Risk management guidance on third party relationships

January 30, 2014

Examiners have always expected banks and credit unions to perform appropriate vendor due diligence prior to engaging a third party. But with its October 2013 guidance, Third-Party Relationships, the OCC provided definitions and guidelines that serve as a risk management framework for OCC banks.

As the announcement points out, banks face new and increased operational, compliance, reputation, strategic and credit risks when entering into an agreement with a third party, especially when the agreement covers “critical activities.” As such, the OCC asks banks to develop a risk management process proportionate to the level of risk within the relationship.

A third-party relationship is defined as a business arrangement between a bank and an outside entity, by contract or otherwise. Some examples are tax, legal, audit or information technology. When a bank enters into agreements with third parties, it is the responsibility of board members and senior management to ensure that contracted activities fall in line with regulatory guidance and uphold safety and soundness for the institution.

“Critical activities” are described as significant bank functions, services or activities that could have a major impact on the bank’s operations. Comptroller of the Currency Thomas Curry explains: “We have concerns regarding the quality of risk management on the growing volume, diversity, and complexity of banks’ third-party relationships, both foreign and domestic. This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner.” The new guidance set forth by the OCC supersedes prior Bulletin 2001-47, “Third Party Relationships: Risk Management Principles” and OCC Advisory Letter 2009-9, “Third-Party Risk.”

When circumstances warrant, the OCC will apply corrective measures to ensure banks’ relationship management standards are appropriate, and these measures could include enforcement actions, special examinations and the assessment of civil money penalties.

On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. While the Federal Reserve’s guidance is less comprehensive than the new guidance set forth by the OCC, many of the themes are similar.

For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper: Risk Management Guidance on Third Party Relationships.

About the Author


Raleigh, N.C.-based Sageworks, a leading provider of lending, credit risk, and portfolio risk software that enables banks and credit unions to efficiently grow and improve the borrower experience, was founded in 1998. Using its platform, Sageworks analyzed over 11.5 million loans, aggregated the corresponding loan data, and created the largest
