OCC Bulletin 2021-31| July 19, 2021

Third-Party Relationships: Notice and Request for Comment on Proposed Interagency Guidance

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) are seeking comment from interested parties on a notice of “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” which was published in the Federal Register on July 19, 2021. The comment period closes on September 17, 2021.

Note for Community Banks

When finalized, the “Proposed Interagency Guidance on Third-Party Relationships: Risk Management” will apply to community banks1 with third-party relationships. 

Highlights

The proposed interagency guidance

  • promotes consistency in the agencies’ guidance on third-party risk management.
  • outlines the third-party risk management life cycle and identifies risk management principles applicable to each stage of the life cycle.
  • recognizes that not all third-party relationships present the same level of risk or criticality to a bank’s operations.
  • describes sound risk management for third-party relationships, commensurate with the bank’s risk profile and complexity as well as the criticality of the activity.

The proposed interagency guidance is based on the OCC’s existing third-party risk management guidance from 2013. The proposed interagency guidance would replace each agency’s existing guidance on this topic and would be directed to all banking organizations supervised by the agencies.2

The request for comment

  • seeks feedback on the utility, relevance, comprehensiveness, and clarity of the proposed guidance.
  • asks for responses to specific questions listed in the Federal Register notice.
  • includes the OCC’s 2020 frequently asked questions as an appendix. The agencies are considering incorporating concepts discussed in those frequently asked questions into the final guidance.

Background

Banks routinely rely on third parties for a range of products, services, and activities. The OCC, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation each have previously issued guidance for their respective supervised banking organizations. Each agency’s guidance addresses third-party relationships and appropriate risk management practices. For example, the OCC issued OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” which addresses practices for assessing and managing risks associated with third-party relationships. In addition, the OCC issued OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29,” which clarifies the OCC’s guidance and reflects evolving industry trends. When finalized, the proposed guidance would replace the OCC’s existing guidance on third-party risk management.

Further Information

Please contact Emily Doran, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, at (202) 649-6550.

 

Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy

Related Link

1 “Banks” refers collectively to national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations.

2 For OCC-supervised banks, the proposed guidance would be used in conjunction with OCC Bulletin 2002-16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance.” In addition, other OCC supervisory guidance may include supplemental considerations relating to the use of third parties.