In July of 2013, several government agencies released a joint request for comment to their Proposed Interagency Guidance on Third-Party Relationships: Risk Management. The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC) announced this as a response to requests within the industry for aligned approaches to third-party risk management (TPRM) guidance. The deadline for comment submission is this week, on September 17th.
This guidance will seek to create cohesive, uniform assessment standards between these regulators. The request for comments focuses on the concepts in the 2020 OCC FAQ (OCC Bulletin 2020-10, Third Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29), and should be included in any final guidance that would be helpful to banking organizations.
What the Request for Comments Covers
The FDIC, OCC, and FRB have actively been seeking comments on their proposed guidance in order to promote consistency and provide clear, risk-based procedures and processes for TPRM. The request for comments focuses on the following areas:
Tailored Approach to TPRM:
This guidance will seek to provide a framework on risk management principles banking organizations can use when developing and implementing practices for all stages of the TPRM lifecycle. These will consider the complexity and level of risks, the size of the organization, and the nature of these vendor relationships. This guidance will include best practices for smaller, less complex organizations to help them adopt practices and procedures appropriate to their level of risk and program maturity.
Third-Party Relationships:
This area for comment examines the nature of third-party relationships within banking organizations, focusing specifically on technology vendors, and areas where compliance and operational infrastructure are affected, including customer service, fraud detection, and anti-money laundering (AML). Questions asked include:
What can the proposed guidance provide for banking organizations when they manage risks related to third parties?
What revisions to the proposed guidance can be made to help organizations assess their risks as technologies evolve?
How can the guidance help banking organizations examine the risks associated with vendors that engage with end customers?
What third-party risk best practices are most useful when considering regulatory compliance?
Due Diligence and Collaborative Arrangements:
The proposed guidance takes time to acknowledge that multiple banking organizations can use the same third party, and that collaboration could be beneficial in order to improve overall risk management and lower costs. Collaboration during due diligence, contract negotiation, and ongoing monitoring can benefit all in terms of sharing resources and knowledge. Requests for comments ask banking organizations to provide insights into how the proposed guidance can help this process.
Subcontractors:
While third-party risk management is becoming more acknowledged, subcontractor (4th party and beyond) relationships can still be overlooked. When companies do not include subcontractors in their TPRM programs they leave themselves vulnerable to supply chain risks. The proposed guidance will cover contract negotiations and due diligence when working with a 4th party and will include procedures related to storing of information, confidentiality, and conflicting contractual arrangements. The areas for comment ask organizations to provide insights into how the proposed guidance can provide more clarity on performing due diligence for subcontractors, and what factors should be considered when a company is faced with subcontracting within their third-party relationships.
Information Security:
This area of the proposed guidance will provide consistent principles and regulations related to information security of third-party relationships, including assessing and mitigating vulnerabilities. This will acknowledge the dependency many banking organizations have on their third parties. Questions asked in the request for comments include: What information should the proposed guidance include regarding how an organization assesses a third-party’s information security, and their inherent risks?
OCC’s 2020 FAQs:
The request for comments also includes areas that can be expanded upon within the OCC’s 2020 FAQ, and the best ways to incorporate these concepts.
What the Proposed TPRM Guidance Will Cover
In addition to the areas where comments are requested, listed above, the Proposed Guidance on Third-Party Relationships will take an interagency approach to the following risk management areas:
Planning:
Prior to entering into a third-party relationship, banking organizations should examine all vendor risks and implement a plan to manage the relationship. This guidance will provide deeper insights into examining the benefits and risks of the third parties, aligning to the strategic purpose of the business, the nature of interaction with customers, potential information security risks, and more.
Due Diligence and Third-Party Selection:
Performing due diligence prior to contracting with a third party is necessary in order to gauge a vendor’s ability to perform their service, adhere to policies, comply with laws, and operate safely. Due diligence also provides insights into the risks they bring an organization, and where it affects critical activities. The proposed guidance will provide further insights into what factors due diligence should cover including, regulatory compliance, financial condition, qualifications, risk management, information security, operational resilience, incident reporting, physical security, insurance coverage, and more.
Contract Negotiation:
Contract negotiation is a critical part of any third-party relationship as it sets responsibilities and provisions. Contracts with third parties can be complex, and it can be sometimes difficult to negotiate terms that satisfy the organization’s needs. The proposed guidance will cover factors contributing to this including, nature and scope, performance benchmarks, responsibilities and roles, right to audit and remediation, responsibility for compliance, confidentiality, indemnification, business continuity, dispute resolution, and more.
Oversight and Accountability:
The board of directors and management for banking organizations are responsible for overseeing third-party risk management processes, implementation, and accountability. The proposed guidance will provide an outline of these responsibilities for the board of directors, management, independent reviews, and documentation and reporting.
Ongoing Monitoring:
In addition to initial due diligence, ongoing monitoring is critical to TPRM as it monitors the duration of the vendor relationship. Ongoing monitoring is particularly important in higher-risk third-party relationships often seen in banking, and helps organizations to re-assess existing relationships, examine changing risks throughout the lifecycle, and determine the type and frequency of reports and assessments needed to effectively manage the relationship. The proposed interagency guidance will provide ongoing monitoring insights such as the effectiveness of third-party relationships, changes to business strategy, a third party’s financial condition, the adequacy of insurance coverage, legal and regulatory updates, and more.
Termination:
If a banking organization needs to terminate a vendor relationship for any reason it is important to manage these efficiently, and securely. The proposed guidance will cover factors to consider during this process including resources needed to transition activities, data retention and destruction risks, information system connections, handling of intellectual property, potential operational or customer disruptions, and more.
TPRM Guidance That Organizations Can Implement Now
While there is no formalized interagency guidance yet, and comments are still being submitted, there are considerations and best practices that banks can act on today in order to boost their organizational resiliency and strengthen their TPRM programs.
Know who your third parties are, and what they do:
The first step to managing third-party risks is to gain a comprehensive understanding of who your vendors are, how dependent you are on them, and how/if they interact with customers. Identifying all of your third parties and what they do is critical for understanding the risks and vulnerabilities they can present to your operations.
Know your subcontractors:
As outlined in the proposed guidance, banking organizations are not only reliant on their third parties, but their fourth parties (their vendors’ subcontractors). Without this understanding, companies leave themselves vulnerable to issues such as cyberattacks, supply chain disruptions, and penalties. Tools such as TPRM software help companies understand the complexities of their third-party relationships so that if an issue were to occur regarding a subcontractor, companies are made aware of it and can take steps to manage it.
Perform due diligence and ongoing monitoring:
Risks related to third parties don’t disappear after your organization contracts with them. Due diligence should be risk-based and appropriate to the risk profile of the vendor. Performing ongoing due diligence and ongoing monitoring helps manage risks or changes as they occur.
If you have any questions regarding managing complex third-party relationships, our experts are on hand to assist. You can also browse our resources at any time for thought-leadership content that’s at your fingertips.
Hannah Tichansky
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.
Hannah holds over 12 years of writing and marketing experience, with 6 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.