OCC Issues Third-Party Risk Management Exam Procedures
January 25, 2017 / Source: OCC
OCC BULLETIN 2017-7
Subject: Third-Party Relationships
Date: January 24, 2017
To: Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
Description: Supplemental Examination Procedures
The Office of the Comptroller of the Currency (OCC) is issuing examination procedures to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. The supplemental procedures promote consistency when examining national banks and federal savings associations' (collectively, banks) risk management of third-party relationships. These procedures expand on the core assessment contained in the “Community Bank Supervision,” “Large Bank Supervision,” and “Federal Branches and Agencies Supervision” booklets of the Comptroller’s Handbook. These procedures use the concepts and definitions contained in OCC Bulletin 2013-29, including appendix A. Appendix B of OCC Bulletin 2013-29 provides additional guidance about third-party risk management practices in specific areas.
Note for Community Banks
These procedures may be used during examinations of a bank’s risk management of third-party relationships.
These procedures are designed to help examiners
- tailor the examination of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships.
- assess the quantity of the bank’s risk associated with its third-party relationships.
- assess the quality of the bank’s risk management of third-party relationships involving critical activities.
- determine whether there is an effective risk management process throughout the life cycle of the third-party relationship.
Please contact Judi McCormick, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, at (202) 649-6550.
Bethany A. Dugan
Deputy Comptroller for Operational Risk