Third Party Risk Management

OCC Supervisory Priorities and Objectives – 2023

The Office of the Comptroller of the Currency (OCC) released its supervision priorities and objectives for its fiscal year 2023 (October 1, 2022 – September 30, 2023). OCC managers and staff use this plan to guide their supervisory priorities, planning, and resource allocations.

To whom does this announcement apply?

Individual national banks Third Party service providers
Federal savings associations Federal Branches
Agencies of foreign banking organizations (collectively, banks)

The OCC continues to use a risk-based supervision with heightened focus in 2023 on the following areas.

Safety and soundness, and fairness Operational resilience and cybersecurity
Third parties and related concentrations Credit
Allowances for credit losses (ACL) Interest rate risk
Liquidity risk management Consumer compliance
Bank Secrecy Act (BSA), anti-money laundering (AML) and Office of Foreign Assets Control (OFAC) Fair Lending
Community Reinvestment Act (CRA) New products and services
Climate-related financial risks

Important Area of Note

Third-party relationships are called out in two ways: the financial institution’s use of and controls surrounding third-party relationships AND the controls that a third party deploys.

Management, clear contractual terms, and controls surrounding third-party relationships remain vital. Conducting a deep dive into the critical relationships, including full documentation of how an institution determines who is and is not a critical partner (including a periodic refresh of the inventory), is important to have on hand as the regulatory definition of vendors/third parties is purposefully broad.

Examiners will look for cyber-related risks that may develop because of a third-party relationship, evaluation of the institution’s review of the third-party’s own cybersecurity risk management and resilience skills, and whether all parties in this relationship have qualified staff that can meet the contractual obligations.

If you are unclear of your own institution’s preparedness, contact Fortrex Technologies today for conversation.