
How OCC Manages Third-Party Risk

By Kirstin Wells, Vice President, Enterprise Risk Management
August 4, 2016

As a Systemically Important Financial Market Utility (SIFMU) and the foundation for secure markets, OCC is one of the few market utilities that considers third-party risk in a broad context. It is common to think of vendor risk when thinking of third-party risk; however, OCC considers its third-party risk in five pillars: clearing members, settlement banks and liquidity providers, exchanges, other financial market utilities, and critical vendors.

As a SIFMU, OCC is subject to Title VIII of Dodd-Frank, part of which requires supervisory agencies to promulgate risk management standards for SIFMUs that are based on the Principles for Financial Market Infrastructures (PFMI). One key theme in the PFMI is the risk posed by interconnectedness. OCC relies on its interconnected third-party relationships to deliver its core clearing, settlement and risk management services, and just as OCC relies on those third parties, they rely on OCC. As a result, our enterprise risk management framework considers both the risks we bear from our third-party connections and the risks we pose to them.

An example of third-party risk management is cyber risk, which is a top risk in the financial services industry. Cyber risk management is both inward- and outward-facing at OCC: we have a system of safeguards and controls to keep our systems safe and ensure continuity of clearing services in the event of a cyber disruption, and we monitor for cyber risks that we are exposed to from linkages to our interconnected third parties.

At OCC, we take seriously our role as the foundation for secure markets and will continue our purpose of ensuring confidence in the financial markets and broader economy through sound third-party risk management.

To learn more about OCC's thought leadership on industry issues, visit OCC's Blog.

Categories: Cyber Security, Operational Risk Management, Risk Management