
Third-Party Risk Management Guidance, Regulations & Standards

In the world of third-party risk management, organizations need to navigate a complex and expanding web of guidance, standards and regulations. Here, you can explore an overview of major industry standards and regulations that can help you ensure third-party compliance and build a more resilient business.

Regulators have made clear that third parties should attest to and align to your compliance, ethics, and risk management standards and obligations. Aravo enables customers to easily capture, update, manage and retain third party attestations and certifications with these regulations and other ethics and compliance standards. 

Financial Services

Federal Financial Institutions Examination Council, USA

FFIEC IT Examination Handbook: Vendor and Third-Party Management

Financial institutions should establish and maintain effective vendor and third-party management programs because of their increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties, perform adequate due diligence before entering into those relationships, and monitor them on an ongoing basis.

FFIEC IT Examination Handbook Appendix J: Strengthening the Resilience of Outsourced Technology Services

This section of the Federal Financial Institutions Examination Council's (FFIEC) IT Examination Handbook focuses specifically on the business continuity risks created by the use of third parties. In particular, the document states that financial services firms remain responsible for the business continuity risks posed by their third parties. The document also addresses cyber-resilience issues.

“Many financial institutions depend on third-party service providers to perform or support critical operations. These financial institutions should recognize that using such providers does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. The responsibility for properly overseeing outsourced relationships lies with the financial institution’s board of directors and senior management. An effective third-party management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing.”
The Outsourcing Technology Services Booklet provides guidance for financial institutions on outsourcing technology services to third-party service providers. It covers topics such as board and management responsibilities, risk management, risk assessment, service provider selection, contract issues, ongoing monitoring, business continuity planning, information security, and outsourcing to foreign service providers. The booklet includes examination procedures, laws, regulations, and guidance, as well as appendices on foreign-based third-party service providers and managed security service providers.

“When outsourcing to a subsidiary or affiliate is considered, management must assure that the components outlined above evidence an arms-length transaction. An arrangement between a financial institution and an affiliate or subsidiary should be on terms that are substantially the same, or at least as favorable to the institution, as those prevailing at the time for comparable transactions with a non-affiliated third party.” (Page 11)


The information contained on this page is for reference and informational purposes only.  As such, Aravo expressly disclaims any and all legal and professional liability associated with the content and any suggestions and/or recommendations provided therewith.
