
Understanding the OCC's Approach to Third-Party Risk Management

March 11, 2020



The Office of the Comptroller of the Currency (OCC) is an independent bureau within the United States Department of the Treasury that was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and thrift institutions and the federally licensed branches and agencies of foreign banks in the United States.1

The Main Areas of Focus

The main objectives of the OCC include:

  • To ensure the safety and soundness of the national banking system;1

  • To foster competition by allowing banks to offer new products and services;1

  • To improve the efficiency and effectiveness of OCC supervision especially to reduce the regulatory burden;1

  • To ensure fair and equal access to financial services to all Americans;1

  • To enforce anti-money laundering and anti-terrorism finance laws that apply to national banks and federally licensed branches and agencies of international banks;1 and

  • To investigate misconduct committed by institution-affiliated parties of national banks, including officers, directors, employees, agents and independent contractors (including appraisers, attorneys and accountants).1

What is the OCC Bulletin 2013-29?

On March 5, 2020 the Office of the Comptroller of the Currency (OCC) released Bulletin 2020-10, a supplement to OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. The OCC Bulletin 2013-29 addresses risk management of third-party relationships. It states that a third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.2


The procedures in OCC Bulletin 2013-29 are designed to help examiners:

  • Tailor the examination of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships.2

  • Assess the quantity of the bank’s risk associated with its third-party relationships.2

  • Assess the quality of the bank’s risk management of third-party relationships involving critical activities.2

  • Determine whether there is an effective risk management process throughout the life cycle of the third-party relationship.2

"When a bank does not receive all the information it seeks about third-party service providers that support the bank’s critical activities, the OCC expects the bank’s board of directors and management to:3

  • develop appropriate alternative ways to analyze these critical third-party service providers.3

  • establish risk-mitigating controls.3

  • be prepared to address interruptions in delivery (for example, use multiple payment systems, generators for power, and multiple telecommunications lines in and out of critical sites).3

  • make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants.3

  • retain appropriate documentation of all their efforts to obtain information and related decisions.3

  • ensure that contracts meet the bank’s needs."3

How Does it Impact Fintechs and Financial Institutions?

Financial Institutions Using Data Aggregation

If a financial institution works with a third-party data aggregator to enhance its products with better data, that relationship is considered a business arrangement under the OCC Bulletin 2013-29. In these types of third-party relationships, risk management procedures including due diligence and monitoring should be put in place.

Sharing customer-permissioned data:

A financial institution works with a data aggregator to share customers’ information, with the customer’s approval. In this business relationship, the customer authorizes the sharing of information and the bank typically is not receiving a direct service or financial benefit from the third party.

How Does it Improve the Financial Industry?

Empowers Customers

Customer-permissioned data gives customers power over what information they want shared and what they’d rather keep private.

Safer data sharing

Anonymized, single-use digital tokens make it safer to share information than traditional screen scraping where users put in their full credentials.

More transparency

API connections give financial institutions more clarity into what data is being shared and who it’s shared with, so they can keep their customers’ information safe and comply with the OCC’s expectations around reasonable assurances and controls.

Better relationships

Data sharing is fast becoming one of the main ways for financial institutions and fintechs to create better products and customer experiences.

Negative outcomes of not following regulations

Possible negative outcomes of not following regulations include strategic, reputation, operational, compliance, and liquidity risk.

How MX Aids Banks with their 3P Compliance

Partners with banks for strong authentication mechanisms

With OAuth credential verification, financial institutions’ customers don’t have to give MX their credentials. In this way, the financial institution remains in control of its customers’ login flow and experience from beginning to end. Customers are also able to log into their financial institution’s website, see where they’ve used their credentials to sign in, and delete websites that they no longer want to share their login information with. Furthermore, because OAuth verification is one of the cleanest ways to prove where information is coming from, by requiring an established relationship with that provider, it helps financial institutions comply with Bulletin 2020-10. For the many banks that don’t support OAuth yet, MX has a comprehensive fraud detection program to detect potential abuse of their customers’ accounts.

Bases its security program on the same security frameworks that banks are audited against

MX uses the NIST Cybersecurity Framework to organize its security program. This is the same framework used by the FDIC and FFIEC when assessing bank security. Because of this, MX’s security program aligns very closely with what banks are doing themselves, which streamlines third-party risk assessments and provides confidence to our customers that we will continue to improve our program in the same manner that regulators will request that they do.

Control Evidence

  • We publish a SOC2 type II report to existing and prospective clients. The report covers security, availability, confidentiality, and privacy.

  • We are audited annually for compliance with the PCI-DSS

  • We routinely work with clients to supply evidence of controls upon request

Third party risk management

  • Rigorous practices for initial and ongoing due diligence of our third parties

    • CIS based control assessment

    • SOC2 type II reports (security, availability, confidentiality, privacy, and processing integrity)

    • PCI attestations of compliance
