OCC Risk Management Guidance October 2013

October 2013

The Office of the Comptroller of the Currency recently sent a bulletin regarding third-party relationships: OCC 2013-29 – Third-Party Relationships & Risk Management Guidance.


1. A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.

2. A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

3. An effective risk management process throughout the life cycle of the relationship includes:

  • plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
  • proper due diligence in selecting a third party.
  • written contracts that outline the rights and responsibilities of all parties.
  • ongoing monitoring of the third party’s activities and performance.
  • contingency plans for terminating the relationship in an effective manner.
  • clear roles and responsibilities for overseeing and managing the relationship and risk management process.
  • documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
  • independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.


The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. The OCC has identified instances in which bank management has:

• failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships.

• failed to perform adequate due diligence and ongoing monitoring of third-party relationships.

• entered into contracts without assessing the adequacy of a third party’s risk management practices.

• entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues.

• engaged in informal third-party relationships without contracts in place.

These examples represent trends whose associated risks reinforce the need for banks to maintain effective risk management practices over third-party relationships.

ProcessUnity’s Vendor Risk Management solution helps banks and financial institutions comply with OCC guidance and reduces the costs of managing third-party risks. For more information, please read our white paper: Four Keys to Creating a Vendor Risk Management Program That Works


About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.