
OCC Updated Guidance on Third-Party Risk

March 16, 2017

Recently, the Office of the Comptroller of the Currency (OCC) released updated guidance for bank examiners as they scrutinize third-party risk programs in banks and other financial institutions. The OCC’s guidance emphasizes bank examiners’ inspection of banks’ third-party risk programs to ensure that they are effectively managing the risk related to their third parties throughout the lifecycle of third-party relationships, and that banks’ risk management programs are themselves effective in the context of third-party risk.


The updated guidance adds color to the OCC’s previous bulletin on third-party risk that was published in 2013. That bulletin superseded guidance published in 2001. This should make it clear that third-party risk is increasing in its importance and that the practice of third-party risk has changed significantly in the past fifteen years.

Look at how financial institutions process information today. Unlike two decades ago, when nearly all processing was in-house and on-premises, information processing now often includes third parties, whether for main account processing or for ancillary tasks that banks decide are too expensive to duplicate in house. The result: third-party organizations routinely do the heavy lifting for core functions as well as for features that make the customer experience richer and stickier.

The takeaway is this: third parties have as much to do with information processing as in-house services. The rigor required in managing third parties, including a deep understanding of risk issues and processes to address them, is commensurate with the proportion of work they perform for banks.

Organizations not regulated by the OCC should take notice of this development, for it is a reflection of the growing critical role that third parties play in virtually every organization. There is inherently more risk related to outsourcing information processing than in performing it in-house. While a bank can outsource parts of its operations, it cannot outsource accountability.

For organizations that do not have a mature risk management program, the increased risk associated with outsourcing information processing may represent a great call-to-action: business risks have gone up, and it’s time to develop not only an effective third-party risk program but also a risk management program.

By: Peter Gregory

Director, Information Security
