On June 7, the OCC released Bulletin 2017-21, which provides answers to frequently asked questions from national banks and federal savings associations concerning third-party procedure guidance. The Bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” released October 30, 2013, highlights the OCC’s responses on a range of topics. Specifically, the Bulletin:
- defines third-party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
- provides insight on how to adjust risk management practices specific to each relationship;
- discusses ways to structure third-party risk management processes;
- discusses advantages and disadvantages to collaboration between multiple banks when managing third-party relationships;
- outlines bank-specific requirements when using collaborative arrangements;
- provides information-sharing forums that offer resources to help banks monitor cyber threats;
- discusses how to determine whether a fintech relationship is a “critical activity” and covers risks associated with engaging a start-up fintech company;
- addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
- covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
- clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third party to provide mobile payments options to consumers;
- outlines the OCC’s compliance management requirements;
- discusses banks’ rights to access interagency technology service provider reports; and
- answers whether a bank can rely on the accuracy of a third party’s risk management report.
As previously covered in InfoBytes, the OCC released a supplement (Bulletin 2017-7) to Bulletin 2013-29 in January of this year identifying steps prudential bank examiners should take when assessing banks’ third-party relationship risks.