A footnote in OCC Bulletin 2013-29 provides examples of business arrangements (third-party relationships), such as activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which the bank has an ongoing relationship or may have responsibility for the associated records. As part of due diligence and ongoing monitoring, bank management should determine whether a third party appropriately oversees and monitors its subcontractors. 14. The agencies may pursue appropriate corrective measures, including enforcement actions, to address violations of law and regulations or unsafe or unsound banking practices by the banking organization or its third party. Additionally, the OCC's model risk management guidance contains important principles, including those that may leverage alternative data. Stipulate whether and how often the banking organization and the third party will jointly test business continuity plans. Collaboration can result in increased negotiating power and lower costs to banks during the contract negotiation phase of the risk management life cycle. Reflect the associated risks in the overall assessment of the banking organization's risk profile. If so, what are the third-party risk management expectations? In general, the OCC will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information provided such as name and address information, email addresses, or phone numbers. Overview of Proposed Guidance on Third-Party Relationships, IV.
These third-party service providers also provide assistance to the banks and the banks' customers (for example, payment authentication, delivering payment account information to customers' mobile devices, assisting card networks in processing payment transactions, developing or managing mobile software (apps) or hardware, managing back-end servers, or deactivating stolen mobile phones). 20. Some banks outsource maintenance or monitoring or use third parties to automate data collection and management processes (for example, to file compliance reports under the Bank Secrecy Act or for mortgage loan application processing or disclosures). Where applicable, determine whether the third party's internal audit function independently and effectively tests and reports on the third party's internal controls. Banks should expect the third party to conduct ongoing performance monitoring and outcomes analysis of the model, disclose results to the bank, and make appropriate modifications and updates to the model over time, if applicable. Screen scraping: A common method for data aggregation is screen scraping, in which a data aggregator uses the customer's credentials (that the customer has provided) to access the bank's website as if it were the customer. When third parties, such as fintechs, start-ups, and small businesses, have limited due diligence information, the bank should consider alternative information sources. Bank management should understand and evaluate the results of validation and risk control activities that are conducted by third parties. Consider whether a third party periodically conducts thorough background checks on its senior management and employees, as well as on subcontractors, who may have access to critical systems or confidential information.
Under OCC Bulletin 2013-29, critical activities can include significant bank functions (e.g., payments, clearing, settlements, and custody), significant shared services (e.g., information technology), or other activities that.
In these examples, the fintech company is considered to have a third-party relationship with the bank that falls under the scope of OCC Bulletin 2013-29. Effective monitoring activities enable banking organizations to confirm the quality and sustainability of the third party's controls and ability to meet service-level agreements (for example, ongoing review of third-party performance metrics). (Originally FAQ No. Assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle. Risk does not depend on the size of the third-party relationship. Could cause a banking organization to face significant risk if the third party fails to meet expectations; require significant investment in resources to implement the third-party relationship and manage the risk; or. (Originally FAQ No. Banks should have the appropriate personnel, processes, and systems so that they can effectively monitor and control the risks inherent within the marketplace lending relationship. OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during due diligence and ongoing monitoring. The information in this list is consistent with the Interagency Policy Statement on the Use of Alternative Data in Credit Underwriting. Capabilities, resources, and the time frame required to transition the activity while still managing legal, regulatory, customer, and other impacts that might arise; Potential third-party service providers to which the services could be transitioned; Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party relationship; Handling of joint intellectual property developed during the course of the business arrangement; and.
could cause a bank to face significant risk if the third party fails to meet expectations. The data aggregator typically uses automated scripts to capture various data, which is then provided to the customer or a financial technology (fintech) application that serves the customer or some other business. The compensation may also be non-financial such as cross-marketing. 17. When reviewing third party risk management, examiners typically: When circumstances warrant, the agencies may use their authorities to examine the functions or operations performed by a third party on the banking organization's behalf. These efforts may include research to confirm ownership and understand business practices of the firms; direct communication to learn security and governance practices; review of independent audit reports and assessments; and ongoing monitoring of data-sharing activities. 1. What should a bank consider when entering a marketplace lending arrangement with nonbank entities? Bank management should have as much knowledge in-house as possible, in case the third party or the bank terminates the contract, or if the third party is no longer in business. Some individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as. OCC Bulletin 2013-29 states that a third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise. The proposed guidance is intended to provide principles that are useful for a banking organization of any size or complexity and uses the concept of critical activities to help banking organizations scale the nature of their risk management activities. What other aspects of third-party relationships, if any, should the guidance consider?
Ongoing monitoring occurs after the third-party relationship is established and often leverages processes similar to due diligence. 1464(d)(7)(D)(ii) and 1867(c)(2). Collaboration may facilitate banking organizations' due diligence of particular third-party relationships by sharing expertise and resources. The agencies are including the OCC's 2020 FAQs, released in March 2020, as an exhibit, separate from the proposed guidance. This statement may have been misunderstood as meaning a bank may not enter into relationships with third parties that do not meet the bank's lending criteria. This guidance offers a framework based on sound risk management principles that banking organizations may use in developing practices appropriate for all stages in the risk management life cycle of a third-party relationship based on the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. make sure completed work is incorporated into the bank's model risk management and third-party risk management processes. Data aggregators are entities that access, aggregate, share, or store consumer financial account and transaction data that they acquire through connections to financial services companies. with third parties, including technology companies, to serve a range of purposes. 23, a SOC 1, type 2, report may be particularly useful, as standards of the American Institute of Certified Public Accountants require the auditor to determine and report on the effectiveness of the client's internal controls over financial reporting and associated controls to monitor relevant subcontractors. or engage in joint efforts for performing due diligence to meet its established assessment criteria.
A banking organization typically considers the following factors, among others, for ongoing monitoring of a third party: A banking organization may terminate a relationship for various reasons specified in the contract, such as expiration of or dissatisfaction with the contract, a desire to seek an alternate third party, a desire to bring the activity in-house or discontinue the activity, or a breach of contract. Whether a bank has a business arrangement with the data aggregator depends on the level of formality of any arrangements that the bank has with the data aggregator for sharing customer-permissioned data.
The degree of due diligence should be commensurate with the risk to the bank from the third-party relationship.
ffiec guidance for managing third-party risk