Complying with OCC’s TPRM Guidance: A Guide for Community Banks

The Office of the Comptroller of the Currency (OCC) plays a vital role in ensuring the safety and soundness of the American banking system. A key component of this mission involves managing risks associated with relationships with third-party vendors and service providers. 

In OCC Bulletin 2024-11, titled “Third-Party Relationships: A Guide for Community Banks,” The Office of the Comptroller of the Currency (OCC) outlines its expectations for national banks and federal savings associations regarding third-party risk management (TPRM). This guide serves as a resource for bank management, aligning with the principles outlined in the “Interagency Guidance on Third-Party Relationships: Risk Management”

This article explores the key takeaways from the OCC’s Third-Party Risk Management (TPRM) Guidance, a comprehensive framework designed to help community banks navigate these risks effectively.

The Importance of a Risk-Based Approach

The OCC’s TPRM Guidance emphasizes a risk-based approach to managing third-party relationships. This means the level of oversight applied to a third party should be proportional to the level of risk it introduces. 

Higher-risk activities, especially those involving critical bank operations or customer data, require more rigorous risk management practices. Community banks can tailor their TPRM practices based on their size, complexity, and overall risk profile.

The Continuous Risk-management Lifecycle

The guide recommends a continuous life cycle approach to managing third-party relationships. This means there are distinct stages a relationship goes through, and effective TPRM involves managing risks at each stage. The five key stages are:

1. Planning: Carefully assessing potential risks associated with a new third-party relationship before entering into a contract. This includes considering the nature of the activity, compliance requirements, internal capabilities, and potential exit strategies.
2. Due Diligence and Third-Party Selection: Conducting a thorough assessment of a potential third party’s ability to perform the required activity, adhere to regulations, and safeguard confidential information.
3. Contract Negotiation: Establishing a formal written agreement that clearly defines roles, responsibilities, service level expectations, termination clauses, data security protocols, and information sharing practices.
4. Ongoing Monitoring: Continuously monitoring the performance and risk posture of the third party. This may involve reviewing periodic reports, conducting audits, and reevaluating risks as circumstances change.
5. Termination: Developing a robust plan for terminating relationships with third-party providers, ensuring a smooth transition and minimal disruption to bank operations.

Governance in Third-Party Risk Management

The OCC places ultimate responsibility for third-party risk management with the bank’s board of directors. The board is responsible for overseeing management’s implementation of effective TPRM practices. Management, in turn, is accountable for developing and implementing a TPRM program commensurate with the bank’s risk appetite and the complexity of its third-party relationships.

The guide emphasizes three key governance practices for effective TPRM:

1. Oversight and Accountability: Clear roles and responsibilities for managing third-party risks are established, with the board of directors holding management accountable.
2. Independent Reviews: Periodic independent assessments are conducted to verify the effectiveness of the bank’s TPRM processes.
3. Documentation and Reporting: Effective documentation and reporting on third-party relationships are crucial for internal and external oversight.

Key Resources for Community Banks

The OCC’s TPRM Guidance provides a wealth of resources for community banks of all sizes. Here are some of the key highlights:

• Identifying High-Risk Relationships: The guide highlights the importance of identifying critical activities and third parties involved in those activities. Factors to consider when assessing risk include access to sensitive data, processing transactions, and providing essential technology or business services.
• Sample Considerations During Planning: The guide offers a range of questions a bank should consider during the planning stage. These questions cover understanding the relationship, risk management practices, financial considerations, technology integration, third-party access and controls, customer interaction, information security, and exit strategies.
• Due Diligence Considerations: The guide outlines a range of questions a bank should consider when evaluating a third party, including financial and operational capability, policies, processes, and controls, information security, past performance and risk factors, experience with similar services, and potential sources of information for due diligence.
• Contract Negotiation Considerations: The guide highlights key considerations for contract negotiation, such as comprehensiveness, termination and continuity clauses, governance and oversight protocols, information sharing and security, data access and recovery, business continuity, and risk exposure. The guide also offers resources to aid in contract negotiation, such as risk assessment findings, service level agreements, and access to third-party reports.
• Termination Considerations: The guide emphasizes the importance of managing the termination process efficiently, regardless of the reason. It outlines key considerations when terminating a relationship, including the impact on operations and compliance, financial implications, alternatives, internal readiness for in-sourcing, intellectual property, data access and removal, transition risks and controls, and information sources for effective termination.