; and the third party’s monitoring and control testing of subcontractors.
- Can a bank rely on reports, certificates of compliance, and independent audits provided by entities with which it has a third-party relationship? Banks may review and consider such reports. Bank management should consider whether the reports contain sufficient information to assess the third party’s controls and whether the report, certification, or audit is consistent with generally recognized standards. For some third parties, such as cloud computing providers with multiple physical locations, cloud-specific SOC reports based on the framework advanced by the Cloud Security Alliance may be useful. For others, such as financial market utilities, reports disclosing how the third party’s businesses and operations reflect each of the applicable Principles for Financial Market Infrastructures are reliable. In addition, banks can rely on pooled audit reports, which are audits paid for by a group of banks that use the same company for similar products and services.
- What type of due diligence and monitoring should be applied to third parties such as fintechs, start-ups, and small businesses that are limited in their ability to provide the same level of information as more established or larger third parties? Banks should consider the financial condition of their third parties. If third parties can provide only limited due diligence information, banks should consider alternative information sources. In assessing third parties, the bank may consider the third party’s funding sources, access to funds, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors influencing financial stability. Banks may also consider the criticality of the business relationship and the third party’s risk management and control environment. For third parties with limited financial information, the bank should prepare contingency plans in case the third party is unable to perform the agreed-upon activities.
- How should a bank manage third-party risk when using a third-party model or a third party to assist with model risk management? Both OCC Bulletin 2013-29 and OCC Bulletin 2011-12 (Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management) are applicable to business relationships involving the use of a third-party model or the use of a third party to assist with model risk management. Banks should conduct appropriate due diligence on the third party and on the model itself. Risk-based reviews of models should incorporate ongoing model monitoring and maintenance to ensure the model is working as intended, existing validation activities are sufficient, and needed modifications and updates are made to the model. If the bank leverages a third-party validation report provided by the model vendor, the bank should ensure the report includes a clear statement of model purpose, validation scope, key assumptions and limitations, and validation results, including model deficiencies over a range of financial and economic conditions, and a determination of whether compensating controls are required.
- How may a bank use third-party assessment services (a.k.a. third-party utilities)? When using a third-party assessment service, bank management should understand the scope of the utility report and how the report covers the specific services the bank receives from the third party. For critical vendors, the standardized questionnaire used by third-party assessment services may not be sufficient. In addition, banks using third-party assessment services should incorporate the third-party utility into their third-party risk management processes.
- How does a bank’s board of directors approve third-party contracts involving critical activities? The bank board does not have to read or negotiate each contract for critical activities. However, the board should receive sufficient information to understand the bank’s strategy for the use of third parties, as well as the key dependencies, limitations, benefits, and risks of using third parties for critical services. The board may use executive summaries of contracts in its review, and may delegate contract approval to a board committee or senior management.
- How should a bank handle third-party risk management when obtaining alternative data from a third party? When acquiring alternative data from a third party, the bank should conduct appropriate due diligence on the third party; ensure the alternative data usage is consistent with safe and sound banking operations; consider the relevant consumer protection laws and regulations related to the data and its use; conduct appropriate risk-based monitoring on the third party; and, if the proposed use of the alternative data is a substantial deviation from the bank’s existing plans or a material change in the bank’s use of alternative data, discuss the bank’s plan with the OCC portfolio manager, examiner-in-charge, or supervisory office, as appropriate.
In all of the FAQ related to technology, there are recurrent themes related to information security and reputational and operational risks. Some banks and financial technology providers have expressed concerns that the OCC has not balanced information security concerns with consumer data access. Others have complained that the focus on information security could slow adoption of open banking and data sharing technologies. If the Consumer Financial Protection Bureau (CFPB) issues a rule to enforce consumer data access under §1033 of the Consumer Financial Protection Act, banks may face additional constraints in balancing consumer data access and information security. Finally, the FAQ related to data aggregator activities may reignite the ongoing debates over which data should be accessible to aggregators, as well as provide clarity on white-listing of data aggregator IP addresses.