
6/7/2017

OCC BULLETIN 2017-21

Subject: Third-Party Relationships
Date: June 7, 2017
To: Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties

Description: Frequently Asked Questions to Supplement OCC Bulletin 2013-29

Summary

The Office of the Comptroller of the Currency (OCC) is issuing frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," issued October 30, 2013.

Note for Community Banks

This bulletin addresses questions from national banks and federal savings associations (collectively, banks) regarding guidance in OCC Bulletin 2013-29. This bulletin and OCC Bulletin 2013-29 are applicable to all banks.

1. What is a third-party relationship?

OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Third-party relationships include activities that involve outsourced products and services; use of outside consultants; networking arrangements; merchant payment processing services; and services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which a bank has an ongoing third-party relationship or may have responsibility for the associated records. Recently, many banks have developed relationships with financial technology (fintech) companies that involve some of these activities, including performing services or delivering products to a bank's customer base. If a fintech company performs services or delivers products on behalf of a bank or banks, the relationship meets the definition of a third-party relationship and the OCC would expect bank management to include the fintech company in the bank's third-party risk management process.

Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank's third-party service providers that support critical activities. The OCC realizes that although banks may want in-depth information, they may not receive all the information they seek on each critical third-party service provider, particularly from new companies. When a bank does not receive all the information it seeks about third-party service providers that support the bank's critical activities, the OCC expects the bank's board of directors and management to

- develop appropriate alternative ways to analyze these critical third-party service providers.
- establish risk-mitigating controls.
- be prepared to address interruptions in delivery (for example, use multiple payment systems, generators for power, and multiple telecommunications lines in and out of critical sites).
- make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants.
- retain appropriate documentation of all their efforts to obtain information and related decisions.
- ensure that contracts meet the bank's needs.

2. OCC Bulletin 2013-29 defines third-party relationships very broadly and reads like it can apply to lower-risk relationships. How can a bank reduce its oversight costs for lower-risk relationships?

Not all third-party relationships present the same level of risk. The same relationship may present varying levels of risk across banks. Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each relationship. The goal is for the bank's risk management practices for each relationship to be commensurate with the level of risk and complexity of the third-party relationship. This risk assessment should be periodically updated throughout the relationship. It should not be a one-time assessment conducted at the beginning of the relationship.

The OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships. The level of due diligence and ongoing monitoring, however, may differ for, and should be specific to, each third-party relationship. The level of due diligence and ongoing monitoring should be consistent with the level of risk and complexity posed by each third-party relationship. For critical activities, the OCC expects that due diligence and ongoing monitoring will be robust, comprehensive, and appropriately documented. Additionally, for activities that bank management determines to be low risk, management should follow the bank's board-established policies and procedures for due diligence and ongoing monitoring.

3. How should banks structure their third-party risk management process?

There is no one way for banks to structure their third-party risk management process. OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships. Some banks have dispersed accountability for their third-party risk management process among their business lines. Other banks have centralized the management of the process under their compliance, information security, procurement, or risk management functions. No matter where accountability resides, each applicable business line can provide valuable input into the third-party risk management process, for example, by completing risk assessments, reviewing due diligence questionnaires and documents, and evaluating the controls over the third-party relationship. Personnel in control functions such as audit, risk management, and compliance programs should be involved in the management of third-party relationships. However a bank structures its third-party risk management process, the board is responsible for overseeing the development of an effective third-party risk management process commensurate with the level of risk and complexity of the third-party relationships. Periodic board reporting is essential to ensure that board responsibilities are fulfilled.

4. When multiple banks use the same third-party service providers, can they collaborate[1] to meet expectations for managing third-party relationships specified in OCC Bulletin 2013-29?

If they are using the same service providers to secure or obtain like products or services, banks may collaborate[2] to meet certain expectations, such as performing the due diligence, contract negotiation, and ongoing monitoring responsibilities described in OCC Bulletin 2013-29. Like products and services may, however, present a different level of risk to each bank that uses those products or services, making collaboration a useful tool but insufficient to fully meet the bank's responsibilities under OCC Bulletin 2013-29. Collaboration can leverage resources by distributing costs across multiple banks. In addition, many banks that use like products and services from technology or other service providers may become members of user groups. Frequently, these user groups create the opportunity for banks, particularly community banks, to collaborate with their peers on innovative product ideas, enhancements to existing products or services, and customer service and relationship management issues with the service providers. Banks that use a customized product or service may not, however, be able to use collaboration to fully meet their due diligence, contract negotiation, or ongoing responsibilities.

Banks may take advantage of various tools designed to help them evaluate the controls of third-party service providers. In general, these types of tools offer standardized approaches to perform due diligence and ongoing monitoring of third-party service providers by having participating third parties complete common security, privacy, and business resiliency control assessment questionnaires. After third parties complete the questionnaires, the results can be shared with numerous banks and other clients.

Collaboration can result in increased negotiating power and lower costs to banks during the contract negotiation phase of the risk management life cycle.

Some community banks have joined an alliance to create a standardized contract with their common third-party service providers and improve negotiating power.

5. When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually to meet the expectations in OCC Bulletin 2013-29?

While collaborative arrangements can assist banks with their responsibilities in the life cycle phases for third-party risk management, each individual bank should have its own effective third-party risk management process tailored to each bank's specific needs. Some individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as

- integrating the use of product and delivery channels into the bank's strategic planning process and ensuring consistency with the bank's internal controls, corporate governance, business plan, and risk appetite.
- assessing the quantity of risk posed to the bank through the third-party service provider and the ability of the bank to monitor and control the risk.
- implementing information technology controls at the bank.
- ongoing benchmarking of service provider performance against the contract or service-level agreement.
- evaluating the third party's fee structure to determine if it creates incentives that encourage inappropriate risk taking.
- monitoring the third party's actions on behalf of the bank for compliance with applicable laws and regulations.
- monitoring the third party's disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank's disaster recovery and business continuity plans.

6. What collaboration opportunities exist to address cyber threats to banks as well as to their third-party relationships?

Banks may engage with a number of information-sharing organizations to better understand cyber threats to their own institutions as well as to the third parties with whom they have relationships. Banks participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyber attacks on their systems. Banks may use the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT), InfraGard, and other information-sharing organizations to monitor cyber threats and vulnerabilities and to enhance their risk management and internal controls. Banks also may use the FS-ISAC to share information with other banks.

7. Is a fintech company arrangement considered a critical activity?

A bank's relationship with a fintech company may or may not involve critical bank activities, depending on a number of factors. OCC Bulletin 2013-29 provides criteria that a bank's board and management may use to determine what critical activities are. It is up to each bank's board and management to identify the critical activities of the bank and the third-party relationships related to these critical activities. The board (or committees thereof) should approve the policies and procedures that address how critical activities are identified. Under OCC Bulletin 2013-29, critical activities can include significant bank functions (e.g., payments, clearing, settlements, and custody), significant shared services (e.g., information technology), or other activities that

- could cause the bank to face significant risk if a third party fails to meet expectations.
- could have significant bank customer impact.
- require significant investment in resources to implement third-party relationships and manage risks.
- could have major impact on bank operations if the bank has to find an alternative third party or if the outsourced activities have to be brought in-house.


The OCC expects banks to have more comprehensive and rigorous management of third-party relationships that involve critical activities.

8. Can a bank engage with a start-up fintech company with limited financial information?

OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during the due diligence stage of the life cycle before the banks have selected or entered into contracts or relationships with third parties. In assessing the financial condition of a start-up or less established fintech company, the bank may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party's overall financial stability. Assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle. Because it may be receiving limited financial information, the bank should have appropriate contingency plans in case the start-up fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities or services.

Some banks have expressed confusion about whether third-party service providers need to meet a bank's credit underwriting guidelines. OCC Bulletin 2013-29 states that depending on the significance of the third-party relationship, a bank's analysis of a third party's financial condition may be as comprehensive as if the bank were extending credit to the third-party service provider. This statement may have been misunderstood as meaning a bank may not enter into relationships with third parties that do not meet the bank's lending criteria. There is no such requirement or expectation in OCC Bulletin 2013-29.

9. How can a bank offer products or services to underbanked or underserved segments of the population through a third-party relationship with a fintech company?

Banks have collaborated with fintech companies in several ways to help meet the banking needs of underbanked or underserved consumers. Banks may partner with fintech companies to offer savings, credit, financial planning, or payments in an effort to increase consumer access. In some instances, banks serve only as facilitators for the fintech companies' products or services with one of the products or services coming from the banks. For example, several banks have partnered with fintech companies to establish dedicated interactive kiosks or automated teller machines (ATM) with video services that enable the consumer to speak directly to a bank teller. Frequently, these interactive kiosks or ATMs are installed in retail stores, senior community centers, or other locations that do not have branches to serve the community. Some fintech companies offer other ways for banks to partner with them. For example, a bank's customer can link his or her savings account with the fintech company's application, which can offer incentives to the bank's customers to save for short-term emergencies or achieve specific savings goals.

In these examples, the fintech company is considered to have a third-party relationship with the bank that falls under the scope of OCC Bulletin 2013-29.

10. What should a bank consider when entering a marketplace lending arrangement with nonbank entities?

When engaging in marketplace lending activities, a bank's board and management should understand the relationships among the bank, the marketplace lender, and the borrowers; fully understand the legal, strategic, reputation, operational, and other risks that these arrangements pose; and evaluate the marketplace lender's practices for compliance with applicable laws and regulations. As with any third-party relationship, management at banks involved with marketplace lenders should ensure the risk exposure is consistent with their boards' strategic goals, risk appetite, and safety and soundness objectives. In addition, boards should adopt appropriate policies, inclusive of concentration limitations, before beginning business relationships with marketplace lenders.

Banks should have the appropriate personnel, processes, and systems so that they can effectively monitor and control the risks inherent within the marketplace lending relationship. Risks include reputation, credit, concentrations, compliance, market, liquidity, and operational risks. For credit risk management, for example, banks should have adequate loan underwriting guidelines, and management should ensure that loans are underwritten to these guidelines. For compliance risk management, banks should not originate or support marketplace lenders that have inadequate compliance management processes and should monitor the marketplace lenders to ensure that they appropriately implement applicable consumer protection laws, regulations, and guidance. When banks enter into marketplace lending or servicing arrangements, the banks' customers may associate the marketplace lenders'
products with those of the banks, thereby introducing reputation risk if the products underperform or harm customers. Also, operational risk can increase quickly if the operational processes of the banks and the marketplace lenders do not include appropriate limits and controls, such as contractually agreed-to loan volume limits and proper underwriting.

To address these risks, banks' due diligence of marketplace lenders should include consulting with the banks' appropriate business units, such as credit, compliance, finance, audit, operations, accounting, legal, and information technology. Contracts or other governing documents should lay out the terms of service-level agreements and contractual obligations. Subsequent significant contractual changes should prompt reevaluation of bank policies, processes, and risk management practices.

11. Does OCC Bulletin 2013-29 apply when a bank engages a third party to provide bank customers the ability to make mobile payments using their bank accounts, including debit and credit cards?

When using third-party service providers in mobile payment environments, banks are expected to act in a manner consistent with OCC Bulletin 2013-29. Banks often enter into business arrangements with third-party service providers to provide software and licenses in mobile payment environments. These third-party service providers also provide assistance to the banks and the banks' customers (for example, payment authentication, delivering payment account information to customers' mobile devices, assisting card networks in processing payment transactions, developing or managing mobile software (apps) or hardware, managing back-end servers, or deactivating stolen mobile phones).

Many bank customers expect to use transaction accounts and credit, debit, or prepaid cards issued by their banks in mobile payment environments. Because almost all banks issue debit cards and offer transaction accounts, banks frequently participate in mobile payment environments even if they do not issue credit cards. Banks should work with mobile payment providers to establish processes for authenticating enrollment of customers' account information that the customers provide to the mobile payment providers.

12. May a community bank outsource the development, maintenance, monitoring, and compliance responsibilities of its compliance management system?

Banks may outsource some or all aspects of their compliance management systems to third parties, so long as banks monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations. Some banks outsource maintenance or monitoring or use third parties to automate data collection and management processes (for example, to file compliance reports under the Bank Secrecy Act or for mortgage loan application processing or disclosures). The OCC expects all banks to develop and maintain an effective compliance management system and provide fair access to financial services, ensure fair treatment of customers, and comply with consumer protection laws and regulations. Strong compliance management systems include appropriate policies, procedures, practices, training, internal controls, and audit systems to manage and monitor compliance processes as well as a commitment of appropriate compliance resources.

13. Can banks obtain access to interagency technology service providers' (TSP) reports of examination?

TSP reports of examination[3] are available only to banks that have contractual relationships with the TSPs at the time of the examination. Because the OCC's (and other federal banking regulators') statutory authority is to examine a TSP that enters into a contractual relationship with a regulated financial institution, the OCC (and other federal banking regulators) cannot provide a copy of a TSP's report of examination to financial institutions that are either considering outsourcing activities to the examined TSP or that enter into a contract after the date of examination.

Banks can request TSP reports of examination through the banks' respective OCC supervisory office. TSP reports of examination are provided on a request basis. The OCC may, however, proactively distribute TSP reports of examination in certain situations because of significant concerns or other findings to banks with contractual relationships with that particular TSP.

Although a bank may not share a TSP report of examination or the contents therein with other banks, a bank that has not contracted with a particular TSP may seek information from other banks with information or experience with a particular TSP as well as information from the TSP to meet the bank's due diligence responsibilities.


14. Can a bank rely on a third party's Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants' Statement on Standards for Attestation Engagements No. 18 (SSAE 18)?

In meeting its due diligence and ongoing monitoring responsibilities, a bank may review a third party's SOC report prepared in accordance with SSAE 18 to evaluate the effectiveness of the third party's risk management program, including policies, processes, and internal controls.[4] If a third party uses subcontractors (also referred to as fourth parties), a bank may find the third party's SSAE 18 report particularly useful, as SSAE 18 requires the auditor to determine and report on the effectiveness of controls the third party has implemented to monitor the controls of the subcontractor. In other words, the SSAE 18 report will address the question as to whether the third party has effective oversight of its subcontractors. A bank should consider whether an SSAE 18 report contains sufficient information and is sufficient in scope to assess the third party's risk environment or whether additional audit or review is required for the bank to properly assess the third party's control environment.

Further Information

The OCC encourages banks to contact their assigned local field office portfolio manager, assistant deputy comptroller, or appropriate large bank supervision staff members to discuss products and services involving third parties they are considering or to better understand how to meet their responsibilities for managing third-party relationships under OCC Bulletin 2013-29.

For questions regarding this bulletin or OCC Bulletin 2013-29, please contact Judi McCormick, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, at (202) 649-6550. The OCC intends to review banks' questions on OCC Bulletin 2013-29 from time to time and issue future FAQs or other guidance when it deems necessary.

Bethany A. Dugan
Deputy Comptroller for Operational Risk

[1] Refer to OCC News Release 2015-1, "Collaboration Can Facilitate Community Banks' Competitiveness, OCC Says," January 13, 2015.

[2] Any collaborative activities among banks must comply with antitrust laws. Refer to the Federal Trade Commission and U.S. Department of Justice's "Antitrust Guidelines for Collaborations Among Competitors."

[3] The OCC conducts examinations of services provided by significant TSPs based on authorities granted by the Bank Service Company Act, 12 USC 1867. These examinations typically are conducted in coordination with the Board of Governors of the Federal Reserve Board, Federal Deposit Insurance Corporation, and other banking agencies with similar authorities. The scope of examinations focuses on the services provided and key technology and operational controls communicated in the FFIEC Information Technology Examination Handbook and other regulatory guidance.

[4] As of May 2017, SSAE 18 replaced SSAE 16 for SOC 1 engagements.
