Third Party Risk Management

OCC FAQs – Results of Our Comparison

The Office of the Comptroller of the Currency (OCC) rescinded OCC Bulletin 2017-21 and issued OCC BULLETIN 2020-10 Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29 effective March 5, 2020.

We have performed a comparison of the rescinded and newly issued OCC Bulletins and our observations are listed below.

The newly issued OCC Bulletin 2020-10:

  • Includes all fourteen questions and answers from the rescinded OCC Bulletin 2017-21
  • Reflects current AICPA Service Organization Control references and information regarding SOC1 type 2 reports as well as the reliance on various reports, certificates of compliance, and independent audits
  • Reinforces the OCC Bulletin 2013-29 guidance and scope required to build effective Third Party Risk Management (TPRM) programs including clarification of:
    • common misinterpretations
    • management determination of risk associated with third party relationships
    • board of director involvement in critical activities and contract approval
  • Provides expanded terms, definitions, and additional information to support effective TPRM regarding:
    • business arrangements
    • referral arrangements
    • appraisers
    • professional service providers
    • maintenance, catering, and custodial services
    • cloud computing services
    • data aggregation services
    • limited negotiating power in contractual arrangements
    • subservice organizations (fourth parties)
    • fintechs and start-ups
    • compliance management systems
    • model risk management
    • the use of alternative data

Our recommendation:

Financial institutions should ensure that all new and/or updated regulatory guidance is carefully reviewed in its entirety by qualified staff to ensure the guidance is appropriately distributed and implemented within the organization.

The OCC Bulletin 2020-10 is available on the OCC website here:

Contact us to discuss how to make your TPRM program effective and efficient.