US Regulators Tighten Third-Party Risk Rules for Banks

Marcus Webb
⚡ Key Takeaways
  • The OCC, Federal Reserve, and FDIC jointly issued Bulletin 2023-17, establishing a unified framework for third-party risk management applicable to all OCC-supervised institutions.
  • Banks must now conduct rigorous due diligence and continuous oversight across the full lifecycle of every third-party relationship — from vendor selection through contract termination.
  • Fintech firms, cloud providers, and technology vendors serving US banks face heightened scrutiny and must be prepared to meet elevated transparency and audit requirements.

What the Interagency Guidance Establishes

The Office of the Comptroller of the Currency (OCC), alongside the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation (FDIC), published Bulletin 2023-17 — a landmark piece of interagency guidance replacing and consolidating prior fragmented advisories on third-party risk. Effective upon issuance in 2023, the guidance applies to all OCC-supervised national banks, federal savings associations, and federal branches of foreign banks operating within US jurisdiction. For the first time, all three principal federal banking regulators have aligned under a single, coherent risk management standard, eliminating the compliance ambiguity that had long plagued institutions managing multi-regulator relationships.

The guidance defines a third-party relationship broadly — encompassing any business arrangement between a bank and another entity, whether formalised by contract or not. This deliberately expansive definition captures cloud infrastructure providers, core banking technology vendors, payment processors, data analytics firms, and a wide range of fintech partnerships that have proliferated across the industry over the past decade.

The Full Lifecycle Compliance Obligation

At the core of Bulletin 2023-17 is the expectation that regulated institutions implement a risk management lifecycle framework covering six distinct stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, termination, and oversight by the board and senior management. Regulators are explicit that risk management cannot be a point-in-time exercise — banks are required to maintain continuous, documented oversight for the duration of every material third-party engagement. Institutions that rely on third parties for critical activities, defined as functions that could cause significant disruption if they failed, face the most stringent obligations under the framework.

“Banks must apply more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities.”

Implications for Fintech and Technology Vendors

The downstream impact on fintech companies and technology vendors is substantial. Any firm providing services to a US nationally chartered bank must now anticipate that its banking clients will demand far greater contractual transparency, audit rights, incident reporting protocols, and subcontractor disclosure than has historically been standard practice. Vendors that cannot satisfy these requirements risk contract non-renewal or exclusion from competitive procurement processes. For UAE-based and MENA-region fintechs seeking US banking partnerships, demonstrating robust internal controls and compliance posture has shifted from a differentiator to a baseline entry requirement.

Board-Level Accountability and Governance Requirements

Bulletin 2023-17 places explicit governance accountability at the board and senior management level, requiring that leadership not only approve third-party risk policies but actively oversee their implementation. Boards are expected to review and approve arrangements involving critical activities, receive regular management reporting on third-party performance and risk exposure, and ensure that internal audit functions independently assess the overall third-party risk management programme. This positions third-party oversight as a fiduciary responsibility, not merely an operational compliance checkbox.

Enforcement Posture and Supervisory Expectations

While the guidance is non-binding in the statutory sense, it carries significant supervisory weight. OCC examiners are expected to assess bank compliance with these principles during routine examinations, and deficiencies identified in third-party risk programmes can result in Matters Requiring Attention (MRAs) or, in serious cases, formal enforcement actions. Banks operating at the intersection of traditional finance and emerging technology — particularly those with extensive Banking-as-a-Service (BaaS) or embedded finance arrangements — should treat this guidance as near-regulatory in its practical effect.

🔍 TechSyntro Take

Bulletin 2023-17’s full-lifecycle mandate is a direct response to the explosive growth of BaaS and embedded finance models, where banks have increasingly delegated critical functions to lightly regulated technology intermediaries. For fintech operators with US banking clients, the compliance cost of maintaining audit-ready documentation, subcontractor registers, and incident response protocols will rise materially — but those that invest now will hold a structural competitive advantage in securing and retaining institutional partnerships. The alignment of OCC, Fed, and FDIC under one standard also signals that fragmented regulatory arbitrage across federal charters is no longer a viable risk management strategy.
