On October 30, 2013, the OCC published a broad update of its guidance regarding national banks and their third-party relationships.  The guidance also applies to federal savings associations ("FSAs") and extends the coverage of various prior OCC releases to FSAs.  In Bulletin 2013-29, the OCC maintains the central theme of its predecessor, Bulletin 2001-47 (now rescinded), published more than a decade ago, but updates the agency's guidance on planning, due diligence, contracting, monitoring, and reporting in order to address the increased reliance by national banks and FSAs on third parties to complete critical tasks, and the risks that accompany that reliance.  (The 2013 Bulletin also expressly rescinds the OCC's 2000 advisory letter on third-party risk (AL 2000-9).)

Specifically, the 2013 Bulletin adds the notion of a risk management lifecycle, a concept aimed at ensuring safety and soundness in the face of continual change in third-party service providers and in the functions they undertake on behalf of national banks and FSAs.  This lifecycle includes termination, oversight, and an independent review process.  In addition, the 2013 Bulletin cautions that when outsourced processes are moved back in-house or cancelled, institutions must consider the transitional impact on the safety and soundness of their operations.  Institutions must set out clear management responsibilities and ensure that those responsibilities are being met.  And institutions must maintain an independent review process in order to assess the third-party risks associated with their vendor relationships and to determine whether their risk management process is adequate to maintain those relationships in a sound manner.


Comparison of guidance (table; only the column and row headings survive in this copy):
Columns: OCC Oct. 2013 Guidance; FDIC June 2008 Guidance; OCC Nov. 2001 Guidance
Rows: Third Party Risk Factors; Due Diligence/Structuring; Contract Issues; Oversight Accountability²; Independent Reviews³

The 2013 Bulletin supplements prior OCC and other agency guidance on third-party relationships, which we have discussed in previous PLA posts, including the following:

FDIC Clarifies its Supervisory Approach to Payment Processor Relationships (Oct 2013)

FTC Order Against Fraudulent Payment Processor Joins Growing List of Regulatory Actions Involving Third Party Service Providers (Mar 2013)

Regulatory Action Against First Bank of Delaware Reinforces BSA and AML Concerns with Third-Party Relationships (Dec 2012)

FFIEC Releases New Booklet for the Supervision of Technology Service Providers (Nov 2012)

CFPB’s First Enforcement Action Warns Financial Institutions About Liability for Third Party Activities on their Behalf; Related Compliance Bulletin Offers Guidance (July 2012)

OCC Issues Guidance on the Mechanics of Third-Party Service Agreements for Prepaid Access Programs (Sept 2011)

¹ Focuses on efficient termination of third-party relationships and whether functions previously contracted out will be transitioned, internalized, or discontinued.
² Guidance on the responsibilities of financial institution directors, management, and staff, focusing on level-specific oversight functions.
³ Guidance on the process of reviewing third-party risk management processes throughout the relationship.