On June 6, 2023, the Board of Governors of the Federal Reserve System (the Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued uniform guidance on managing risks associated with third-party relationships in banking organizations. Interagency Guidance on Third-Party Relationships: Risk Management is based on the OCC’s 2013 guidance and 2020 FAQs. It replaces each agency’s existing guidance on third-party relationships and applies to all banking organizations supervised by the agencies.
With full compliance expected with 12 months, now is the time for regulated banks to review the recommendations and determine how their third-party risk management programs are impacted. This post examines the goals of the Guidance and offers best practices for achieving compliance.
The goal of the Interagency Guidance is to bring uniformity and consistency to how banking organizations develop and enforce risk management principles as they relate to third-party relationships. According to the document, "the final guidance offers the agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships."
The Guidance defines a third-party relationship as “any business arrangement between a banking organization and another entity, by contract or otherwise;” describes the third-party risk management life cycle; and identifies principles applicable to each stage of the third-party life cycle as depicted below:
Source: Board, FDIC, and OCC
Each of the six principles in the Interagency Guidance on Third-Party Relationships maps to a stage of the third-party lifecycle. Here are key requirements and recommended best practices for each stage.
At the earliest stage of a third-party relationship, the Guidance recommends evaluating the types and nature of risks in the relationship and developing a plan to manage the relationship and its related risks. As part of the process to establish or refine your third-party risk management program, consider:
Each of these items is critical to building a comprehensive TPRM program plan.
Align Your TPRM Program with Interagency Guidance
The Interagency Guidance on Third-Party Relationships: Best Practices Guide examines the requirements that organizations should address at each stage of a third-party relationship.
Once a third party has been identified, it is essential to conduct thorough due diligence before selecting and entering into a contract. The Interagency Guidance on Third-Party Relationships suggests that due diligence should include assessing a third party’s ability to perform the activity as expected, adhering to policies, complying with all applicable laws, regulations, and requirements, and operating in a safe and sound manner.
Success that this stage requires assessing and monitoring third parties based on the extent of threats to information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk includes:
From this inherent risk assessment, your team can automatically tier third parties; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
The Guidance recommends reviewing existing contracts periodically, particularly those involving critical activities, to ensure they continue to address pertinent risk controls and legal protections.
Meeting this requirements means centralizing the distribution, discussion, retention and review of third party contracts so that all applicable teams can participate in contract reviews to ensure the appropriate clauses are included and managed.
Key practices to consider in managing third party contracts include:
Ensuring sound contract lifecycle management will enable the organization to effectively:
Successful third-party risk management programs include periodic internal controls-based assessments against industry standard frameworks and ongoing monitoring to confirm the quality and sustainability of the third party’s controls.
To accomplish this, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
Monitoring sources should include:
Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.
Organizations can be exposed to post-contract risk, yet research shows that few organizations conduct risk management at the end of a relationship. The Interagency Guidance says that it is important for management to terminate third-party relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued.
To streamline the vendor offboarding process, automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure:
Effectively addressing the requirements in the Guidance is virtually impossible if you rely on spreadsheets to collect, analyze, remediate and report on cybersecurity controls. With the Prevalent Third-Party Risk Management Platform, your financial services institution can automate and accelerate its compliance initiatives. The platform enables you to:
To learn more about complying with the Interagency Guidance on Third-Party Relationships, download our best practices guide or contact us to schedule a demo.
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024
Learn how integrating the NIST Privacy Framework with third-party risk management (TPRM) helps organizations enhance data...
09/12/2024