OCC Issues FAQs on Third-Party Risk Management

The OCC today clarified its expectations for banks’ management of relationships with third-party providers, including fintech firms, cloud services providers and data aggregators. The agency published a set of FAQs intended to supplement 2013 guidance on third-party risk management and reflect evolving industry trends.

With respect to data aggregation, the FAQs establish that banks that have business arrangements with data aggregators should conduct due diligence and ongoing monitoring commensurate with the risk these providers pose to the bank. The OCC noted that determining whether a bank has a business relationship with a data aggregator “depends on the level of formality of any arrangements that the bank has with the data aggregator for sharing customer-permissioned data.”

However, the guidance also noted that even in instances where banks are not receiving a direct service from a data aggregator and there is no business arrangement, there is still risk that should be managed. For example, the agency noted that banks should be engaging in risk management activities around screen-scraping activities—which typically involve customers sharing their bank login credentials with data aggregators.

“[B]ank management should perform due diligence to evaluate the business experience and reputation of the data aggregator to gain assurance that the data aggregator maintains controls to safeguard sensitive customer data,” the OCC said.