OCC Guidance on Third-Party Relationships


How does the OCC differentiate between “high risk” and “low risk” third-party relationships, and how does the risk management process differ between these two categories?



OCC Bulletin 2013-29 defines “high risk” third-party relationships as “critical activities [that] include significant bank functions (e.g., payments, clearing, settlements, and custody) or significant shared services (e.g., information technology) or other activities that:

  • Could cause a bank to face significant risk if the third party fails to meet expectations;
  • Could have significant customer impacts;
  • Require significant investment in resources to implement the third-party relationship and manage the risk; and/or
  • Could have a major impact on bank operations if the bank needs to find an alternate third party or if the outsourced activity has to be brought in-house.”

However, delivery of services deemed “critical activities” does not automatically categorize the relationship as “high risk.” It is the responsibility of bank management to evaluate the level of risk and complexity of each of its third-party relationships on a continual basis and adjust its risk management practices for each relationship in accordance with this assessment.


While the OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships, the level of this review may differ between “high-risk” and “low-risk” third-party relationships. The OCC expects a more comprehensive and rigorous oversight and management protocol for high-risk relationships, which should include robust, comprehensive, and appropriately documented due diligence, as well as ongoing monitoring. For low-risk relationships, bank management should follow previously-established policies and procedures developed by its Board of Directors for due diligence and ongoing monitoring.