In July 2021, the Board of Governors of the Federal Reserve System (the Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) proposed uniform guidance on managing risks associated with third-party relationships in banking organizations. The Proposed Guidance is based on the OCC’s 2013 guidance and 2020 FAQs. It will replace each agency’s existing guidance on third-party relationships and apply to all banking organizations supervised by the agencies.
With the Proposed Guidance set to become final in 2023, and full compliance expected within 12 months, now is the time for regulated banks to review the recommendations and determine how their third-party risk management programs will be affected. This post examines the goal of the Proposed Guidance and its defining principles, and offers best practices for achieving those goals.
The goal of the proposed Interagency Guidance is to bring uniformity and consistency to how banking organizations develop and enforce risk management principles as they relate to third-party relationships. The Proposed Guidance:
“[…] offers a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.”
The Proposed Guidance defines a third-party relationship as “any business arrangement between a banking organization and another entity, by contract or otherwise;” describes the third-party risk management life cycle; and identifies principles applicable to each stage of the third-party life cycle, including:
“(1) developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party;
(2) performing proper due diligence in selecting a third party;
(3) negotiating written contracts that articulate the rights and responsibilities of all parties;
(4) having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews;
(5) conducting ongoing monitoring of the third party’s activities and performance; and
(6) developing contingency plans for terminating the relationship in an effective manner.”
Each of the six principles in the Proposed Interagency Guidance on Third-Party Relationships maps to a stage of the third-party lifecycle. Here are key requirements and recommended best practices for each stage.
At the earliest stage of a third-party relationship, the Proposed Guidance recommends evaluating the types and nature of risks in the relationship and developing a plan to manage the relationship and its related risks. As part of the process to establish or refine your third-party risk management program, consider:
Each of these items is critical to building a comprehensive TPRM program plan.
Prepare Your TPRM Program for the Proposed Guidance
The U.S. Financial Interagency Guidance on Third-Party Relationships: Best Practices Guide examines the requirements that organizations should be prepared to address at each stage of a third-party relationship.
Once a third party has been identified, it is essential to conduct thorough due diligence before selecting and entering into a contract. The Proposed Interagency Guidance on Third-Party Relationships suggests that due diligence should include assessing a third party’s ability to perform the activity as expected, adhering to policies, complying with all applicable laws, regulations, and requirements, and operating in a safe and sound manner.
Success at this stage requires assessing and monitoring third parties based on the extent of threats to information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk include:
From this inherent risk assessment, your team can automatically tier third parties; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
The Proposed Guidance recommends reviewing existing contracts periodically, particularly those involving critical activities, to ensure they continue to address pertinent risk controls and legal protections.
Meeting this requirement means centralizing the distribution, discussion, retention and review of third-party contracts so that all applicable teams can participate in contract reviews and ensure the appropriate clauses are included and managed.
Key practices to consider in managing third-party contracts include:
The Proposed Interagency Guidance on Third-Party Relationships requires the organization’s board of directors and management to be responsible for overseeing risk management processes. That effort begins by determining the key performance indicators (KPIs) and key risk indicators (KRIs) important for decision making.
When measuring KPIs and KRIs, group them into these four categories to ensure the board and executive team have the right view of third parties:
Then, be sure to tie results back to contract provisions to provide complete governance over the process.
Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:
Successful third-party risk management programs include periodic internal controls-based assessments against industry standard frameworks and ongoing monitoring to confirm the quality and sustainability of the third party’s controls.
To accomplish this, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
Monitoring sources should include:
Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.
Organizations can be exposed to post-contract risk, yet research shows that few organizations conduct risk management at the end of a relationship. The Proposed Interagency Guidance says that it is important for management to terminate third-party relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued.
To streamline the vendor offboarding process, automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure:
Effectively addressing the requirements in the Proposed Guidance is virtually impossible if you rely on spreadsheets to collect, analyze, remediate and report on cybersecurity controls. With the Prevalent Third-Party Risk Management Platform, your financial services institution can automate and accelerate its compliance initiatives. The platform enables you to:
To learn more about complying with the Proposed Interagency Guidance on Third-Party Relationships, download our best practices guide or contact us to schedule a demo.