OCC Bulletin 2023-17

In 2023, the OCC released comprehensive and specific instructions on third-party risk management. This new guidance supersedes all previous instructions. The bulletin aims to assist banks, including national banks and federal savings associations, in evaluating and controlling the risks involved in their partnerships with external entities. A third-party relationship refers to any formal or informal business agreement between a bank and another organization.

“Regardless of a banking organization’s approach, applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight is key for effective risk management. It is important for each banking organization to assess risks presented by each of its third-party relationships and tailor its risk management processes accordingly.” (Page 9)

“With respect to commenters focused on steps to limit the burdens of due diligence, including collaboration with other banking organizations and engaging with third parties that specialize in conducting due diligence, the agencies note that such collaborative efforts could be beneficial and reduce burden, especially for community banking organizations, and have made certain clarifying revisions to the guidance in that regard. However, use of any collaborative efforts does not abrogate the responsibility of banking organizations to manage third-party relationships in a safe and sound manner and consistent with applicable laws and regulations (including antitrust laws). It is important for the banking organization to evaluate the conclusions from such collaborative efforts.” (Page 17)