Understanding OCC third-party risk management guidance and how Halbarad helps

OCC-supervised banks use the interagency third-party risk management guidance through the OCC's supervisory lens. The guidance is risk-based: a bank should tailor planning, due diligence, contracting, monitoring, and termination to the nature and risk of the relationship.

The point is not to treat every vendor the same. The point is to know which relationships matter most and to preserve evidence that the bank is managing those risks.

Official sources

OCC Bulletin 2023-17 transmitted the interagency guidance and rescinded certain prior OCC third-party risk bulletins. Banks should check current OCC materials for supplemental examination context.

What OCC expects banks to understand

The bank remains responsible for risk created by third-party relationships. A third party might support payments, lending, compliance, operations, cloud hosting, technology, customer service, data, or marketing. If the relationship affects safety and soundness, compliance, customers, or operations, the bank needs governance and evidence proportionate to that risk.

What to operationalize

  • risk-based planning before entering the relationship;
  • due diligence and selection based on the provider and activity;
  • contract provisions for performance, rights, confidentiality, security, reporting, audit, subcontracting, continuity, and termination;
  • ongoing monitoring of performance, controls, incidents, complaints, changes, and issues;
  • termination and transition planning for important relationships;
  • board and management oversight of significant risk and program performance.

Evidence to maintain

  • Third-party inventory and risk tiering.
  • Critical activity or high-risk relationship analysis.
  • Due diligence, approval, contract review, and monitoring evidence.
  • Issues, incidents, remediation, complaints, and provider changes.
  • Exit and contingency plans.
  • Management and board reporting.

Common gaps

  • Critical activity analysis is not documented clearly enough for examiners.
  • Contract requirements do not become operational monitoring tasks.
  • The bank reviews providers annually but misses acquisitions, outages, cyber events, or subcontractor changes between reviews.
  • Exit plans are too generic for services the bank could not quickly replace.

How Halbarad helps

Halbarad helps OCC-supervised banks maintain a single third-party record with relationship risk, evidence, contracts, monitoring, issues, and exit posture.

Halbarad can support provider diligence, Nth-Party Discovery, continuous monitoring, approval routing, residual-risk records, remediation, reporting, and audit trail. It helps evidence the program; it does not replace OCC supervisory judgment.

Disclaimer

This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.