

Interagency Guidance on Third-Party Relationships Compliance

Third-Party Risk Management Requirements for Financial Services Companies

In July 2021, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) proposed uniform guidance on managing risks associated with third-party relationships in banking organizations.

The Proposed Guidance is based on the OCC’s 2013 guidance and 2020 FAQs. Once finalized, it would replace each agency’s existing guidance on third-party relationships and apply to all banking organizations supervised by the agencies. The goal of the proposed guidance is to bring uniformity and consistency to how banking organizations develop and enforce risk management principles as they relate to third-party relationships.

Relevant Requirements

  • Develop a plan that outlines the organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the organization will identify, assess, select, and oversee the third party

  • Perform proper due diligence in selecting a third party

  • Negotiate written contracts that articulate the rights and responsibilities of all parties

  • Have the board of directors and management oversee the organization’s risk management processes, maintain documentation and reporting for oversight accountability, and engage in independent reviews

  • Conduct ongoing monitoring of the third party’s activities and performance

  • Develop contingency plans for terminating the relationship in an effective manner

Prepare Your TPRM Program for the Proposed Guidance

The U.S. Financial Interagency Guidance on Third-Party Relationships: Best Practices Guide examines the requirements that organizations should be prepared to address at each stage of a third-party relationship.


Meeting Proposed Interagency Guidance on Third-Party Relationships Requirements

Here's how Prevalent can help you address third-party risk management requirements in the Proposed Guidance:

Each section below pairs the relevant passage of the Proposed Guidance with how we help you meet it.

1. Planning

“Before entering into a third-party relationship, banking organizations evaluate the types and nature of risks in the relationship and develop a plan to manage the relationship and its related risks. Certain third parties, particularly those providing critical services, typically warrant significantly greater planning and consideration. For example, when critical activities are involved, such plans may be presented to and approved by a banking organization’s board of directors (or a designated board committee) […]”

As part of the process to establish or refine your third-party risk management program, consider:

  • Governing policies, standards, systems and processes to protect systems and data
  • Roles and responsibilities (e.g., RACI) of all team members involved
  • Third-party inventories to understand the scale and scope of third-party involvement
  • Third-party classification and categorization approaches
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Fourth- and Nth-party involvement in delivering critical services
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs) to measure your program and third parties
  • Compliance and contractual reporting requirements
  • Incident response processes
  • Internal stakeholder reporting – for management and the Board
  • Risk mitigation and remediation strategies

Each of these items is critical to building a comprehensive TPRM program plan.

2. Due Diligence and Third-Party Selection

“Conducting due diligence on third parties before selecting and entering into contracts or relationships is an important risk management activity. Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence.

“The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship. Due diligence will include assessing a third party’s ability to perform the activity as expected, adhere to a banking organization’s policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner […]”

Assess and monitor third parties based on the extent of threats to information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier third parties; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables third-party categorization using a range of data interaction, financial, regulatory and reputational considerations.
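The scoring and tiering steps described above, as an added worked example (illustrative code, not Prevalent’s product logic). The criteria are the ones listed in this section; the weights, the 0 to 3 ordinal scales, the tier thresholds, the override rules and the three constructed third parties are assumptions that a real program would set from its own risk tolerance.

```python
"""Inherent-risk scoring and rule-based tiering for third parties.

Added example, not product code. Weights, scales, thresholds and the sample
third parties below are assumptions chosen to illustrate the mechanics.
"""
from dataclasses import dataclass

# Assumed weight per inherent-risk criterion (criteria taken from the page).
CRITERIA = {
    "criticality": 3,             # criticality to business performance and operations
    "jurisdiction": 2,            # location(s) and legal/regulatory considerations
    "fourth_party_reliance": 2,   # level of reliance on fourth parties
    "client_facing_exposure": 2,  # exposure to operational or client-facing processes
    "protected_data": 3,          # interaction with protected data
    "financial_health": 2,        # financial status (higher level = weaker health)
    "reputation": 1,              # reputational concerns
}
MAX_LEVEL = 3  # each criterion is rated on an assumed 0..3 scale

# Assumed program policy: tier -> (assessment scope, frequency).
SCOPE = {
    1: ("full control assessment with evidence review", "quarterly"),
    2: ("standard questionnaire", "annual"),
    3: ("self-attestation", "biennial"),
}


@dataclass
class ThirdParty:
    name: str
    levels: dict  # criterion -> 0..MAX_LEVEL


def inherent_score(tp: ThirdParty) -> float:
    """Weighted sum of criterion levels, normalised to 0..100."""
    for crit, level in tp.levels.items():
        if crit not in CRITERIA:
            raise KeyError(f"unknown criterion {crit!r}")
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{crit}: level {level} outside 0..{MAX_LEVEL}")
    total = sum(CRITERIA[c] * tp.levels.get(c, 0) for c in CRITERIA)
    max_total = sum(CRITERIA.values()) * MAX_LEVEL
    return round(100 * total / max_total, 1)


def tier(tp: ThirdParty, thresholds=(70, 40)) -> int:
    """Rule-based tiering: score thresholds plus override rules.

    The overrides exist because a weighted sum lets many low ratings dilute a
    single unacceptable exposure; handling protected data at the top level, or
    being rated critical, floors the third party at tier 2 regardless of score.
    """
    score = inherent_score(tp)
    lv = tp.levels
    critical = lv.get("criticality") == MAX_LEVEL
    sensitive = lv.get("protected_data") == MAX_LEVEL
    if score >= thresholds[0] or (critical and sensitive):
        return 1
    if score >= thresholds[1] or critical or sensitive:
        return 2
    return 3


def assessment_plan(tp: ThirdParty) -> dict:
    """Tier a third party and derive the scope of its ongoing assessment."""
    t = tier(tp)
    scope, frequency = SCOPE[t]
    return {"name": tp.name, "score": inherent_score(tp), "tier": t,
            "scope": scope, "frequency": frequency}


# Constructed sample third parties (not real vendors).
SAMPLE = [
    ThirdParty("core-banking-saas", {"criticality": 3, "jurisdiction": 1,
               "fourth_party_reliance": 2, "client_facing_exposure": 3,
               "protected_data": 3, "financial_health": 1, "reputation": 0}),
    ThirdParty("payroll-processor", {"criticality": 1, "fourth_party_reliance": 1,
               "protected_data": 3, "reputation": 1}),
    ThirdParty("office-supplies", {"financial_health": 1}),
]

if __name__ == "__main__":
    for tp in SAMPLE:
        print(assessment_plan(tp))
```

The payroll processor is the case to notice: its weighted score (33.3) sits below the tier 2 threshold, but the override on protected data still places it in tier 2, so the threshold alone would have under-scoped its assessment.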

a. Strategies and Goals

“Review the third party’s overall business strategy and goals to consider how the third party’s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, partnerships, joint ventures, or joint marketing initiatives) may affect the activity. Also consider reviewing the third party’s service philosophies, quality initiatives, efficiency improvements, and employment policies and practices. Consider whether the selection of a third party is consistent with a banking organization’s broader corporate policies and practices, including its diversity policies and practices […]”

Continuously track and analyze external threats to third parties by monitoring public and private sources of reputational, sanctions and financial information.

Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.

Monitoring sources should include:

  • Public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
  • Global news sources
  • Politically exposed person profiles
  • Global sanctions lists
  • Corruption Perception Index (CPI) scores
  • Modern Slavery statements

b. Legal and Regulatory Compliance

“Evaluate the third party’s ownership structure (including any beneficial ownership, whether public or private, foreign or domestic ownership) and its legal and regulatory compliance capabilities […]

“Consider the third party’s response to existing or recent regulatory compliance issues and its compliance status with applicable supervisory agencies and self-regulatory organizations, as appropriate […]”

As you evaluate a third party, build a centralized third-party profile that includes demographic information, beneficial ownership, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent regulatory findings and financial performance.

Options can include analyzing the sources of this data separately, or integrating it into a single view that is extensible to multiple internal teams.

c. Financial Condition

“Assess the third party’s financial condition, including reviews of the third party’s audited financial statements, annual reports, filings with the U.S. Securities and Exchange Commission (SEC), and other available financial information […]”

Leverage a global database of financial information on millions of businesses, including organizational changes and financial performance, turnover, profit and loss, shareholder funds, etc.

Your team can analyze the sources of this data separately by downloading financial statements, or integrate financial analysis into a broader risk assessment strategy.

g. Risk Management

“Evaluate the effectiveness of the third party’s own risk management, including policies, processes, and internal controls. Consider whether the third party’s risk management processes align with applicable banking organization policies and expectations surrounding the activity. Assess the third party’s change management processes, including to ensure that clear roles, responsibilities, and segregation of duties are in place […]”

“If available, consider reviewing System and Organization Control (SOC) reports and whether these reports contain sufficient information to assess the third party’s risk or whether additional scrutiny is required through an assessment or audit by the banking organization or other third party at the banking organization’s request. For example, consider whether or not SOC reports from the third party include within their coverage the internal controls and operations of subcontractors of the third party that support the delivery of services to the banking organization. Consider any conformity assessment or certification by independent third parties related to relevant domestic or international standards (for example, those of the National Institute of Standards and Technology (NIST), Accredited Standards Committee X9, Inc. (X9), and the International Standards Organization (ISO)).”

Automate risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.
Ensure that your third-party assessment approach includes:

  • A large library of standardized assessments (including those for NIST and ISO) and customization capabilities to assess third parties with flexibility
  • Built-in workflow to automate the identification of risks (based on thresholds you set according to your organization’s risk tolerance) and their assignment to owners
  • Built-in remediation recommendations to reduce residual risk
  • Automated risk and compliance reporting

Results of assessments and continuous monitoring should be collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

For third parties that submit a SOC 2 report instead of a completed third-party risk assessment, map control gaps identified within the SOC 2 report, create risk items against the third party within a central assessment platform, and track and report against deficiencies along with other risks.

h. Information Security

“Assess the third party’s information security program. Consider the consistency of the third party’s information security program with the banking organization’s program, and whether there are gaps that present risk to the banking organization. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology supports service delivery, assess the third party’s data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests. Consider the extent to which the third party uses controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption, and secured source code management. Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing.”

Conduct third-party cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management and automated evidence review capabilities.

Then, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases.

Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.

As noted in (g) above, you can then apply built-in workflow to triage and address risks through remediation recommendations.

j. Operational Resilience

“Assess the third party’s ability to deliver operations through a disruption from any hazard with effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions. Assess options to employ if a third party’s ability to deliver operations is impaired […]”

Automate the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity using a comprehensive business resilience assessment based on the ISO 22301 standard.

This approach will enable your team to:

  • Categorize third parties according to their risk profile and criticality to the business
  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  • Centralize system inventory, risk assessments, RACI charts, and third parties
  • Ensure consistent communications with third parties during business disruptions

To complement business resilience assessments and validate results:

  • Automate continuous cyber monitoring that may predict possible third-party business impacts
  • Access qualitative insights from public and private sources of reputational information that could signal instability
  • Tap into financial information from a global network of businesses to identify third-party financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

k. Incident Reporting and Management Programs

“Review and consider the third party’s incident reporting and management programs to ensure there are clearly documented processes, timelines, and accountability for identifying, reporting, investigating, and escalating incidents. Confirm that the third party’s escalation and notification processes meet the banking organization’s expectations and regulatory requirements.”

Consider structuring and benchmarking your third-party incident management on one of the following industry standard frameworks:

  • NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide
  • ISO/IEC 27035-1: Information Security Incident Management, Part 1: Principles of Incident Management
  • ISO/IEC 27035-2: Information Security Incident Management, Part 2: Guidelines to Plan and Prepare for Incident Management
  • OCC Bulletin 2021-55: Computer-Security Incident Notification Final Rule, issued 11/23/2021
  • OCC Bulletin 2022-8: Information Technology Points of Contact for Banks’ Computer-Security Incident Notifications, issued 3/29/2022

Key components of your third-party incident reporting should include:

  • Customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive third-party reporting
  • Consolidated views of risk ratings, counts, scores, and flagged responses for each third party
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

n. Reliance on Subcontractors

“Evaluate the volume and types of subcontracted activities and consider any implications or risks associated with the subcontractors’ geographic locations. Evaluate the third party’s ability to identify, assess, monitor, and mitigate risks from its use of subcontractors and to provide that the same level of quality and controls exists no matter where the subcontractors’ operations reside. Evaluate whether additional risks may arise from the third party’s reliance on subcontractors and, as appropriate, conduct similar due diligence on the third party’s critical subcontractors, such as when additional risk may arise due to concentration-related risk, when the third party outsources significant activities, or when subcontracting poses other material risks.”

Identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Third parties discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

This approach provides insights to address potential technology or geographic concentration risk.
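The passive discovery and concentration check described in this section, as an added worked example (illustrative code, not the product’s scanner). Passive DNS answers for a third party’s public domain (CNAME targets for its web hosts, MX hosts for its mail, NS hosts for its zone) reveal which fourth parties it depends on; the same providers appearing under many of your third parties is technology concentration risk. The provider fingerprints, the DNS answers and the three vendors are constructed for the example.

```python
"""Fourth-party discovery from passive DNS evidence and a concentration check.

Added example, not product code. FINGERPRINTS is an assumed, deliberately
short map of DNS-target suffixes to the provider behind them; a real program
would maintain a far larger one. The DNS answers below are constructed.
"""
from collections import defaultdict

# Assumed fingerprints: a DNS target ending in this suffix implies the provider.
FINGERPRINTS = {
    "cloudfront.net": "AWS CloudFront",
    "amazonaws.com": "AWS",
    "azurewebsites.net": "Microsoft Azure",
    "google.com": "Google Workspace",   # e.g. aspmx.l.google.com mail hosts
    "pphosted.com": "Proofpoint",
    "cloudflare.com": "Cloudflare",
}


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.lower().rstrip(".")


def providers_for(records) -> set:
    """Map a list of (rtype, owner, target) DNS answers to fourth-party providers.

    Matches the longest fingerprint suffix so that a more specific entry wins
    over a shorter one if the map ever contains both.
    """
    found = set()
    for rtype, _owner, target in records:
        if rtype not in ("CNAME", "MX", "NS"):
            continue  # A/AAAA answers need IP-range fingerprints, out of scope here
        t = _norm(target)
        best = None
        for suffix, provider in FINGERPRINTS.items():
            if t == suffix or t.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, provider)
        if best:
            found.add(best[1])
    return found


def concentration(third_parties: dict) -> dict:
    """provider -> sorted list of third parties that depend on it."""
    users = defaultdict(set)
    for name, records in third_parties.items():
        for provider in providers_for(records):
            users[provider].add(name)
    return {p: sorted(names) for p, names in users.items()}


def concentrated(third_parties: dict, threshold: int = 2) -> set:
    """Providers shared by at least `threshold` third parties (assumed tolerance)."""
    return {p for p, names in concentration(third_parties).items()
            if len(names) >= threshold}


# Constructed passive-DNS answers, as (rtype, owner, target); not real vendors.
SAMPLE = {
    "vendor-a": [
        ("CNAME", "www.vendor-a.example", "d1234.cloudfront.net."),
        ("MX", "vendor-a.example", "aspmx.l.google.com."),
        ("NS", "vendor-a.example", "ns1.cloudflare.com."),
    ],
    "vendor-b": [
        ("CNAME", "portal.vendor-b.example", "vendor-b.azurewebsites.net."),
        ("MX", "vendor-b.example", "mx0a-0001.pphosted.com."),
        ("A", "vendor-b.example", "203.0.113.10"),
    ],
    "vendor-c": [
        ("CNAME", "app.vendor-c.example", "d9876.CloudFront.net"),
        ("MX", "vendor-c.example", "alt1.aspmx.l.google.com."),
    ],
}

if __name__ == "__main__":
    for provider, names in concentration(SAMPLE).items():
        print(f"{provider}: {names}")
    print("concentrated:", concentrated(SAMPLE))
```

Geographic concentration is checked the same way once each provider (or each resolved host) carries a region attribute; the example stops at the technology dimension because that is all the DNS answers themselves support.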

3. Contract Negotiation

“[…] As part of sound risk management, a banking organization reviews existing contracts periodically, particularly those involving critical activities, to ensure they continue to address pertinent risk controls and legal protections. Where problems are identified, the banking organization should seek to renegotiate at the earliest opportunity. A material or significant contract with a third party typically prohibits assignment, transfer, or subcontracting by the third party of its obligations to another entity without the banking organization’s consent […]”

Centralize the distribution, discussion, retention, and review of third-party contracts so that all applicable teams can participate in contract reviews to ensure the appropriate clauses are included and managed.

Key practices to consider in managing third-party contracts include:

  • Centralized storage of contracts
  • Tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

4. Oversight and Accountability

“The banking organization’s board of directors (or a designated board committee) and management are responsible for overseeing the banking organization’s overall risk management processes. Banking organization management is responsible for implementing third-party risk management. An effective board oversees risk management implementation and holds management accountable. Effective management teams should establish responsibility and accountability for managing third parties commensurate with the level of risk and complexity of the relationship […]”

Start by determining the difference between key performance indicators (KPIs) and key risk indicators (KRIs) and how they are related.

  • Key Performance Indicators (KPIs) measure the effectiveness of functions and processes.
  • Key Risk Indicators (KRIs) indicate how much risk the organization faces and which risk treatments to apply.

When it comes to measuring KPIs and KRIs, categorize them like this:

  • Risk measurements help to understand the risk of doing business with a third party, as well as associated mitigations
  • Threat measurements overlap somewhat with risk measurements and give a more complete, validated view of risk
  • Compliance measurements define whether third parties are compliant with your internal control requirements
  • Coverage measurements answer the question, “Do I have full coverage of my third-party footprint, and are they tiered and treated accordingly?”

Then, be sure to tie results back to contract provisions to provide complete governance over the process.
Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:

  • Present a consolidated view of current risk exposure to the organization from the supply chain
  • Communicate current status of critical third parties supporting major company efforts
  • Show inherent and residual risk from threat intelligence sources to demonstrate progress in reducing risk over time
  • Identify where executive support is needed

5. Ongoing Monitoring

“[…] Effective monitoring activities enable banking organizations to confirm the quality and sustainability of the third party’s controls and ability to meet service-level agreements (for example, ongoing review of third-party performance metrics). Additionally, ongoing monitoring typically includes the regular testing of the banking organization’s controls to manage risks from third-party relationships, particularly when critical activities are involved […]”

Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources should include:

  • Criminal forums; thousands of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
  • Public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
  • Financial performance, including turnover, profit and loss, shareholder funds, etc.
  • Global news sources
  • Politically exposed person profiles
  • Global sanctions lists

Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.

6. Termination

“[…] When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued. In the event of contract default or termination, a well-run banking organization should consider how to transition services in a timely manner to another third-party provider or bring the service in-house if there are no alternate third-party providers […]”

Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

  • Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
  • Leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
  • Take actionable steps to reduce third-party risk with built-in remediation recommendations and guidance.
  • Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.