In the world of third-party risk management, organizations need to navigate a complex and expanding web of guidance, standards and regulations. Here, you can explore an overview of major industry standards and regulations that can help you ensure third-party compliance and build a more resilient business.
Regulators have made clear that third parties should attest to and align with your compliance, ethics, and risk management standards and obligations. Aravo enables customers to easily capture, update, manage and retain third-party attestations and certifications against these regulations and other ethics and compliance standards.
African Union Convention on Preventing and Combating Corruption
Jurisdiction: African Countries
The African Union Convention on Preventing and Combating Corruption is a regional treaty aimed at addressing anti-bribery and anti-corruption (ABAC) measures in Africa. It promotes cooperation among African Union member states to prevent and combat corruption, including bribery of public officials and illicit enrichment. The convention emphasizes the need for effective legal frameworks, enforcement mechanisms, and international cooperation to promote transparency, accountability, and good governance across the African continent.
Council of Europe Criminal Law Convention on Corruption
The Council of Europe Criminal Law Convention on Corruption is an international treaty that focuses on anti-bribery and anti-corruption (ABAC) measures. It aims to combat corruption by establishing common criminal offenses, enhancing cooperation among member states, and promoting international legal standards. The convention covers various aspects of corruption, including bribery in the public and private sectors, trading in influence, and laundering of proceeds from corruption.
Also known officially as the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. Published in 1999, this OECD convention was created to help reduce political corruption and corporate crime in developing countries. It asks those who agree to it to criminalize the act of offering or giving a bribe.
The Clean Company Act, also known as Law No. 12,846, is Brazilian legislation focused on anti-bribery and anti-corruption (ABAC) measures. It holds companies liable for corrupt practices, including bribery of public officials. The Act establishes stringent penalties for violations, such as fines, disgorgement of profits, and even dissolution of the company, while also encouraging the implementation of compliance programs to prevent corruption.
The Corruption of Foreign Public Officials Act (CFPOA)
The Corruption of Foreign Public Officials Act (CFPOA) is Canadian legislation aimed at combating bribery of foreign public officials. It prohibits individuals and organizations from offering or providing a bribe or any other undue advantage to foreign public officials in order to obtain or retain business advantages. The CFPOA establishes penalties for violations and promotes international anti-corruption efforts, aligning with Canada’s commitment to combating corruption globally.
The Criminal Law of the People’s Republic of China
The Criminal Law of the People’s Republic of China encompasses provisions related to anti-bribery and anti-corruption (ABAC) measures. It criminalizes various acts, including bribery of public officials, offering bribes, and accepting bribes. The law establishes penalties for offenders, including imprisonment and fines, and serves as a key instrument in combating corruption in China’s public and private sectors.
The German Criminal Code addresses anti-bribery and anti-corruption (ABAC) measures through provisions that prohibit bribery of public officials and commercial bribery. These provisions aim to ensure fair competition, maintain public trust, and hold offenders accountable. Violations of ABAC laws can result in imprisonment and fines under German law.
The Singaporean Prevention of Corruption Act is legislation that addresses anti-bribery and anti-corruption (ABAC) measures. It prohibits both public and private sector corruption, including bribery, extortion, and abuse of office. The Act sets strict penalties for offenders and establishes a robust framework to promote transparency, integrity, and accountability in Singapore’s public and private sectors.
This anti-bribery and corruption (ABAC) law came into force in 2017. It requires companies with more than 500 employees and a turnover exceeding €100 million to implement a series of ABAC policies, including adopting a code of conduct, putting in place a whistleblowing system, creating a risk map, and conducting due diligence on major clients, suppliers, and intermediaries.
UK Bribery Act of 2010
The UK Bribery Act of 2010 is modeled on the OECD Anti-Bribery Convention and forbids bribery and corruption by companies and their third-party partners who are doing business in the UK.
The UN Convention against Corruption (UNCAC) is a global treaty that addresses anti-bribery and anti-corruption (ABAC) measures. It sets international standards and guidelines to prevent, detect, and punish corruption, including bribery of public officials. The convention promotes cooperation among nations, encourages asset recovery, and emphasizes the importance of transparency, accountability, and integrity in both public and private sectors to combat corruption effectively.
Institute of Internal Auditors: Practice Guide on Auditing Third-Party Risk Management
This document, available to members, was published in November 2018 and explains to audit teams how to understand and assess risks related to the use of third parties. It looks at risks across the full vendor life cycle, including the appropriate sourcing, ongoing management, and termination of vendors. The document also gives a framework for planning and executing third-party risk audits based on the size and type of organization in question.
The Sarbanes-Oxley Act was enacted in 2002 and is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It defines audit requirements and the records businesses should store and for how long.
Dodd-Frank 1502 and Clean Diamonds Trade Act (CDTA) Conflict Minerals
Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act and the Clean Diamonds Trade Act (CDTA) define restrictions on the mining, transporting, and commerce of conflict minerals. The Dodd-Frank Act mandated the SEC to ensure that the sale of conflict materials (e.g. coltan, tantalum, tin, tungsten, and gold) does not benefit armed groups in or near the Democratic Republic of Congo.
European Union Conflict Minerals Regulation (EU 2017/821)
This regulation requires EU companies that import tin, tantalum, tungsten, or gold (in mineral or metal form) to conduct due diligence if they choose to import from conflict-affected and high-risk areas. The regulation is directly linked to the OECD Due Diligence Guidance.
OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas
This is an internationally recognized due diligence framework that provides detailed guidance for companies to respect human rights and avoid contributing to conflict through their mineral or metal purchasing decisions and practices. It outlines a five-step framework for due diligence to help companies meet these goals.
CEPA is a federal law that aims to prevent pollution, protect the environment, and manage toxic substances. It addresses various aspects such as air and water pollution, hazardous substances, and waste management.
The Clean Air Act of 1963, as codified in U.S. Code Title 42, Chapter 85, Subchapter I, Part A, § 7412 and § 7420, designates what counts as a hazardous air pollutant, how it must be disposed of, and what the penalties are for non-compliance with the Environmental Protection Agency’s (EPA) standards.
Directive 2011/92/EU defines the environmental impact assessment (EIA) process which ensures that projects likely to have significant effects on the environment are made subject to an assessment, prior to their authorisation.
This standard provides guidance on how businesses and organizations can operate in a socially responsible way, including respect for human rights. It emphasizes the importance of due diligence, which includes understanding the social impacts of an organization’s activities and business relationships.
European Union Human Rights and Environmental Due Diligence Directive
On February 23, the European Commission released a draft regulation on human rights and environmental due diligence. The draft regulation requires large EU companies, and some non-European companies doing significant business in Europe, to assess their actual and potential human rights and environmental impacts throughout their operations and down their supply chains.
The GRI Standards provide a framework for sustainability reporting, which includes reporting on human rights issues. They include several standards specifically related to human rights, including GRI 412: Human Rights Assessment, which encourages organizations to identify and assess the human rights impacts of their operations and supply chains.
Organization for Economic Cooperation and Development (OECD) Guidelines for Multinational Enterprises
The OECD Guidelines include a chapter on human rights which stipulates that enterprises should respect human rights, which means they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved. This includes the human rights impacts associated with their business relationships, such as suppliers and other partners.
The California Transparency in Supply Chains Act of 2010 requires companies subject to the law to disclose information regarding their efforts to eradicate human trafficking and slavery within their supply chains on their website or, if a company does not have a website, through written disclosures.
Title VII of the U.S. Civil Rights Act of 1964 and the U.S. Civil Rights Act of 1991
Title VII of the Civil Rights Act of 1964 (Pub. L. 88-352) and the Civil Rights Act of 1991 (Pub. L. 102-166) prohibit an employer with fifteen or more employees from discriminating on the basis of race, national origin, gender, or religion. Companies will want to ensure that their third parties are in compliance with these laws.
The Modern Slavery Act of 2015 gives UK law enforcement the tools to fight slavery, ensure perpetrators receive suitably severe punishment and protect victims of these crimes. Companies subject to the law are expected to explain the steps the organization has taken during the previous financial year to ensure that slavery and human trafficking are not taking place in any of its supply chains and in any part of its own business.
United Nations Guiding Principles on Business and Human Rights (UNGPs)
The UNGPs were endorsed by the UN Human Rights Council in 2011. They provide a global standard for preventing and addressing the risk of adverse human rights impacts linked to business activities. The Principles provide a roadmap for businesses to “know and show” that they respect human rights in their own operations and through their business relationships, which includes their supply chains.
Adopted by the United Nations General Assembly in 1948, the UDHR sets out the fundamental human rights and freedoms to which all individuals are entitled, regardless of nationality, race, religion, gender, or other status. It serves as a foundation for subsequent human rights instruments.
Wages and the Fair Labor Standards Act (FLSA) and Equal Pay Act (EPA)
The Fair Labor Standards Act (FLSA) and the Equal Pay Act (EPA) of 1963 (Pub. L. 88-38) establish minimum wage, overtime pay, record keeping, and youth employment standards. Companies will want to ensure that their third parties are in compliance with these laws.
Building the UK financial sector’s operational resilience discussion paper
The Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) published a joint discussion paper (DP) on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs). Released in July 2018, this discussion paper examines issues around resiliency for financial services firms, including within third-party relationships. Although cyber risk is a particular focus of the paper, the paper proposes that firms focus on the continuity of the most important business services as an essential component of managing operational resilience; set board-approved impact tolerances which quantify the level of disruption that could be tolerated; and plan on the assumption that disruption will occur as well as seeking to prevent it.
DP3/22 – Operational resilience: Critical third parties to the UK financial sector
The paper outlines potential measures to manage the systemic risks posed by certain third parties to the UK financial sector. These third parties, referred to as ‘critical third parties’ (CTPs), could be designated as such by HM Treasury (HMT) under proposed changes to UK legislation.
“The supervisory authorities hold firms and FMIs responsible, and ultimately accountable, for their operational resilience, regardless of whether or not they rely upon third parties to support the delivery of their important business services. But no single firm or FMI can adequately monitor or manage the systemic risks that certain third parties pose to the supervisory authorities’ objectives.”
FMI outsourcing and third party risk management Policy Statement
The Bank of England’s Policy Statement (PS) on Financial Market Infrastructures (FMIs) outsourcing and third-party risk management provides feedback on three Consultation Papers (CPs) covering outsourcing and third-party risk management for different types of FMIs, including Central Counterparties (CCPs), Central Securities Depositories (CSDs), and Recognised Payment System Operators (RPSOs) and Specified Service Providers (SSPs).
“The final SS and CoP in the Annex set out how the Bank expects FMIs to comply with the range of requirements and expectations on outsourcing and third party risk management, throughout the lifecycle of such arrangements.”
Outsourcing and third party risk management Supervisory Statement: central counterparties
The document details the Bank’s expectations on governance and accountability, risk management, and record-keeping. It addresses the criticality and risk assessments of CCPs’ outsourcing and other third-party arrangements, including notification to the Bank where required, and CCPs’ due diligence on third parties.
“When a CCP outsources services or activities to a third party, it shall remain fully responsible for discharging all of its obligations, and outsourcing does not result in the delegation of its responsibility. This is a key principle underlying all requirements and expectations regarding outsourcing and other third party arrangements.”
SS2/21 – Outsourcing and third party risk management
The Supervisory Statement (SS) 2/21, titled “Outsourcing and third party risk management,” issued by the Prudential Regulation Authority (PRA) of the Bank of England in March 2021, outlines the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third-party risk management.
“Firms should implement proportionate, risk-based, suitable controls. These controls do not necessarily have to be the same as those that apply to outsourcing arrangements. However, the controls should be appropriate to the materiality and risks of the third party arrangement and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality or risk. It follows that firms should apply stricter controls to material, non-outsourcing third party arrangements than to non-material outsourcing arrangements.”
Basel Committee on Banking Supervision Outsourcing in Financial Services (issued 2005)
“Outsourcing has the potential to transfer risk, management and compliance to third-parties who may not be regulated, and who may operate offshore.”
“Regulated entities can mitigate these risks by taking steps (as discussed in the principles) to: draw up comprehensive and clear outsourcing policies, establish effective risk management programmes, require contingency planning by the outsourcing firm, negotiate appropriate outsourcing contracts, and analyse the financial and infrastructure resources of the service provider.”
Revisions to the principles for the sound management of operational risk (issued 2021)
The document emphasizes that banks should have a comprehensive understanding of the operational risks associated with outsourcing arrangements and ensure that effective risk management policies and practices are in place to manage the risk in outsourcing activities.
“While recourse to entities such as, but not limited to third-party service providers can help manage costs, provide expertise, expand product offerings, and improve services, it also introduces risks that management should address. The board of directors and senior management are responsible for understanding the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities.”
Notice on Issuing the Guidelines on Internal Control of Commercial Banks – Article 25
In 2014, the CBRC issued Guidelines on Internal Control of Commercial Banks, which included a provision for outsourcing controls.
“Commercial banks should establish and improve an outsourcing management system with defined organizational framework and responsibility and conduct a full risk assessment on outsourcing business at least once a year. Functions that involve development strategy, risk management, internal auditing and other core competence shall not be outsourced.”
European Banking Authority
Digital Operational Resilience Act
The document discusses the importance of monitoring third-party ICT service providers to ensure the digital resilience of financial entities. It emphasizes the need for harmonized contractual elements and the use of standard contractual clauses for cloud computing services.
“Critical ICT third-party service providers should be subject to a Union Oversight Framework to promote convergence and efficiency in relation to supervisory approaches to ICT third-party risk to the financial sector, strengthen the digital operational resilience of financial entities which rely on critical ICT third-party service providers for the performance of operational functions, and thus to contribute to preserving the Union’s financial system stability, the integrity of the single market for financial services.”
EBA/GL/2019/02 – EBA Guidelines on outsourcing arrangements
In early 2019, the European Banking Authority (EBA) published its revised Guidelines on outsourcing arrangements, setting out specific provisions for the governance frameworks of all financial institutions within the scope of the EBA’s mandate with regard to their outsourcing arrangements and related supervisory expectations and processes.
“Each financial institution’s management body remains responsible for that institution and all of its activities, at all times; to this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements. Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised.”
EBA/GL/2019/04 – EBA Guidelines on ICT and security risk management
The guidelines provide a comprehensive framework for financial institutions to manage information and communication technology (ICT) and security risks. They cover various aspects of technology risk management, including the management of third-party services, system availability, system recoverability, cyber security operations, and IT project management.
“Financial institutions should test their BCPs periodically. In particular, they should ensure that the BCPs of their critical business functions, supporting processes, information assets and their interdependencies (including those provided by third parties, where applicable) are tested at least annually, in accordance with paragraph 89.”
FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processor / FIL-41-2014
The FDIC issued a clarification in 2014 regarding its supervisory approach to institutions establishing account relationships with third-party payment processors (TPPPs). The FDIC stated that as part of its regular safety and soundness examination activities, it reviews and assesses the extent to which institutions having account relationships with TPPPs follow the outstanding guidance.
“The focus of the FDIC’s supervisory approach to institutions establishing account relationships with TPPPs is to ensure institutions have adequate procedures for conducting due diligence, underwriting, and ongoing monitoring of these relationships. When an institution is following the outstanding guidance, it will not be criticized for establishing and maintaining relationships with TPPPs. It is the FDIC’s policy that insured institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to any customer operating in compliance with applicable law.”
Federal Financial Institutions Examination Council, USA
FFIEC IT Examination Handbook: Vendor and Third-Party Management
Financial institutions should establish and maintain effective vendor and third-party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.
Interagency Guidance on Third-Party Relationships: Risk Management / FIL-29-2023
On June 6, 2023, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) issued final guidance on managing risks associated with third-party relationships. The guidance provides principles that support a risk-based approach to third-party risk management for all stages in the life cycle of third-party relationships.
“Responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations, including but not limited to those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices) and those addressing financial crimes.” (Page 1)
“Regardless of a banking organization’s approach, a key element is to ensure that the banking organization’s risk management processes for third-party relationships are commensurate with the level of risk and complexity of its third-party relationships.” (Page 7)
The Federal Deposit Insurance Corporation (FDIC) issued revised guidance in 2012 addressing potential risks associated with relationships with third-party entities that process payments for telemarketers, online businesses, and other merchants. The guidance emphasizes that these relationships can pose increased risk to institutions and require careful due diligence and monitoring.
“Financial institutions should ensure that their contractual agreements with payment processors provide them with access to necessary information in a timely manner. These agreements should also protect financial institutions by providing for immediate account closure, contract termination, or similar action, as well as establishing adequate reserve requirements to cover anticipated chargebacks.”
Technology Outsourcing: Informational Tools for Community Bankers / FIL-13-2014
On April 7, 2014, the FDIC re-issued three documents related to technology outsourcing as an informational resource for community banks. These documents provide insights on how to select service providers, draft contract terms, and oversee multiple service providers when outsourcing for technology products and services.
“Fintech partnerships can enhance a bank’s capacity to serve its customers, improve operational efficiencies, and keep pace with technological innovation. However, these partnerships also present unique challenges and risks, particularly for community banks.”
“Clear definitions of accountability are important to ensure that both the bank and the service provider understand their roles and responsibilities for each service level requirement. Incentives and penalties can play a key role in establishing accountability.”
Federal Financial Institutions Examination Council, USA
FFIEC IT Examination Handbook Appendix J: Strengthening the Resilience of Outsourced Technology Services
This section of the Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook focuses specifically on the business continuity risks created by the use of third parties. In particular, the document says that financial services firms remain responsible for the business continuity risks posed by their third parties. The document also addresses cyber-resilience issues.
“Many financial institutions depend on third-party service providers to perform or support critical operations. These financial institutions should recognize that using such providers does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. The responsibility for properly overseeing outsourced relationships lies with the financial institution’s board of directors and senior management. An effective third-party management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing.”
FFIEC IT Examination Handbook: Outsourcing Technology Services
The Outsourcing Technology Services Booklet provides guidance for financial institutions on outsourcing technology services to third-party service providers. It covers topics such as board and management responsibilities, risk management, risk assessment, service provider selection, contract issues, ongoing monitoring, business continuity planning, information security, and outsourcing to foreign service providers. The booklet includes examination procedures, laws, regulations, and guidance, as well as appendices on foreign-based third-party service providers and managed security service providers.
“When outsourcing to a subsidiary or affiliate is considered, management must assure that the components outlined above evidence an arms-length transaction. An arrangement between a financial institution and an affiliate or subsidiary should be on terms that are substantially the same, or at least as favorable to the institution, as those prevailing at the time for comparable transactions with a non-affiliated third party.” (Page 11)
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions
Published in July 2014, this document provides a list of questions for financial services firms to consider when evaluating or engaging with third parties for technology services which are critical to firms’ operations. The questions cover the decision to use an outsource provider, the selection of a provider, and ongoing maintenance of the relationship with the provider, among other issues.
Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018
A survey of 296 firms by the FCA, released in November 2018, highlighted key areas of regulatory development going forward. Firms acknowledged challenges in managing their third parties. For example, third-party issues, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the FCA, the second highest root cause. In addition, only 66% of large firms and 59% of smaller firms understood their third parties’ response and recovery plans.
Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services
Published in July 2018 after a consultation period, the guidance includes a list of areas that UK-based financial services firms should consider when engaging with third parties to provide IT services. The FCA wants firms to consider international standards, legal and regulatory obligations, risk management, the oversight of the service provider, data security, access to the third party’s premises, business continuity, and other issues.
SYSC 8.1 Outsourcing sets out requirements for firms to manage the risks associated with outsourcing activities, including those involving third-party service providers.
“Outsourcing of important operational functions must not impair materially the quality of a firm’s internal control and the ability of the FCA to monitor the firm’s compliance with all obligations under the regulatory system.”
FIN-2012-A010 – Risk Associated with Third-Party Payment Processors
The advisory emphasizes that while third-party payment processors can enhance services and make transactions more cost-effective, they can also make the payment system vulnerable to money laundering, identity theft, fraud schemes, and illicit transactions. Therefore, financial institutions must exercise proper due diligence before entering into a relationship and set up controls to monitor performance.
“There are potential risks associated with relationships with third-party entities, in particular foreign-located payment processors that process payments for telemarketers, online businesses, and other merchants. These relationships can pose increased risk to institutions and may require careful due diligence and monitoring.”
Labour Program of Employment and Social Development Canada (ESDC), Canada
Fighting Against Forced Labour and Child Labour in Supply Chains Act
The Act outlines the responsibilities and obligations of the government and its entities when entering into contracts or agreements with third parties. It also provides guidelines for the management and disbursement of public funds, including the procurement of goods and services from third parties.
“A department may enter into a contract for the provision of any work, the rendering of any service or the supply of any articles, materials or equipment that are required for the management, administration, operation or program delivery of the department.”
MAS – Guidelines on Business Continuity Management (issued 2022)
The guidelines emphasize the need for financial institutions to conduct thorough risk assessments of their third-party service providers, ensure these providers have robust business continuity plans in place, and regularly test and review these plans. They also recommend including specific business continuity-related provisions in contracts with third-party service providers. These measures aim to mitigate the risk of service disruptions from third-party providers and ensure a coordinated response to any potential crises.
“The FI should also put in place plans and procedures to address any unforeseen disruption, failure or termination of third-party arrangements to minimize the impact of such adverse events on the continuity of its critical business services.”
MAS – Guidelines on Technology Risk Management (issued 2021)
The guidelines provide a comprehensive framework for financial institutions (FIs) to manage technology risks. They cover various aspects of technology risk management, including the management of third-party services, system availability, system recoverability, cyber security operations, and IT project management.
“A well-defined vetting process should be implemented for assessing third parties’ suitability in connecting to the FI via APIs, as well as governing third party API access. The vetting criteria should take into account factors such as the third party’s nature of business, cyber security posture, industry reputation and track record.”
MAS Notice 634 Banking Secrecy – Conditions for Outsourcing
The purpose of this notice is to provide guidelines for banks when outsourcing any operational function to a service provider, particularly when the outsourced function will be performed by the service provider outside Singapore and involves the disclosure of customer information. Banks in Singapore that rely on the exception provided in paragraph 3 of Part II of the Third Schedule of the Banking Act are required to comply with the conditions set out in the Appendix to this Notice.
“In all outsourcing arrangements involving the disclosure of customer information to the service provider, banks shall ensure that the confidentiality of customer information is protected. In selecting a service provider, except when the service provider is the Head Office or the parent bank, banks are to take appropriate due diligence measures, including the assessment of the track record, reputation, financial soundness of the service provider and its ability to safeguard the confidentiality of information entrusted to it.”
01-CU-20 – Due Diligence Over Third-Party Service Providers
The Supervisory Letter provides guidance to credit unions on managing third-party relationships. The letter emphasizes that while third-party relationships can enhance services provided to members and make programs more cost-effective, they can also result in financial stresses due to unanticipated costs, legal disputes, and asset losses. Therefore, credit unions must exercise proper due diligence before entering into a relationship and set up controls to monitor performance.
“Credit union officials are responsible for planning, directing, and controlling the credit union’s affairs. To fulfill these duties, the officials should require a due diligence review prior to entering into any arrangement with a third party.”
21-CU-16 – Relationships with Third Parties that Provide Services Related to Digital Assets
The letter from the National Credit Union Administration (NCUA) provides clarity about the existing authority of federally insured credit unions (FICUs) to establish relationships with third-party providers that offer digital asset services to their members, provided certain conditions are met.
“A FICU’s relationship with third parties offering these services and related technologies will be evaluated by the NCUA in the same manner as all other third-party relationships. This includes a FICU exercising sound judgment and conducting the necessary due diligence, risk assessment, and planning when choosing to introduce or bring together an outside vendor with its members. FICUs should establish effective risk measurement, monitoring, and control practices for such third-party arrangements.”
SL No. 07-01 – Evaluating Third Party Relationships
The Supervisory Letter provides guidance to credit unions on managing third-party relationships. The letter emphasizes that third-party relationships, when properly managed and controlled, can offer a wide range of benefits to credit unions and their members, including expertise, economies of scale, and access to new members. However, these relationships also present potential risks that credit unions must carefully consider and manage.
“Credit unions outsourcing functions without the appropriate level of due diligence and oversight may be taking on undue risk. Ultimately, credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved.”
New York State Department of Financial Services, USA
Cybersecurity requirements for financial services companies (23 NYCRR 500)
This state-level set of regulations focusing on cyber risk and cybersecurity became effective in 2017. Among other requirements, it asks covered financial services firms to perform risk assessments and due diligence on third parties’ cybersecurity practices.
Office of the Comptroller of the Currency (OCC), USA
OCC Bulletin 2002-16
The bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank’s operations.
“As with domestic outsourcing arrangements, the board of directors and senior management are responsible for understanding the risks associated with the bank’s outsourcing relationships with foreign-based service providers and ensuring that effective risk management practices are in place.”
“Specifically, before a national bank contracts for the services of a foreign-based service provider, it should properly assess the associated risks and exercise appropriate due diligence, including careful consideration of contract matters and choice of law and forum provisions. Additionally, the bank should have in place sufficient risk management policies, performance monitoring and oversight processes, expertise, and access to critical information to enable it to properly oversee the risks of the outsourcing relationship, including country and compliance risks.”
In 2021, the OCC issued Bulletin 2021-40, which provides information relating to six common areas of due diligence discussed in existing supervisory guidance. This guide was published by the OCC, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) to provide community banks with information that may be relevant when conducting due diligence on financial technology companies.
The guide is designed for community banks. Although the guide discusses community bank relationships with fintech companies, the content may be useful for banks of any size and for other types of third-party relationships.
“Engaging a third party does not diminish a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including federal consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.”
“During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.”
In 2023, the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency collectively issued a regulatory guidance document that provides a comprehensive framework for banking organizations to manage their third-party relationships.
The document provides a framework for assessing and managing risks associated with third-party relationships. This includes identifying, assessing, and mitigating known and emerging threats and vulnerabilities. Banking organizations with limited resources for security often depend on support from third parties, or on security tools provided by third parties, to assess information security risks.
“Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third-party service providers that support critical activities.”
“The board of directors and management are responsible for overseeing the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews.”
In 2023, the OCC released comprehensive and specific guidance on third-party risk management. This new guidance supersedes all previous instructions. The bulletin aims to assist banks, including national banks and federal savings associations, in evaluating and controlling the risks involved in their relationships with external entities. A third-party relationship refers to any formal or informal business arrangement between a bank and another organization.
“Regardless of a banking organization’s approach, applying a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight is key for effective risk management. It is important for each banking organization to assess risks presented by each of its third-party relationships and tailor its risk management processes accordingly.” (Page 9)
“With respect to commenters focused on steps to limit the burdens of due diligence, including collaboration with other banking organizations and engaging with third parties that specialize in conducting due diligence, the agencies note that such collaborative efforts could be beneficial and reduce burden, especially for community banking organizations, and have made certain clarifying revisions to the guidance in that regard. However, use of any collaborative efforts does not abrogate the responsibility of banking organizations to manage third-party relationships in a safe and sound manner and consistent with applicable laws and regulations (including antitrust laws). It is important for the banking organization to evaluate the conclusions from such collaborative efforts.” (Page 17)
Recommendations for the next phase of open banking in the UK
The document titled “Recommendations for the next phase of open banking in the UK” by the Joint Regulatory Oversight Committee provides a roadmap for the future of open banking in the UK, with a focus on improving the ecosystem for third-party providers (TPPs).
“We understand that some firms may be passing on Faster Payments payment statuses to TPPs. We ask all ASPSPs to consider whether the correct processes are in place to provide TPPs with relevant Faster Payments payment status information as soon as it has been received and until a final status for the payment has been reached by end of Q3 2023. This would considerably enhance TPPs’ visibility.”
S7-09-22: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The document acknowledges that cybersecurity incidents involving third-party service provider vulnerabilities are becoming more frequent. The proposed rules require companies to disclose whether they have policies and procedures to oversee and identify the cybersecurity risks associated with their use of third-party service providers. This includes providers that have access to or have information about the company’s customer and employee data.
“The proposed amendments are intended to better inform investors about cybersecurity incidents and the cybersecurity risk management, strategy, and governance of registrants of all types and sizes which are subject to the Exchange Act reporting requirements.”
The Consumer Financial Protection Bureau (CFPB), USA
CFPB Bulletin 2016-02
The Bulletin emphasizes that the Consumer Financial Protection Bureau (CFPB) expects supervised banks and nonbanks to manage their relationships with service providers in a way that ensures compliance with Federal consumer financial law.
“The mere fact that a supervised bank or nonbank enters into a business relationship with a service provider does not absolve the supervised bank or nonbank of responsibility for complying with Federal consumer financial law to avoid consumer harm. A service provider that is unfamiliar with the legal requirements applicable to the products or services being offered, or that does not make efforts to implement those requirements carefully and effectively, or that exhibits weak internal controls, can harm consumers and create potential liabilities for both the service provider and the entity with which it has a business relationship. Depending on the circumstances, legal responsibility may lie with the supervised bank or nonbank as well as with the supervised service provider.” (Page 2)
The bulletin provides guidance to covered persons and service providers about the potential for violations of sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act’s prohibition on engaging in unfair, deceptive, or abusive acts or practices (UDAAPs) when assessing phone pay fees.
“Lack of employee monitoring or service provider oversight may lead to misrepresentations or failure to disclose available options and fees. A number of entities have policies and procedures in place requiring phone representatives to disclose all available phone pay options and fees to consumers, including requiring the use of detailed phone scripts. But deviations from call scripts may potentially cause phone representatives to misrepresent the available phone payment options and fees resulting in a consumer being charged a higher fee than otherwise would have been applicable. Entities can reduce the risk of misrepresentations through adequate monitoring.”
The Consumer Financial Protection Bureau (CFPB) issued a bulletin outlining its expectations for supervised banks and nonbanks to ensure compliance with federal consumer financial law and protect the interests of consumers.
“The CFPB recognizes that the use of service providers is often an appropriate business decision for supervised banks and nonbanks. Supervised banks and nonbanks may outsource certain functions to service providers due to resource constraints, use service providers to develop and market additional products or services, or rely on expertise from service providers that would not otherwise be available without significant investment.”
SR 21-15 / CA 21-11: Guide for Community Banking Organizations Conducting Due Diligence on Financial Technology Companies
Issued on August 27, 2021, “SR 21-15 / CA 21-11: Guide for Community Banking Organizations Conducting Due Diligence on Financial Technology Companies” is a resource developed by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. This guide is intended for banking organizations with $10 billion or less in consolidated assets supervised by the Federal Reserve.
“Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives.”
“A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events.”
SR 23-4: Interagency Guidance on Third-Party Relationships: Risk Management
This guidance issued by the Federal Reserve in 2023 emphasizes that the scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship.
“A banking organization’s use of third parties does not diminish its responsibility to meet these requirements to the same extent as if its activities were performed by the banking organization in-house.”
“For certain relationships, clearly defined performance measures can assist a banking organization in evaluating the performance of a third party. In particular, a service-level agreement between the banking organization and the third party can help specify the measures surrounding the expectations and responsibilities for both parties.”
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
FACTA is an amendment to the Fair Credit Reporting Act that is intended to help consumers avoid identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in the legislation. The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection.
The PCI DSS is a set of requirements for enhancing the security of payment customer account data. It was developed to help facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The guidance states that third-party service providers are responsible for demonstrating their PCI DSS compliance through an annual assessment or multiple on-demand assessments.
The GLB Act includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule, and pretexting provisions.
This code is the primary federal law that regulates workplace safety and health in Canada. It sets forth standards for workplace safety and health and requires employers to comply with those standards.
ISO 45003 Occupational health and safety management systems
ISO 45003 is an international standard that provides guidelines for implementing and managing an occupational health and safety management system. It offers a framework for organizations to identify and control health and safety risks, improve performance, and promote a safe and healthy working environment. The standard emphasizes the importance of employee participation, hazard identification, risk assessment, and continuous improvement in managing occupational health and safety.
The Health and Safety at Work etc. Act 1974 (also referred to as HSWA, the HSW Act, the 1974 Act or HASAWA) provides for securing the health, safety, and welfare of persons at work. Companies will want to ensure that their third parties are in compliance with this regulation.
UK Management of Health and Safety at Work Regulations 1999
Jurisdiction: United Kingdom
The UK Management of Health and Safety at Work Regulations 1999 outline the responsibilities of employers and employees in ensuring health and safety in the workplace. They require employers to assess and manage risks, provide information and training to employees, and establish procedures for responding to accidents and emergencies.
The UK Work at Height Regulations 2005 focus on the safety of individuals working at height. The regulations apply to both employers and employees involved in activities such as working on ladders, scaffolds, or rooftops.
Federal Information Security Management Act (FISMA)
This U.S. legislation outlines security requirements for federal agencies, including healthcare organizations that handle federal information. It emphasizes the need to manage third-party risks effectively.
The HCSA is Singaporean legislation that provides regulatory oversight for healthcare institutions and healthcare professionals. It includes provisions related to data protection and patient confidentiality.
This international standard outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of an organization. It can be applied to healthcare organizations to manage third-party risk.
Personal Information Protection and Electronic Documents Act (PIPEDA)
This federal privacy law applies to the collection, use, and disclosure of personal information by organizations engaged in commercial activities. It includes provisions for protecting personal health information.
United States Department of Health and Human Services
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was enacted in 1996 to improve the efficiency and effectiveness of the health care system. It requires the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans, and employers. The law also incorporates provisions for guarding the security and privacy of personal health information.
This rule, issued in 2013, makes business associates of covered entities directly liable for compliance with certain parts of the HIPAA Privacy and Security Rules’ requirements.
“Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of ‘unsecured protected health information’;”
“…it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information…”
(b)(1) Standard: Business associate contracts and other arrangements. “A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information.”
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance, and provides for more enforcement.
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
An information security standard published on 25 September 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for an information security management system (ISMS).
This primary legislation regulates financial services, including insurance, in the UK. It establishes the regulatory framework for insurance companies, intermediaries, and other financial institutions.
The NAIC is a standard-setting and regulatory support organization consisting of the top insurance regulators from the 50 states, the District of Columbia, and five U.S. territories. The NAIC formally adopted the model law in October 2017.
“(1) A Licensee shall exercise due diligence in selecting its Third-Party Service Provider; and (2) A Licensee shall require a Third-Party Service Provider to implement appropriate administrative, technical, and physical measures to protect and secure the Information Systems and Nonpublic Information that are accessible to, or held by, the Third-Party Service Provider.”
The Solvency II Directive is a comprehensive framework for insurance regulation in the EU. It sets out prudential requirements and risk management standards for insurance companies operating within the EU. The directive aims to ensure the financial stability and soundness of insurance undertakings.
Office of the Superintendent of Financial Institutions (OSFI)
Insurance Companies Act
This federal legislation governs the incorporation, organization, and conduct of insurance companies in Canada. It sets out various regulatory requirements and provisions related to the insurance industry.
The California Privacy Rights Act (CPRA) is a significant piece of privacy legislation in the United States that expands upon the California Consumer Privacy Act (CCPA). Enacted in 2020 and set to take effect on January 1, 2023, it introduces several new rights and obligations.
COPPA took effect in 2000 and applies to the online collection of personal information from children under 13. Enforced by the Federal Trade Commission (FTC), the rules limit how companies may collect and disclose children’s personal information.
OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data
Updated in 2013, these guidelines are the foundation of many of the new data privacy regulations that are being created around the world, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). For companies, they can be a source of best practices around data privacy.
The Privacy Shield Framework is an agreement between the United States and the European Union (EU) that allows for the transfer of personal data from the EU to the US. The framework requires that US companies that receive personal data from the EU comply with certain privacy principles, such as providing individuals with access to their data and allowing them to correct or delete it.
The SCCs are a set of clauses that can be used to supplement data transfer agreements between organizations in different countries. The SCCs are designed to ensure that the recipient of personal data in a third country (outside of the EU) complies with the EU’s data protection requirements.
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
One of the requirements of the New York SHIELD Act is that businesses must have in place reasonable safeguards to protect the security, confidentiality, and integrity of private information. As part of these safeguards, businesses are expected to have a security program that includes measures to manage the risks associated with third-party service providers.
Specifically, businesses are required to implement reasonable administrative, technical, and physical safeguards, which include:
Selecting service providers that can maintain appropriate safeguards for the private information at issue.
Contractually requiring service providers to implement those safeguards.
This means that if a business shares the private information of New York residents with a third-party service provider, the business is responsible for ensuring that the service provider can and will maintain appropriate safeguards for that information. This is where third-party risk management comes into play under the SHIELD Act. Businesses need to assess the risks associated with their third-party service providers and take steps to manage those risks to comply with the Act.
The California Consumer Privacy Act of 2018 (CCPA)
This law is similar to the European Union’s General Data Protection Regulation (GDPR) in what it is seeking to achieve, and so it is sometimes referred to as California’s GDPR. The law seeks to protect the rights of individuals regarding their personal data, and imposes obligations on companies that do business in California to help support those rights. This includes third parties who work with data.
The information contained on this page is for reference and informational purposes only. As such, Aravo expressly disclaims any and all legal and professional liability associated with the content and any suggestions and/or recommendations provided therewith.
Better business is built on acting with integrity. It commands better performance, delivering better efficiency, collaboration, and financial outcomes. It inspires trust. But better business is more than that – it’s about lifting the ethical standard of an entire business ecosystem to build a better world.