Do You Meet the OCC’s 2020 Vendor Relationship Expectations?

The Office of the Comptroller of the Currency (OCC) legislates that a financial institution’s “use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with
applicable laws and regulations.”

But the OCC’s bulletins on third-party risk management (TPRM) have led to confusion, partly due to the industry evolution which has fueled the need for clarification over the years.

Released on March 5, Bulletin 2020-10 republishes items issued in Bulletin 2017-21. That 2017 Bulletin was itself a clarification of the seminal industry third-party risk management guidance given by the OCC in Bulletin 2013-29. The latest Bulletin 2020-10 is again formatted in a frequently asked questions (FAQs) style in an attempt to clarify existing guidance and describe evolving industry trends and regulations.

Key takeaways from the new Bulletin are clarifications on a broader definition of third-party vendors, expectations of vendor review, and alternative evaluation methods to achieve adequate oversight of third-party risk. How can you keep up with these new requirements and ensure your third-party risk management program is in compliance with the OCC?

Critical themes in Bulletin 2020-10

The recurring theme throughout the update is that you need to widen your scope in assessing third parties and that all vendors need to be financially evaluated, says Jay Fitzhugh, Chief Regulatory Officer for Mitratech.

The definition of third-party vendors has become very broad. “Now it is being interpreted to encompass relationships that might not even involve contracts,” says Fitzhugh, including:

  • Referral arrangements
  • Appraisers and appraisal management companies
  • Professional service providers, such as attorneys
  • Maintenance, catering, and custodial service companies
  • Data aggregators

With regards to expanded review requirements, “In our experience, 98 out of 100 organizations have a risk-based approach to third-party financial evaluations,” he says. “They aren’t evaluating the financial condition of small, low risk, or insignificant vendors, but per the Bulletin, this could lead to program criticism.”

The OCC’s clarifying language on financial evaluations and vendor requirements indicate that many organizations have struggled with previous guidance. How can you make sure you’re gathering the necessary data to go above and beyond the OCC’s standards? A VRM solution with vendor due diligence capabilities can help you evaluate your vendors’ finances and track vendors of any size.

Prepare for the OCC’s guidelines

A vendor risk management (VRM) solution with the right the tools and functionalities can help you meet the requirements of Bulletin 2020-10:

  • The Bulletin states in point 4 that data aggregators are still the financial institution’s responsibility even if there is no direct service or business arrangement.

“The problem is financial institutions don’t always know who these data aggregators are,” says Fitzhugh. “These aggregators work independently with an institution’s clients to access and export a client’s financial information.”

To address this lack of visibility to these providers, find a VRM solution with a vendor due diligence content bundle that allows financial institutions to evaluate industry-leading data aggregators in one centralized place.

  • In the Bulletin point 17, “This segment of clarification defines that all third-party vendors require an evaluation of financial condition that must be performed during vendor due diligence and in ongoing continuous monitoring,” says Fitzhugh. “The explicit expansion of the vendor portfolio for appraisers, attorneys, and consultants, coupled with the requirement of the financial condition evaluation, is likely an expansion of existing vendor risk management efforts for most banks.”

The Bulletin goes on to define alternative methods in evaluating factors that may affect a third party’s overall financial stability, such as their:

  • Access to funds
  • Funding sources
  • Earnings
  • Net cash flow
  • Expected growth
  • Projected borrowing capacity

The OCC’s new interpretation sets a high bar for financial evaluations that can be met through vendor due diligence and evaluation capabilities of a flexible VRM solution that can define required third-party vendor review components.

Defend yourself against vendor and enterprise risk: Learn about our best-in-class VRM/ERM solutions.