Special Alert: OCC Issues Supplement to Third-Party Oversight Guidance, Emphasizes Bank Responsibilities in Managing Risks in Fintech Relationships
On June 7, 2017, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2017-21 as a supplement to Bulletin 2013-29, the OCC’s 2013 risk management guidance related to third-party relationships. The OCC’s latest release answers 14 frequently asked questions (FAQs) and marks the second supplement issued this year to Bulletin 2013-29. Previously, on January 24, 2017, the OCC issued Bulletin 2017-7 to advise national banks, federal savings associations, and technology service providers of examination procedures the OCC would follow during supervisory examinations.
As previously summarized in Buckley Sandler’s Special Alert, Bulletin 2013-29 requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, and warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” Bulletin 2013-29 outlined a “life cycle” approach and provided detailed descriptions of steps that a bank should consider taking at five important stages of third-party relationships: (i) planning; (ii) due diligence and third-party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. Consistent with the life cycle approach established in Bulletin 2013-29, the examination procedures set forth in Bulletin 2017-7 identify steps examiners should take in requesting information relevant to assessing the banks’ third-party relationship risk management at each phase of the life cycle.
Click here to read full special alert.
If you have questions about the ruling or other related issues, visit our Vendor Management and FinTech practice pages for more information, or contact a Buckley Sandler attorney with whom you have worked in the past.