Rapid Ratings Blog

OCC Issues Bulletin 2017-21, an FAQ to Supplement Guidance on Third-Party Relationships

Posted by RapidRatings on August 14, 2017

New bulletin clarifies role of fintechs and emphasizes need to evaluate financial condition throughout the lifecycle


In the four years since the Office of the Comptroller of the Currency (OCC) issued Bulletin 2013-29 on managing third-party relationships, the bulletin’s lack of prescriptive instruction left banks and federal savings associations questioning how best to operationalize the OCC’s guidance to maintain compliance and avoid the dreaded MRAs (Matters Requiring Attention), or worse.

On June 7, 2017, the OCC issued Bulletin 2017-21 with fourteen frequently asked questions to supplement the existing guidance, providing clarity on the role of fintech companies and on conducting due diligence and ongoing monitoring of the financial condition for ALL third-party relationships, not just critical ones.

4 Key Takeaways on Financial Condition from OCC’s Bulletin 2017-21

1. Financial condition of ALL third parties must be assessed at the onset AND throughout the relationship – According to the FAQ, “banks should consider the financial condition of their third parties during the due diligence stage of the life cycle before the banks have selected or entered into contracts or relationships with third parties.” Not only does financial health assessment need to be a part of the due diligence process, but “assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle” as well, per FAQ question No. 8.
2. Yes, you must assess private third parties (including fintechs) – As banks become more reliant on financial technologies to perform critical operations, the OCC expects banks to include fintech companies in the risk management process. Understanding that fintechs are often start-up companies with limited financial information, the FAQ makes it clear that their financial condition must still be considered. “Because it may be receiving limited financial information, the bank should have appropriate contingency plans in case the start-up fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities or services.” In order to meet compliance requirements, banks can no longer allow private companies to hide behind their private status.
3. Payment history is not sufficient; you need to look at actual financial statements – Bulletin 2013-29 stated that banks must evaluate the financial condition of third parties, “including reviews of the third party’s audited financial statements.” The FAQ went on to define this evaluation of financial condition as considering a company’s “funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party’s overall financial stability,” all of which can be found in a company’s financial statements. Payment history, on the other hand, looks only at a company’s historical trend of trade credit. Using payment history by itself is too narrow and limiting to give you the comprehensive financial analysis you need.
4. Automation achieves consistency and scale – Considering the number of third parties that banks must evaluate, as outlined in FAQ question No. 4, banks may take advantage of tools that “offer standardized approaches to perform due diligence and ongoing monitoring of third-party service providers” to help meet the expectations for managing third-party risk specified in OCC Bulletin 2013-29.

Banks need to have a pulse on each of their third parties, regardless of the level of risk

One major clarification concerns the degree of diligence to give third parties that fall outside of the “critical” designation. While Bulletin 2013-29 highlighted that risk management efforts should be commensurate with the level of risk that the third-party relationship poses, the FAQ dives a little deeper to distinguish the expectations. For third-party relationships that support a bank’s critical activities, “the OCC expects that due diligence and ongoing monitoring will be robust, comprehensive, and appropriately documented.” For third parties that “bank management determines to be low risk, management should follow the bank’s board-established policies and procedures for due diligence and ongoing monitoring.”

The major takeaway here is that the OCC “expects banks to perform due diligence and ongoing monitoring for all third-party relationships,” not just critical third parties, and that the level of that diligence is a board issue. It is critical that banks have a pulse on each of their third parties. The key distinction is that different levels of risk may be evaluated at different frequencies, as prescribed by the board.


Monitoring changes in financial condition is a requirement throughout the relationship

In Bulletin 2013-29, the OCC declared that banks must evaluate the financial condition of third parties with reviews of their audited financial statements at the onset of each relationship. When it came to ongoing monitoring, though, the OCC left it to the discretion of the bank to decide which of the outlined due diligence activities continued, ensuring once more that they were adapted to the level and types of risk associated with the third-party relationship. The FAQ addressed this in part by specifically stating that “assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle.”

The OCC’s expectation in Bulletin 2013-29 that banks “engage in a robust analytical process to identify, measure, monitor, and control the risks associated with third-party relationships and to avoid excessive risk taking that may threaten a bank’s safety and soundness” left banks questioning which relationships to include and what types of assessments to perform. Taking the above clarifications together, however, shows that banks need to be assessing the financial condition of all their third parties, not just the ones they deem critical. Moreover, these financial assessments aren’t a one-and-done exercise during the due diligence stage; rather, they should be an ongoing practice before and for the duration of the relationship.


Topics: Financial Services, Regulatory Compliance, Third-Party Risk Management