If you’re in a regulated industry, you know it can be challenging to stay informed of the different third-party risk management (TPRM) rules and guidance. Agencies often update their existing guidance with supplemental information, as is the case with OCC Bulletin 2017-7.
This blog will cover some helpful tips that you can use to keep you in compliance with this guidance.
About Bulletin 2017-7
In early 2017, the Office of the Comptroller of the Currency (OCC) released this guidance as a follow-up to Bulletin 2013-29, which is considered the gold standard for TPRM practices. Bulletin 2017-7 specifically addresses how examiners must review TPRM at federal banks and federal savings associations. The document is a highly detailed playbook of items that examiners should consider when reviewing a TPRM program.
Unlike some regulatory guidance that exempts certain financial institutions based on asset size, this guidance applies to all organizations regulated by the OCC.
6 Actions to Comply with OCC Bulletin 2017-7
So, what do you need to do to make sure you’re in compliance with 2017-7? Here are six recommended actions:
- Compare it with your TPRM program: Make a side-by-side comparison of this exam procedure guideline with your existing TPRM program, and note anything your program is missing.
- Inform your team: Senior leadership and the board should be informed of this updated guidance, so they understand the expectations.
- Involve your legal and audit teams: Make sure to bring in your legal and audit teams to perform a review of your policy, program, and procedures alongside the updated guidance. Having extra eyes on the guidance will help you avoid missing any critical details.
- Look for weaknesses: Consider if your program has any areas that need additional attention, staffing, or resources.
- Test the procedures: The procedures contain a list of questions that examiners are expected to ask banks about their third-party relationships. Review the questions to make sure you have adequate and well-documented answers.
- Report your findings: Document this all carefully and report the results to your senior leadership team and the board.
The procedures are sweeping and detailed and require great attention. When your next examination rolls into town, you’ll need to be prepared to meet these heightened expectations.
Going Beyond Compliance
Meeting regulatory compliance is, of course, an important goal for your TPRM activities. However, it’s also important to consider the other benefits of an effective program:
- Risk mitigation – One of the fundamental objectives in TPRM is detecting a vendor’s risk and mitigating it through proper controls. Due diligence and risk assessments are just two activities that help achieve this goal.
- Quality control – TPRM involves many activities, some of which are directly related to the quality of your vendor’s products and services. Things like performance monitoring and contract management help ensure that your vendors are providing the benefits you expect to your organization and customers.
- Operational resilience – Business-disrupting events can occur at any time, but TPRM activities can help you prevent significant impacts to your operations. Reviewing your critical vendors’ business continuity and disaster recovery plans and making sure they’re fully tested will help support resiliency in your organization.
Even if you’re not regulated by the OCC, it’s a smart business decision to implement these guidelines within your own TPRM program. Doing so will help mature your program and demonstrate that you’re using best-in-class practices.