
Third-Party Risk Management Guidance, Regulations & Standards

In the world of third-party risk management, organizations need to navigate a complex and expanding web of guidance, standards and regulations. Here, you can explore an overview of major industry standards and regulations that can help you ensure third-party compliance and build a more resilient business.

Regulators have made clear that third parties should attest to and align with your compliance, ethics, and risk management standards and obligations. Aravo enables customers to easily capture, update, manage and retain third-party attestations and certifications against these regulations and other ethics and compliance standards.

Financial Services

Office of the Comptroller of the Currency (OCC), USA

OCC Bulletin 2002-16

The bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank’s operations.

“As with domestic outsourcing arrangements, the board of directors and senior management are responsible for understanding the risks associated with the bank’s outsourcing relationships with foreign-based service providers and ensuring that effective risk management practices are in place.”

“Specifically, before a national bank contracts for the services of a foreign-based service provider, it should properly assess the associated risks and exercise appropriate due diligence, including careful consideration of contract matters and choice of law and forum provisions. Additionally, the bank should have in place sufficient risk management policies, performance monitoring and oversight processes, expertise, and access to critical information to enable it to properly oversee the risks of the outsourcing relationship, including country and compliance risks.”

OCC Bulletin 2017-7 – Supplemental Examination Procedures

In 2017, the OCC issued Bulletin 2017-7 which provides detail into the procedures that may be used during examinations of a bank’s risk management of third-party relationships.

“These procedures are designed to help examiners:

  • tailor the examination of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships.
  • assess the quantity of the bank’s risk associated with its third-party relationships.
  • assess the quality of the bank’s risk management of third-party relationships involving critical activities.
  • determine whether there is an effective risk management process throughout the life cycle of the third-party relationship.”

OCC Bulletin 2021-40

In 2021, the OCC issued Bulletin 2021-40 which provides information relating to six common areas of due diligence discussed in existing supervisory guidance. This guide was published by the OCC, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) to provide community banks with information that may be relevant when conducting due diligence on financial technology companies.

The guide is designed for community banks. Although the guide discusses community bank relationships with fintech companies, the content may be useful for banks of any size and for other types of third-party relationships.

“Engaging a third party does not diminish a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including federal consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.”

“During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.”

OCC Bulletin 2021-42

In 2023, the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency collectively issued a regulatory guidance document that provides a comprehensive framework for banking organizations to manage their third-party relationships.

The document provides a framework for assessing and managing risks associated with third-party relationships, including identifying, assessing, and mitigating known and emerging threats and vulnerabilities. Banking organizations with limited security resources often depend on support from third parties, or on security tools provided by third parties, to assess information security risks.

“Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third-party service providers that support critical activities.”

“The board of directors and management are responsible for overseeing the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews.”

OCC Bulletin 2023-17

In 2023, the OCC released comprehensive and specific guidance on third-party risk management. This new guidance supersedes all previous instructions. The bulletin aims to assist banks, including national banks and federal savings associations, in evaluating and controlling the risks involved in their relationships with external entities. A third-party relationship refers to any formal or informal business arrangement between a bank and another organization.

“Regardless of a banking organization’s approach, applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight is key for effective risk management. It is important for each banking organization to assess risks presented by each of its third-party relationships and tailor its risk management processes accordingly.” (Page 9)

“With respect to commenters focused on steps to limit the burdens of due diligence, including collaboration with other banking organizations and engaging with third parties that specialize in conducting due diligence, the agencies note that such collaborative efforts could be beneficial and reduce burden, especially for community banking organizations, and have made certain clarifying revisions to the guidance in that regard. However, use of any collaborative efforts does not abrogate the responsibility of banking organizations to manage third-party relationships in a safe and sound manner and consistent with applicable laws and regulations (including antitrust laws). It is important for the banking organization to evaluate the conclusions from such collaborative efforts.” (Page 17)

The information contained on this page is for reference and informational purposes only. As such, Aravo expressly disclaims any and all legal and professional liability associated with the content and any suggestions and/or recommendations provided therewith.
