On June 7, the OCC released Bulletin 2017-21, which provides answers to frequently asked questions from national banks and federal savings associations concerning third-party procedure guidance. The Bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” released October 30, 2013, presents the OCC’s responses on a range of topics. Among other things, the Bulletin:

  • defines third-party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
  • provides insight on how to adjust risk management practices specific to each relationship;
  • discusses ways to structure third-party risk management processes;
  • discusses advantages and disadvantages to collaboration between multiple banks when managing third-party relationships;
  • outlines bank-specific requirements when using collaborative arrangements;
  • provides information-sharing forums that offer resources to help banks monitor cyber threats;
  • discusses how to determine whether a fintech relationship is a “critical activity” and covers risks associated with engaging a start-up fintech company;
  • addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
  • covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
  • clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third party to provide mobile payments options to consumers;
  • outlines the OCC’s compliance management requirements;
  • discusses banks’ rights to access interagency technology service provider reports; and
  • answers whether a bank can rely on the accuracy of a third party’s risk management report.

As previously covered in InfoBytes, the OCC released a supplement (Bulletin 2017-7) to Bulletin 2013-29 in January of this year identifying steps prudential bank examiners should take when assessing banks’ third-party relationship risks.