Third-Party Relationship Requirements
The OCC has decided to update and in several respects substantively revise 2013 standards on third-party vendors with frequently-asked questions (FAQs) that lay out new official views in an arena of growing importance due to “rent-a-bank” arrangements, cloud computing, the growing use of data aggregators, and other fintech developments. The new FAQs also rescind a 2017 FAQ statement dealing with some of these questions, although all of it is retained largely unchanged.1 As in its prior statements, the OCC here emphasizes that using a vendor or third party to perform a function does not absolve a national bank of its responsibility to ensure effective risk controls, with more due diligence, monitoring, and control needed as the importance of a third-party relationship increases. This obligation is not absolved by a bank’s lack of negotiating power – a common community-bank concern – but new procedures are detailed to make it possible for banks still to do business with third parties in such cases.

VENDOR8.pdf