OCC Bulletin 2023-17 is the primary regulatory framework for third-party risk management at national banks and federal savings associations. It rescinds and replaces OCC Bulletin 2013-29 and adopts the interagency guidance on third-party relationships issued jointly by the OCC, FDIC, and Federal Reserve in 2023. For community banks regulated by the OCC, it sets the expectations for what ongoing vendor monitoring must look like.
The Lifecycle Requirement
The most important concept in the interagency guidance is the third-party relationship lifecycle. The guidance requires risk management activity at every stage: planning (before entering a new vendor relationship), due diligence (before signing the contract), contract negotiation (ensuring adequate risk provisions), ongoing monitoring (throughout the relationship), and termination (when the relationship ends). Most community banks have something in place for due diligence and contract negotiation. The ongoing monitoring requirement is where the gap is most common and most frequently documented in examination findings.
What Ongoing Monitoring Must Cover
The OCC guidance specifies that ongoing monitoring should be commensurate with the risk level and criticality of the third-party relationship. For critical vendors (those providing services that are significant to the bank's operations or that involve customer data), the guidance expects monitoring to be frequent and comprehensive. This includes reviewing the vendor's financial condition, monitoring for regulatory actions against the vendor, reviewing audit reports and certifications, and assessing whether the vendor's controls remain adequate as the relationship evolves.
The Risk-Based Tiering Requirement
The guidance does not require identical monitoring frequency for all vendors. It requires a risk-based approach: critical and significant vendors receive more frequent, more thorough monitoring than routine vendors. Banks are expected to document their tiering criteria and apply them consistently. An examiner reviewing vendor risk management will check whether the bank has a documented tiering framework and whether the monitoring frequency matches the tier assignments.
What Examiners Are Looking For
Based on documented examination findings, examiners are most commonly citing: absence of documented ongoing monitoring for critical vendors, OFAC screening applied to customers but not to vendors, financial health monitoring that consists only of annual questionnaires, and no process for detecting adverse events between scheduled review cycles. The Banking Vendor Risk AI Agent addresses all four citations with daily automated monitoring, OFAC screening, financial health tracking, and real-time adverse event detection.