OCC Issues FAQs on Bank Risk Management for Third-party Providers

June 13, 2017

The Office of the Comptroller of the Currency recently issued 14 frequently asked questions on risk management around third-party providers.

The major driver in publishing the FAQs was to explain how banks interact with newer fintech companies. Many banks have been reluctant to share information with these start-ups, even when customers give their approval, due to security concerns. For more on the FAQs, check out this analysis from the law firm Ballard Spahr.

While the FAQs are not directed at title and settlement companies, they do provide some parallels. Some of the more relevant FAQs are:

OCC Bulletin 2013-29 defines third-party relationships very broadly and reads like it can apply to lower-risk relationships. How can a bank reduce its oversight costs for lower-risk relationships?

The OCC's response to this question is that, while banks need to do due diligence on all third parties, this does not mean a one-size-fits-all approach. "Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each relationship. The goal is for the bank's risk management practices for each relationship to be commensurate with the level of risk and complexity of the third-party relationship."

How should banks structure their third-party risk management process?

On this question, the OCC responded that banks should structure their programs to meet their needs and the risk of each business line. "There is no one way for banks to structure their third-party risk management process. OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships."

Can a bank rely on a third party's Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 (SSAE 18)?

Responding to this question, the OCC notes the value of reviewing third-party assessments, but cautions that the bank needs to evaluate how the assessment fits into the bank's established controls. "In meeting its due diligence and ongoing monitoring responsibilities, a bank may review a third party's SOC report [and] a bank may find the third party's SSAE 18 report particularly useful. A bank should consider whether an SSAE 18 report contains sufficient information and is sufficient in scope to assess the third party's risk environment."

The FAQs are similar to, although more detailed than, the bulletin published last year by the CFPB. If you have any questions, email Steve Gottheim, ALTA's senior counsel.
