
OCC Updated Guidance on Third-Party Risk

March 16, 2017

Recently, the Office of the Comptroller of the Currency (OCC) released updated guidance for bank examiners as they scrutinize third-party risk programs in banks and other financial institutions. The OCC’s guidance emphasizes bank examiners’ inspection of banks’ third-party risk programs to ensure that they are effectively managing the risk related to their third parties throughout the lifecycle of third-party relationships, and that banks’ risk management programs are themselves effective in the context of third-party risk.


The updated guidance adds color to the OCC’s previous bulletin on third-party risk that was published in 2013. That bulletin superseded guidance published in 2001. This should make it clear that third-party risk is increasing in its importance and that the practice of third-party risk has changed significantly in the past fifteen years.

Look at how financial institutions process information today. Unlike two decades ago, when nearly all processing was in-house and on-premise, information processing often includes third parties, whether for main account processing or for ancillary tasks that banks decide are too expensive to duplicate in house. The result: third-party organizations routinely do heavy lifting for core functions as well as for features that make the customer experience richer and stickier.

The takeaway is this: third parties have as much to do with information processing as in-house services. The rigor required in managing third parties, including a deep understanding of risk issues and processes to address them, is commensurate with the proportion of work they perform for banks.

Organizations not regulated by the OCC should take notice of this development, for it is a reflection of the growing critical role that third parties play in virtually every organization. There is inherently more risk related to outsourcing information processing than in performing it in-house. While a bank can outsource parts of its operations, it cannot outsource accountability.

For organizations that do not have a mature risk management program, the increased risk associated with outsourcing information processing may represent a great call-to-action: business risks have gone up, and it’s time to develop not only an effective third-party risk program but also a risk management program.


By: Peter Gregory

Director, Information Security
