OCC 2017 FAQ 5 – When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually?

Q:  When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually to meet the expectations in OCC Bulletin 2013-29?
 
A:  While collaborative arrangements can assist banks with their responsibilities in the life cycle phases for third-party risk management, each individual bank should have its own effective third-party risk management process tailored to each bank’s specific needs. Some individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as
  • integrating the use of product and delivery channels into the bank’s strategic planning process and ensuring consistency with the bank’s internal controls, corporate governance, business plan, and risk appetite.
  • assessing the quantity of risk posed to the bank through the third-party service provider and the ability of the bank to monitor and control the risk.
  • implementing information technology controls at the bank.
  • ongoing benchmarking of service provider performance against the contract or service-level agreement.
  • evaluating the third party’s fee structure to determine if it creates incentives that encourage inappropriate risk taking.
  • monitoring the third party’s actions on behalf of the bank for compliance with applicable laws and regulations.
  • monitoring the third party’s disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank’s disaster recovery and business continuity plans.
 
 
ADDITIONAL INFORMATION:
This information was obtained from OCC Bulletin 2017-21 – Frequently Asked Questions to Supplement OCC Bulletin 2013-29: https://www.occ.gov/news-issuances/bulletins/index.html
 
