InfoBytes Blog

Financial Services Law Insights and Observations

OCC updates FAQs on third-party risk management

Agency Rule-Making & Guidance | OCC | Third-Party Risk Management | Fintech

On March 5, the OCC released Bulletin 2020-10, which provides answers to frequently asked questions (FAQs) concerning its existing guidance on management of third-party relationships, including relationships with fintech firms and data aggregators. This bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” rescinds (but incorporates the substance of) OCC Bulletin 2017-21 (covered by InfoBytes here). Key topics addressed in the new FAQs include:

  • clarifying the definition of “third-party relationships” and “business arrangements”;
  • outlining expectations for banks that have third-party relationships with cloud computing providers or data aggregators;
  • addressing a bank’s reliance on and use of third party-provided reports, certificates of compliance, and independent audits;
  • discussing risk management when a third party—such as a less established fintech firm, start-up, or other small business—has limited ability to provide the same level of financial information or other due diligence-related information as a more established third party;
  • suggesting approaches for due diligence and ongoing monitoring in instances where the bank has limited negotiating power;
  • addressing ways banks can offer products or services to underbanked/underserved populations through fintech third-party relationships;
  • discussing considerations for banks when entering into a marketplace lending arrangement with a nonbank entity; and
  • outlining measures to address risk management when obtaining alternative data from a third party that may be used by or on behalf of a bank.

The bulletin also reiterates that banks are expected “to practice effective risk management regardless of whether the bank performs an activity internally or through a third party,” and that a “bank’s use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations.”