FFIEC IT Examination Handbook Compliance

Third Party Management

"Establishing a well-defined relationship with technology service providers (TSPs) is essential to business resilience. A financial institution's third-party management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangement. To ensure business resilience, the program should include outsourced activities that are critical to the financial institution's ongoing operations."

The Prevalent TPRM platform enables internal control-based assessments (based on industry-standard framework questionnaires and/or custom questionnaires). This selection enables an organization to match the assessment’s requirements to the level of risk presented by the relationship.

In addition, the platform includes built-in workflow capabilities that enable assessors to interact efficiently with third parties during the due diligence collection and review periods.

Third Party Management – Due Diligence

"As part of its due diligence, a financial institution should assess the effectiveness of a TSP's business continuity program, with particular emphasis on recovery capabilities and capacity. In addition, an institution should understand the due diligence process the TSP uses for its subcontractors and service providers. Furthermore, the financial institution should review the TSP's BCP program and its alignment with the financial institution's own program, including an evaluation of the TSP's BCP testing strategy and results to ensure they meet the financial institution's requirements and promote resilience."

Prevalent’s standards-based and custom questionnaires focus on Business Continuity Planning, including impact analysis, operational risk assessment, and business recovery management. The Prevalent Assessment service examines the risk posed by both technology service providers and their subcontractors.

Third Party Management – Contracts

"Right to audit: Agreements should provide for the right of the financial institution or its representatives to audit the TSP and/or to have access to audit reports. A financial institution should review available audit reports addressing TSPs' resiliency capabilities and interdependencies (e.g., subcontractors), BCP testing, and remediation efforts, and assess the impact, if any, on the financial institution's BCP."

The Prevalent TPRM platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.

Third Party Management – Ongoing Monitoring

“Effective ongoing monitoring assists the financial institution in ensuring the resilience of outsourced technology services. The financial institution should perform periodic in-depth assessments of the TSP's control environment, including BCP, through the review of service provider business continuity plan testing activities, independent and/or third-party assessments to assess the potential impact on the financial institution's business resilience. The financial institution should ensure that results of such reviews are documented and reported by the TSP to the appropriate management oversight committee or the board of directors and used to determine any necessary changes to the financial institution's BCP and, if warranted, the service provider contract.”

The Prevalent Third-Party Risk Management platform provides a complete solution for performing assessments including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and address findings; and robust reporting to give each level of management the information it needs to properly review the third party's performance.

Cyber Resilience

“Cyber threats will continue to challenge business continuity preparedness. Financial institutions and TSPs should remain aware of emerging cyber threats and scenarios and consider their potential impact to operational resilience. Because the impact of each type of cyber event will vary, preparedness is the key to preventing or mitigating the effects of such an event.”

The Prevalent Cyber & Business Monitoring service provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations. Data security and business risk monitoring enables you to look beyond tactical vendor health for a more strategic view of a vendor’s overall information security risk.

Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks.

Examples of business information collected during the analysis include:

• M&A activity
• Layoffs
• Lawsuits
• Data breaches
• Product recalls
• Bankruptcy
• Capital transactions: debt, equity

II.C.20 Oversight of Third-Party Service Providers

"Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks. The institution's contracts should do the following:

Include minimum control and reporting standards
Provide for the right to require changes to standards as external and internal environments change
Specify that the institution or an independent auditor has access to the service provider to perform evaluations of the service provider's performance against the Information Security Standards."

The Prevalent Assessment service simplifies compliance and reduces risk with automated collection and analysis of vendor surveys using industry standard and custom questionnaires. Bi-directional workflows provide back and forth communication with technology service providers to address findings and remediation efforts. Robust reporting and full audit capabilities streamlines proper performance review. Access to completed assessments and audits can be delegated to auditors via standard RBAC capabilities in the platform.