OCC 2017 FAQ 3 – How should banks structure their third-party risk management process?

Q:  How should banks structure their third-party risk management process?
 
A:  There is no one way for banks to structure their third-party risk management process. OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships. Some banks have dispersed accountability for their third-party risk management process among their business lines. Other banks have centralized the management of the process under their compliance, information security, procurement, or risk management functions. No matter where accountability resides, each applicable business line can provide valuable input into the third-party risk management process, for example, by completing risk assessments, reviewing due diligence questionnaires and documents, and evaluating the controls over the third-party relationship. Personnel in control functions such as audit, risk management, and compliance programs should be involved in the management of third-party relationships. However a bank structures its third-party risk management process, the board is responsible for overseeing the development of an effective third-party risk management process commensurate with the level of risk and complexity of the third-party relationships. Periodic board reporting is essential to ensure that board responsibilities are fulfilled.
 
 
ADDITIONAL INFORMATION:
This information was obtained from the OCC’s Bulletin 2017-21 – Frequently Asked Questions to Supplement OCC Bulletin 2013-29 - https://www.occ.gov/news-issuances/bulletins/index.html
 
