Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


OCC Issues New Guidance on Third-Party Risk Management

2 min read
Featured Image

On Mar 5, 2020, the Office of the Comptroller of the Currency (OCC) issued updated guidance on third-party risk management. Within the new guidance they’ve added to the frequently asked questions (FAQs) section that was in Bulletin 2017-21. Bulletin 2020-10 offers little new information other than an update to a question; however, it's still important to discuss what you need to know. For the most part, it’s Bulletin 2017-21 guidance restated. 

OCC Bulletin 2020-10 Highlights

Bulletin 2020-10 rescinds Bulletin 2012-21 and continues to address many topics through FAQs. Per the OCC, addressed in the FAQs are the following 12 topics:

  • The terms “third-party relationship” and “business arrangement”
  • When cloud computing providers are in a third-party relationship with a bank
  • When data aggregators are in a third-party relationship with a bank
  • Risk management when the bank has limited negotiating power in contractual arrangements
  • Critical activities and how a bank can determine the risks associated with third-party relationships
  • Bank management’s responsibilities regarding a third party’s subcontractors
  • Reliance on and use of third party-provided reports, certificates of compliance, and independent audits
  • Risk management when third party has limited ability to provide the same level of due diligence-related information as larger or more established third parties
  • Risk management when using a third-party model or when using a third-party to assist with model risk management
  • Use of third-party assessment services in managing third-party relationship risks
  • A board’s approval of contracts
  • Risk management when obtaining alternative data from a third-party

It’s important to put emphasis on that there is only one slight update to a frequently asked question. It’s question 24 which now reflects current American Institute of Certified Public Accountants (AICPA) Service Organization Control report information. Otherwise, the fundamental principles of third-party risk that have echoed since the OCC issued Bulletin 2013-29 on Oct 30, 2013, and the supplemental bulletins 2017-7 and 2017-21, remain in place.

Your Course of Action

When a new bulletin is issued it's important to review it and, even if it turns out to be quite minor changes such as this one, it's still crucial to be paying attention, just in case. There's danger in ignoring updates to third-party risk guidance. 

For now, remember that sticking to the standard requirements of third-party risk management is always the best course of action. Rigor and discipline around your program are the keys to success. While we always appreciate new bulletins and new clarifications, unless the fundamentals change, my advice to you is to stay the course and keep your program in order.

Dive deeper into learning how the industry is currently managing third-party risk. Download the whitepaper.

New call-to-action

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo