Third-Party Vendor Best Practices

Nikki Kook, Marketing and New Business Coordinator

According to the OCC, a third-party relationship is defined as “any business arrangement between a bank and another entity, by contract or otherwise.” OCC Bulletin 2013-29 recommends that a community bank’s board and management ensure risk management practices are in place throughout the relationship’s life cycle. The level of risk management should correlate to the complexity and importance of each task. These risk management practices should be applied at each of the following stages of the relationship: pre-planning, selection, plan execution, ongoing monitoring and contingency planning.

Third Party Vendor

Do your homework. Conduct due diligence on all potential third parties before making the selection and entering into a contract. Do your due diligence on the potential third party’s:

  • Ability to conduct business in compliance with all applicable laws and regulations.
  • Alignment with the bank’s strategic goals, objectives and risk appetite. Consider reviewing the third party’s service philosophies and employment policies and practices.
  • Adherence to the bank’s desired frequency and format of the service, product or function provided.
  • Impact on the bank’s relationship with its customers. If the third party has direct contact with your customers or access to your customers’ data, ensure a privacy statement and a security plan are in place.
  • Reputation, by conducting reference checks. This includes reviewing their previous experience providing the specific service and assessing their history of customer complaints or litigation.

After a thorough background check of the potential third parties, the bank and the selected third party must agree on a contract.

  • Senior management should obtain board approval before the contract is signed.
  • Clearly define expectations, roles and responsibilities of each party to the contract.
  • The bank and the third party should agree on success metrics. For example, accuracy and compliance may be more important than speed and volume.
  • Agree to indemnification and insurance clauses.
  • Ensure the third party has an information security program and a plan for mitigating known and possible threats, including data breaches and client data usage.

Plan Execution

Proper documentation and reporting facilitate the accountability, monitoring and risk management associated with third-party relationships. This documentation should help the bank and the third party:

  • Decide which kinds of activities should be presented to and approved by the bank’s board of directors before implementation.
  • Make it clear that employees and personnel from the third party should escalate significant issues to senior management.
  • State how the third party may use the bank’s information—such as technology and intellectual property (logo, trademark, etc.).
  • Specify whether the bank or the third party is responsible for responding to customer complaints relating to the task.

Ongoing Monitoring

Conditions change and new obstacles arise, so the bank should ensure its ongoing monitoring adapts accordingly. Ensure the contract establishes the bank’s right to:

  • Audit compliance, review agreed upon metrics, monitor performance and require remediation when issues are identified
  • Change the frequency and types of required reports from the third party
  • Require periodic independent internal or external audits of the third party and relevant subcontractors at a frequency consistent with the function’s complexity
  • Report results to senior management, who then ensure the results are reported to the board

Contingency Plan

Review the third party’s succession plan for the key management and support personnel working on your account. Also, consider the bank’s contingency plans in the event the bank needs to transition the activity to another third party or bring it in-house. These plans should include:

  • Timely notification requirements to ensure the orderly conversion to another third party while still managing legal, regulatory, customer and other impacts that might arise
  • Timely return or destruction of the bank’s data to maintain privacy obligations
  • Assignment of all costs associated with the transition and termination

In addition to the bank’s own risk management at these stages, the OCC may use its authority to examine the functions or operations performed by a third party on the bank’s behalf. Note that the OCC also has the authority to charge the bank a fee for such a special examination or investigation.

The OCC expects the bank to practice risk management at all stages of the third-party relationship. Banks are also expected to scale their risk management in proportion to the task’s complexity. Without an effective third-party risk management process, the bank could be engaging in an “unsafe and unsound banking practice.”

The full text of OCC Bulletin 2013-29 is available on the OCC website.