OCC Bulletin 2021-42

In 2023, the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency collectively issued a regulatory guidance document that provides a comprehensive framework for banking organizations to manage their third-party relationships.

The document provides a framework for assessing and managing risks associated with third-party relationships. This includes identifying, assessing, and mitigating known and emerging threats and vulnerabilities. Banking organizations with limited resources for security often depend on support from third parties or on security tools provided by third parties to assess information security risks.

“Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third-party service providers that support critical activities.”

“The board of directors and management are responsible for overseeing the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews.”