There is a huge patchwork of guidance, standards and regulations that should be taken into account in your third-party risk management program. Here we provide an overview of the most relevant and common ones. In addition to guidance on third-party risk management itself, there is also a large body of regulations and standards that you will want to ensure your third parties comply with.
Aravo allows companies to collect attestations and certifications from third parties in respect of compliance with these and other laws and standards. What the regulators have made quite clear is that while you can outsource activities, you cannot outsource or neglect the associated compliance obligations.
Office of the Comptroller of the Currency (OCC), USA
Over the years, the Office of the Comptroller of the Currency (OCC) has issued a series of bulletins that have provided guidance on how banks (and their examiners) should approach third-party risk.
OCC Bulletin 2013-29
The OCC issued explicit and detailed guidance on Third-party Risk Management in 2013. It rescinded all previous guidance. The bulletin provides guidance to national banks and federal savings associations (collectively, banks) for assessing and managing risks associated with third-party relationships. A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.
“The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third-parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
“A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships. A bank should ensure risk management and oversight of third-party relationships involving critical activities.”
In 2017, the OCC issued Bulletin 2017-7, which details the procedures that may be used during examinations of a bank’s risk management of third-party relationships.
“These procedures are designed to help examiners:
tailor the examination of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships.
assess the quantity of the bank’s risk associated with its third-party relationships.
assess the quality of the bank’s risk management of third-party relationships involving critical activities.
determine whether there is an effective risk management process throughout the life cycle of the third-party relationship.”
In 2020, the OCC also issued frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29.
“The OCC expects a bank to practice effective risk management regardless of whether the bank performs an activity internally or through a third party. A bank’s use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations. A bank’s third-party risk management should be commensurate with the level of risk and complexity of its third-party relationships; the higher the risk of the individual relationship, the more robust the third-party risk management should be for that relationship.”
FED SR 13-19 / CA 13-21: Guidance on Managing Outsourcing Risk
This guidance issued by the Federal Reserve in 2013 addresses the characteristics, governance, and operational effectiveness of a financial institution’s service provider risk management program for outsourced activities beyond traditional core bank processing and information technology services. The guidance applies to all service provider relationships regardless of the type of bank activity that is outsourced.
“The use of service providers does not relieve a financial institution’s board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations. Policies governing the use of service providers should be established and approved by the board of directors, or an executive committee of the board.”
Federal Financial Institutions Examination Council, USA
FFIEC includes five banking regulators—the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC Information Technology Examination Handbook (IT Handbook) comprises 11 booklets that provide guidance for examiners.
Various sections of the Handbook cover third-party risk, including:
FFIEC IT Examination Handbook: Vendor and Third-Party Management
“Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”
FFIEC IT Examination Handbook Appendix J: Strengthening the Resilience of Outsourced Technology Services
This section of the Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook focuses specifically on the business continuity risks created by the use of third parties. In particular, the document says that financial services firms remain responsible for the business continuity risks posed by their third parties. The document also addresses cyber-resilience issues.
“Many financial institutions depend on third-party service providers to perform or support critical operations. These financial institutions should recognize that using such providers does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. The responsibility for properly overseeing outsourced relationships lies with the financial institution’s board of directors and senior management. An effective third-party management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing.”
Guidance for Managing Third-Party Risk / FIL-44-2008
Published in 2008, the Federal Deposit Insurance Corporation (FDIC) guidance provides a general framework that the regulator wants financial services firm boards of directors and senior management to use to provide appropriate oversight and risk management of significant third-party relationships. It outlines some key risks that can arise from third-party relationships and a third-party risk management framework.
“Financial institutions often rely upon third-parties to perform a wide variety of services and other activities. An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”
New York State Department of Financial Services, USA
Cybersecurity requirements for financial services companies (23 NYCRR 500)
This state-level set of regulations focusing on cyber risk and cybersecurity became effective in 2017. Among other requirements, it asks covered financial services firms to perform risk assessments and due diligence on third parties’ cybersecurity practices.
The Consumer Financial Protection Bureau (CFPB), USA
The CFPB is responsible for consumer protection in the financial sector. Part of its expectation is that institutions will treat customers fairly – directly and through any third parties they choose to engage with. In particular, there are implications for third-party risk management through its enforcement of UDAAP, or Unfair, Deceptive or Abusive Acts or Practices. The CFPB stresses the need for thorough oversight of third-party service providers.
Monetary Authority of Singapore (MAS), Singapore
MAS – Guidelines On Outsourcing (issued 2016)
Issued in 2016, the Outsourcing Guidelines provide expanded guidance to the industry on prudent risk management practices for outsourcing, including cloud services.
“Outsourcing does not diminish the obligations of an institution, and those of its board and senior management to comply with relevant laws and regulations in Singapore, it is thus important that an institution adopts a sound and responsive risk management framework for its outsourcing arrangements.”
The European Banking Authority (EBA) is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
The main task of the EBA is to contribute to the creation of the European Single Rulebook in banking whose objective is to provide a single set of harmonised prudential rules for financial institutions throughout the EU.
EBA/GL/2019/02 – EBA Guidelines on outsourcing arrangements
In early 2019, the European Banking Authority (EBA) published its revised Guidelines on outsourcing arrangements, setting out specific provisions for the governance frameworks of all financial institutions within the scope of the EBA’s mandate with regard to their outsourcing arrangements and the related supervisory expectations and processes.
“Each financial institution’s management body remains responsible for that institution and all of its activities, at all times; to this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements. Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised.”
Basel Committee on Banking Supervision Outsourcing in Financial Services (issued 2005)
“Outsourcing has the potential to transfer risk, management and compliance to third-parties who may not be regulated, and who may operate offshore.”
“Regulated entities can mitigate these risks by taking steps (as discussed in the principles) to: draw up comprehensive and clear outsourcing policies, establish effective risk management programmes, require contingency planning by the outsourcing firm, negotiate appropriate outsourcing contracts, and analyse the financial and infrastructure resources of the service provider.”
In the UK, a financial services firm cannot contract out its regulatory obligations to a third party, and so it needs to take steps to ensure it is meeting those obligations. This section of the regulatory handbook provides additional guidance on managing outsourcing arrangements in relation to operational risk. According to the handbook, “Outsourcing may affect a firm’s exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.”
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions
Published in July 2014, this document provides a list of questions for financial services firms to consider when evaluating or engaging with third parties for technology services which are critical to firms’ operations. The questions cover the decision to use an outsource provider, the selection of a provider, and ongoing maintenance of the relationship with the provider, among other issues.
Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018
A survey of 296 firms by the FCA, released in November 2018, highlighted key areas of regulatory development going forward. Firms acknowledged challenges in managing their third parties. For example, third-party issues, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the FCA — this was the second highest root cause. In addition, only 66% of large firms and 59% of smaller firms understood their third parties’ response and recovery plans.
Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services
Published in July 2018 after a consultation period, the guidance includes a list of areas that UK-based financial services firms should consider when engaging with third parties to provide IT services. The FCA wants firms to consider international standards, legal and regulatory obligations, risk management, the oversight of the service provider, data security, access to the third party’s premises, business continuity, and other issues.
Building the UK financial sector’s operational resilience discussion paper
The Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) published a joint discussion paper (DP) on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs). Released in July 2018, this discussion paper examines issues around resiliency for financial services firms, including within third-party relationships. Although cyber risk is a particular focus of the paper, the paper proposes that firms focus on the continuity of the most important business services as an essential component of managing operational resilience; set board-approved impact tolerances which quantify the level of disruption that could be tolerated; and plan on the assumption that disruption will occur as well as seeking to prevent it.
China Banking Regulatory Commission (CBRC) (Now the China Banking and Insurance Regulatory Commission)
Notice on Issuing the Guidelines on Internal Control of Commercial Banks – Article 25
In 2014, the CBRC issued Guidelines on Internal Control of Commercial Banks, which included a provision for outsourcing controls.
“Commercial banks should establish and improve an outsourcing management system with defined organizational framework and responsibility and conduct a full risk assessment on outsourcing business at least once a year. Functions that involve development strategy, risk management, internal auditing and other core competence shall not be outsourced.”
Others
The Gramm-Leach-Bliley (GLB) Act of 1999
The GLB Act includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule, and pretexting provisions.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection.
The PCI DSS is a set of requirements for enhancing the security of payment customer account data. It was developed to help facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The guidance states that third-party service providers are responsible for demonstrating their PCI DSS compliance through an annual assessment or multiple on-demand assessments.
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
FACTA is an amendment to the Fair Credit Reporting Act that is intended to help consumers avoid identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in the legislation. The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations.
The NAIC is a standard-setting and regulatory support organization consisting of the top insurance regulators from the 50 states, District of Columbia, and five U.S. territories. The NAIC formally adopted the model law in October 2017.
“(1) A Licensee shall exercise due diligence in selecting its Third-Party Service Provider; and (2) A Licensee shall require a Third-Party Service Provider to implement appropriate administrative, technical, and physical measures to protect and secure the Information Systems and Nonpublic Information that are accessible to, or held by, the Third-Party Service Provider.”
United States Department of Health and Human Services
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was enacted in 1996 to improve the efficiency and effectiveness of the health care system. It requires the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans, and employers. The law also incorporates provisions for guarding the security and privacy of personal health information.
(b)(1) Standard: Business associate contracts and other arrangements. “A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information.”
This rule, issued in 2013, makes business associates of covered entities directly liable for compliance with certain parts of the HIPAA Privacy and Security Rules’ requirements.
“Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of ‘‘unsecured protected health information’’;”
“…it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information…”
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance, and provides for more enforcement.
The Sarbanes-Oxley Act was enacted in 2002 and is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It defines audit requirements and the records businesses should store and for how long.
Institute of Internal Auditors: Practice Guide on Auditing Third-Party Risk Management
This document, available to members, was published in November 2018, and explains to audit teams how to understand and assess risks related to the use of third parties. It looks at risks across the full vendor life cycle, including the appropriate sourcing, ongoing management, and termination of vendors. The document also gives a framework for planning and executing third-party risk audits based on the size and type of organization in question.
The Foreign Corrupt Practices Act of 1977 (FCPA) forbids bribery and corruption by companies and their third-party partners, including resellers, distributors, and marketing agencies.
The UK Bribery Act of 2010 is modeled on the OECD Anti-Bribery Convention and forbids bribery and corruption by companies and their third-party partners who are doing business in the UK.
This anti-bribery and corruption (ABAC) law came into force in 2017. It requires companies that employ more than 500 employees and that have a turnover exceeding €100 million to implement a series of ABAC policies, including adopting a code of conduct, putting in place a whistleblowing system, creating a risk map, and conducting due diligence on major clients, suppliers, and intermediaries.
OECD Anti-Bribery Convention
Officially titled the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, this OECD convention was published in 1999 to help reduce political corruption and corporate crime in developing countries. It asks those who agree to it to criminalize the act of offering or giving a bribe.
ISO 37001:2016 specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing, and improving an anti-bribery management system.
The California Transparency in Supply Chains Act of 2010 requires companies subject to the law to disclose information regarding their efforts to eradicate human trafficking and slavery within their supply chains on their website or, if a company does not have a website, through written disclosures.
The Modern Slavery Act of 2015 gives UK law enforcement the tools to fight slavery, ensure perpetrators receive suitably severe punishment and protect victims of these crimes. Companies subject to the law are expected to explain the steps the organization has taken during the previous financial year to ensure that slavery and human trafficking are not taking place in any of its supply chains and in any part of its own business.
Title VII of the U.S. Civil Rights Act of 1964 and the U.S. Civil Rights Act of 1991
Title VII of the Civil Rights Act of 1964 (Pub. L. 88-352) and the Civil Rights Act of 1991 (Pub. L. 102-166) prohibit an employer with fifteen or more employees from discriminating on the basis of race, national origin, gender, or religion. Companies will want to ensure that their third parties are in compliance with this legislation.
Wages and the Fair Labor Standards Act (FLSA) and Equal Pay Act (EPA)
The Fair Labor Standards Act (FLSA) and the Equal Pay Act (EPA) of 1963 (Pub. L. 88-38) establish minimum wage, overtime pay, record keeping, and youth employment standards. Companies will want to ensure that their third parties are in compliance with this legislation.
Dodd-Frank 1502 and Clean Diamonds Trade Act (CDTA) Conflict Minerals
Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act and the Clean Diamonds Trade Act (CDTA) define restrictions on the mining, transporting, and commerce of conflict minerals. The Dodd-Frank Act mandated the SEC to ensure that the sale of conflict minerals (e.g. coltan, tantalum, tin, tungsten, and gold) does not benefit armed groups in or near the Democratic Republic of Congo.
The Clean Air Act of 1963, as codified in U.S. Code Title 42, Chapter 85, Subchapter I, Part A, § 7412 and § 7420, designates what constitutes a hazardous air pollutant, how it is to be disposed of, and the penalties for non-compliance with the Environmental Protection Agency’s (EPA) standards.
The GDPR standardizes data protection law across all 28 EU countries and imposes strict rules on controlling and processing personally identifiable information (PII).
The California Consumer Privacy Act of 2018 (CCPA)
This law is similar to the European Union’s General Data Protection Regulation (GDPR) in what it is seeking to achieve, and so it is sometimes referred to as California’s GDPR. The law seeks to protect the rights of individuals regarding their personal data, and imposes obligations on companies that do business in California to help support those rights. This includes third parties who work with data.
OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data
Updated in 2013, these guidelines are the foundation of many of the new data privacy regulations that are being created around the world, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). For companies, they can be a source of best practices around data privacy.
COPPA took effect in 2000, and applies to the online collection of personal information from children under 13. Monitored by the Federal Trade Commission (FTC), the rules limit how companies may collect and disclose children’s personal information.
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
An information security standard published on 25 September 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is a specification for an information security management system (ISMS).
The Health and Safety at Work etc. Act 1974 (also referred to as HSWA, the HSW Act, the 1974 Act or HASAWA) provides for securing the health, safety, and welfare of persons at work. Companies will want to ensure that their third parties are in compliance with this regulation.
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013 requires employers, the self-employed, and those in control of premises to report specified workplace incidents.