OCC Bulletin 2013-29 & 2020-10

Banking & Financial Services

Guidance from the Office of the Comptroller of the Currency on managing third-party risks

Overview

OCC Bulletins 2013-29 and 2020-10 outline the expectations for national banks and federal savings associations regarding the effective management of risks associated with third-party relationships. This guidance emphasizes a risk-based approach throughout the entire lifecycle of the relationship.

Bulletin 2020-10 supplements 2013-29 by clarifying that the principles apply to all third-party relationships, not just critical ones, and highlights the importance of governance and independent reviews.

Status

Active - 2013-29 (Oct 2013), 2020-10 (Mar 2020)

Jurisdiction

United States

Regulatory Authority

Office of the Comptroller of the Currency (OCC)

Applicability

National banks and federal savings associations

Key Lifecycle Requirements

The OCC emphasizes managing third-party risks throughout the entire relationship lifecycle.

1. Planning

Before entering into a third-party relationship, banks should develop plans that articulate the strategic purpose and assess the complexity and risks involved.

  • Strategic Alignment: Ensure the relationship aligns with the bank's strategic goals and objectives.
  • Risk Assessment: Identify and assess the inherent risks associated with the activity, including operational, compliance, strategic, and reputation risks.
  • Resource Analysis: Evaluate the bank's capacity to manage the relationship and the associated risks.
  • Cost-Benefit Analysis: Conduct a thorough analysis comparing the benefits versus the costs and risks.

2. Due Diligence & Third-Party Selection

Banks must conduct comprehensive due diligence to assess the third party's ability to perform the activity reliably, securely, and in compliance with laws and regulations.

  • Scope and Depth: Due diligence should be commensurate with the level of risk and complexity of the relationship.
  • Key Areas: Evaluate the third party's financial condition, business experience, reputation, legal/regulatory compliance, operational controls, information security posture, and business continuity/resilience.
  • Subcontractor Review: Assess the third party's ability to manage its own subcontractors (fourth parties).
  • Independent Reviews: Consider independent reviews or certifications (e.g., SOC reports).

3. Contract Negotiation

Contracts should clearly define the rights and responsibilities of each party, address risks, and comply with legal and regulatory requirements.

  • Clear Expectations: Define scope, service levels, performance standards, and responsibilities.
  • Risk Allocation: Address security, data ownership, confidentiality, and liability.
  • Right to Audit: Include provisions for the bank and regulators to access records and conduct audits.
  • Business Continuity: Specify requirements for the third party's business continuity and contingency plans.
  • Default & Termination: Outline conditions for default and termination, including data return/destruction provisions.

4. Ongoing Monitoring

Banks must implement a continuous monitoring process to verify the third party's performance, compliance, and risk profile throughout the relationship.

  • Performance Review: Monitor adherence to SLAs and performance metrics.
  • Risk Reassessment: Periodically reassess risks based on performance, control testing, and changes in the environment.
  • Financial Condition: Monitor the third party's financial stability.
  • Compliance Verification: Ensure ongoing compliance with laws, regulations, and contractual terms.
  • Incident Response: Review the third party's handling of security incidents or service disruptions.

5. Termination

Banks should have strategies for terminating relationships in an orderly manner, whether planned or unexpected.

  • Exit Strategy: Develop and maintain exit strategies, considering transition complexity and potential impacts.
  • Data Management: Ensure secure return or destruction of bank data and records.
  • Contingency Planning: Have plans for transitioning services to an alternative provider or bringing them in-house.
  • Contractual Provisions: Ensure termination rights and processes are clearly defined in the contract.

Oversight and Accountability

The OCC emphasizes strong governance and board involvement.

Board Responsibility

The board of directors has ultimate responsibility for overseeing the bank's risk management processes, including those related to third-party relationships.

Management Accountability

Senior management is responsible for developing and implementing the third-party risk management (TPRM) program, policies, and procedures.

Independent Review

The TPRM process should be subject to periodic independent reviews (e.g., by internal audit) to assess its effectiveness.

Documentation & Reporting

Maintaining comprehensive documentation and providing regular reporting to the board and senior management are crucial.

Additional Resources

Official OCC publications and related materials

OCC Bulletin 2013-29

Original guidance on third-party relationships risk management.

Access document

OCC Bulletin 2020-10

Supplemental guidance clarifying the principles of Bulletin 2013-29.

Access document

FAQs for 2013-29

Frequently Asked Questions regarding OCC Bulletin 2013-29.

Access FAQs

Comptroller's Handbook

Relevant sections of the OCC's handbook on third-party relationships.

Access Handbook

Tools for OCC Compliance

Solutions to help manage third-party risk according to OCC expectations

Lifecycle Management

Platform to manage vendors through planning, due diligence, contracting, monitoring, and termination.

Risk Assessment Module

Tools for conducting inherent risk assessments and due diligence tailored to OCC guidance.

Contract Repository

Centralized system for storing and managing third-party contracts and key clauses.

Continuous Monitoring

Automated monitoring of vendor performance, security posture, and compliance status.

Audit Trail & Reporting

Comprehensive documentation and reporting capabilities for examiners and internal reviews.

Fourth-Party Mapping

Visibility into subcontractor relationships and associated risks.

Strengthen Your TPRM Program for OCC Compliance

Ensure your third-party risk management practices align with OCC expectations.