Use Software to Follow OCC 2023-17 Interagency Risk Guidance

The Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have issued new third-party risk management (TPRM) guidance, OCC 2023-17, to help banking organizations manage third-party risk. This interagency TPRM guidance supersedes the previous OCC guidance on managing third-party relationships, OCC 2013-29, and provides principles that organizations can adapt to their specific needs throughout the full relationship lifecycle. 

Who does this guidance apply to? 

According to the guidance itself, the document “addresses any business arrangement between a banking organization and another entity, by contract or otherwise.” This means that if a third-party organization does work for a banking organization, even if the two do not exchange money, and even if there is no contract between them, the banking organization can be held responsible for issues at the other company. 

What does the guidance cover? 

First, it lays out general principles for running a “safe and sound” TPRM program. The document asserts the responsibility of banking organizations to meet regulatory and legal requirements within its vendor ecosystem to the same extent as if the work was happening internally. After all, it doesn’t make a difference to your customers or legislators whether you allowed for an internal data breach or that breach happened at a partner organization—either way, the customer entrusted data to your organization, and it was compromised. 

The guidance then covers the principles of risk management: organizations must maintain an inventory of third-party relationships and assess the risk inherent to each. Then, the company must identify its critical activities and the third parties that support them to prioritize their management efforts and address the most critical risks as soon as possible. The guidance stresses that organizations must have a sound methodology for determining which third parties must receive more focused oversight than others. 

The guidance then details the full third-party lifecycle: 

1. Planning—Understanding the strategic purpose of a relationship and its associated risks, then determining the banking organization’s ability to manage this risk and outlining contingency plans in the case of a risk event. 

2. Due Diligence and Third-Party Selection—Assessing third parties’ ability to perform as expected and adhere to a banking organization’s policies before selecting which organization you will work with. 

3. Contract Negotiation—Deciding whether a written contract is needed, negotiating risk management and oversight provisions and negotiating to ensure that your needs are met. 

4. Ongoing Monitoring—Evaluating the quality of a third party’s controls over time, escalating issues and responding to concerns when identified. 

5. Termination—Managing risks associated with data retention and destruction, transitioning activities to another third party or bringing operations in-house. 

Next, it outlines three risk management governance practices that organizations should conduct throughout the TPRM lifecycle: 

1. Oversight and Accountability—The board of directors has ultimate responsibility for ensuring that the company’s risk managers set an appropriate risk appetite and approve the right policies. There should be policies in place to help the board review contracts and direct risk management activities. 

2. Independent Reviews—Banking organizations should independently review third parties’ alignment with company strategy, risk management practices and the adequacy of their own policies. This review may influence decisions regarding which third parties a company works with and how they manage their relationships moving forward. 

3. Documentation and Reporting—Companies must be prepared to report key risk management data both internally, to the board and key stakeholders, and to third parties. 

How does technology help? 

By using a strong TPRM platform like ProcessUnity for Third-Party Risk Management, a banking organization can quickly assess its policies and adhere to this guidance. By automating third-party onboarding and due diligence, organizations are able to continuously monitor their existing vendors and providing configurable reporting in seconds, the ProcessUnity platform makes good TPRM governance more efficient and effective.