The Office of the Comptroller of the Currency (OCC) rescinded OCC Bulletin 2017-21 and issued OCC BULLETIN 2020-10 Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29 effective March 5, 2020.
We have performed a comparison of the rescinded and newly issued OCC Bulletins and our observations are listed below.
The newly issued OCC Bulletin 2020-10:
- Includes all fourteen questions and answers from the rescinded OCC Bulletin 2017-21
- Reflects current AICPA Service Organization Control references and information regarding SOC1 type 2 reports as well as the reliance on various reports, certificates of compliance, and independent audits
- Reinforces the OCC Bulletin 2013-29 guidance and scope required to build effective Third Party Risk Management (TPRM) programs including clarification of:
- common misinterpretations
- management determination of risk associated with third party relationships
- board of director involvement in critical activities and contract approval
- Provides expanded terms, definitions, and additional information to support effective TPRM regarding:
- business arrangements
- referral arrangements
- appraisers
- professional service providers
- maintenance, catering, and custodial services
- cloud computing services
- data aggregation services
- limited negotiating power in contractual arrangements
- subservice organizations (fourth parties)
- fintechs and start-ups
- compliance management systems
- model risk management
- the use of alternative data
Our recommendation:
Financial institutions should ensure that all new and/or updated regulatory guidance is carefully reviewed in its entirety by qualified staff to ensure the guidance is appropriately distributed and implemented within the organization.
The OCC Bulletin 2020-10 is available on the OCC website here: https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-10.html
Contact us to discuss how to make your TPRM program effective and efficient.
