On 3/5/20, the OCC issued updated frequently asked questions (FAQs) to to supplement a 2013 bulletin (2013-29) titled “Third-Party Relationships: Risk Management Guidance.” The new FAQs were issued to clarify the OCC’s existing guidance and reflect evolving industry trends. The new bulletin also rescinds OCC Bulletin 2017-21, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29,” issued on June 7, 2017. The FAQs from OCC Bulletin 2017-21 have been incorporated unchanged into this new bulletin, except for question No. 24, which was updated to reflect current AICPA Service Organization Control report information.

Topics addressed in the new FAQs include

• the terms “third-party relationship” and “business arrangement.”

• when cloud computing providers are in a third-party relationship with a bank.

• when data aggregators are in a third-party relationship with a bank.

• risk management when the bank has limited negotiating power in contractual arrangements.

• critical activities and how a bank can determine the risks associated with third-party relationships.

• bank management’s responsibilities regarding a third party’s subcontractors.

• reliance on and use of third party-provided reports, certificates of compliance, and independent audits.

• risk management when third party has limited ability to provide the same level of due diligence-related information as larger or more established third parties.

• risk management when using a third-party model or when using a third party to assist with model risk management.

• use of third-party assessment services in managing third-party relationship risks.

• a board’s approval of contracts.

• risk management when obtaining alternative data from a third party.

The full OCC bulletin can be found here.