In July 2021, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) proposed uniform guidance on managing risks associated with third-party relationships in banking organizations.
The Proposed Guidance is based on the OCC’s 2013 guidance and 2020 FAQs, and will replace each agency’s existing guidance on third-party relationships and apply to all banking organizations supervised by the agencies. The goal of the proposed guidance is to bring uniformity and consistency to how banking organizations develop and enforce risk management principles as they relate to third-party relationships. Under the proposed guidance, banking organizations are expected to:

- Develop a plan that outlines the organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the organization will identify, assess, select, and oversee the third party
- Perform proper due diligence in selecting a third party
- Negotiate written contracts that articulate the rights and responsibilities of all parties
- Have the board of directors and management oversee the organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews
- Conduct ongoing monitoring of the third party’s activities and performance
- Develop contingency plans for terminating the relationship in an effective manner
Prepare Your TPRM Program for the Proposed Guidance
The U.S. Financial Interagency Guidance on Third-Party Relationships: Best Practices Guide examines the requirements that organizations should be prepared to address at each stage of a third-party relationship.
Meeting the Requirements of the Proposed Interagency Guidance on Third-Party Relationships
Here's how Prevalent can help you address third-party risk management requirements in the Proposed Guidance:
| Proposed Guidance | How We Help |
|---|---|
| 1. Planning “Before entering into a third-party relationship, banking organizations evaluate the types and nature of risks in the relationship and develop a plan to manage the relationship and its related risks. Certain third parties, particularly those providing critical services, typically warrant significantly greater planning and consideration. For example, when critical activities are involved, such plans may be presented to and approved by a banking organization’s board of directors (or a designated board committee) […]” | As part of the process to establish or refine your third-party risk management program, consider: Each of these items is critical to building a comprehensive TPRM program plan. |
| 2. Due Diligence and Third-Party Selection “Conducting due diligence on third parties before selecting and entering into contracts or relationships is an important risk management activity. Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence. “The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship. Due diligence will include assessing a third party’s ability to perform the activity as expected, adhere to a banking organization’s policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner […]” | Assess and monitor third parties based on the extent of threats to information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include: From this inherent risk assessment, your team can automatically tier third parties, set appropriate levels of further diligence, and determine the scope of ongoing assessments. Rule-based tiering logic enables third-party categorization using a range of data interaction, financial, regulatory and reputational considerations. |
| a. Strategies and Goals “Review the third party’s overall business strategy and goals to consider how the third party’s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, partnerships, joint ventures, or joint marketing initiatives) may affect the activity. Also consider reviewing the third party’s service philosophies, quality initiatives, efficiency improvements, and employment policies and practices. Consider whether the selection of a third party is consistent with a banking organization’s broader corporate policies and practices, including its diversity policies and practices […]” | Continuously track and analyze external threats to third parties by monitoring public and private sources of reputational, sanctions and financial information. Correlate all monitoring data to assessment results and centralize it in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. Monitoring sources should include: |
| b. Legal and Regulatory Compliance “Evaluate the third party’s ownership structure (including any beneficial ownership, whether public or private, foreign or domestic ownership) and its legal and regulatory compliance capabilities […] “Consider the third party’s response to existing or recent regulatory compliance issues and its compliance status with applicable supervisory agencies and self-regulatory organizations, as appropriate […]” | As you evaluate a third party, build a centralized third-party profile that includes demographic information, beneficial ownership, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, recent regulatory findings and financial performance. Options include analyzing the sources of this data separately, or integrating them into a single view that is extensible to multiple internal teams. |
| c. Financial Condition “Assess the third party’s financial condition, including reviews of the third party’s audited financial statements, annual reports, filings with the U.S. Securities and Exchange Commission (SEC), and other available financial information […]” | Leverage a global database of financial information on millions of businesses, including organizational changes and financial performance, turnover, profit and loss, shareholder funds, etc. Your team can analyze the sources of this data separately by downloading financial statements, or integrate financial analysis into a broader risk assessment strategy. |
| g. Risk Management “Evaluate the effectiveness of the third party’s own risk management, including policies, processes, and internal controls. Consider whether the third party’s risk management processes align with applicable banking organization policies and expectations surrounding the activity. Assess the third party’s change management processes, including to ensure that clear roles, responsibilities, and segregation of duties are in place […]” “If available, consider reviewing System and Organization Control (SOC) reports and whether these reports contain sufficient information to assess the third party’s risk or whether additional scrutiny is required through an assessment or audit by the banking organization or other third party at the banking organization’s request. For example, consider whether or not SOC reports from the third party include within their coverage the internal controls and operations of subcontractors of the third party that support the delivery of services to the banking organization. Consider any conformity assessment or certification by independent third parties related to relevant domestic or international standards (for example, those of the National Institute of Standards and Technology (NIST), Accredited Standards Committee X9, Inc. (X9), and the International Standards Organization (ISO)).” | Automate risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle. Results of assessments and continuous monitoring should be collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks. For third parties that submit a SOC 2 report instead of a completed third-party risk assessment, map the control gaps identified within the SOC 2 report, create risk items against the third party within a central assessment platform, and track and report against deficiencies along with other risks. |
| h. Information Security “Assess the third party’s information security program. Consider the consistency of the third party’s information security program with the banking organization’s program, and whether there are gaps that present risk to the banking organization. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology supports service delivery, assess the third party’s data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests. Consider the extent to which the third party uses controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption, and secured source code management. Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing.” | Conduct third-party cybersecurity assessments at the time of onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management and automated evidence review capabilities. Then, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases. Correlate all monitoring data to assessment results and centralize it in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. As noted in (g) above, you can then apply built-in workflow to triage and address risks through remediation recommendations. |
| j. Operational Resilience “Assess the third party’s ability to deliver operations through a disruption from any hazard with effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions. Assess options to employ if a third party’s ability to deliver operations is impaired […]” | Automate the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity using a comprehensive business resilience assessment based on the ISO 22301 standard. This approach will enable your team to: This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements. |
| k. Incident Reporting and Management Programs “Review and consider the third party’s incident reporting and management programs to ensure there are clearly documented processes, timelines, and accountability for identifying, reporting, investigating, and escalating incidents. Confirm that the third party’s escalation and notification processes meet the banking organization’s expectations and regulatory requirements.” | Consider structuring and benchmarking your third-party incident management on one of the following industry standard frameworks: Key components of your third-party incident reporting should include: |
| n. Reliance on Subcontractors “Evaluate the volume and types of subcontracted activities and consider any implications or risks associated with the subcontractors’ geographic locations. Evaluate the third party’s ability to identify, assess, monitor, and mitigate risks from its use of subcontractors and to provide that the same level of quality and controls exists no matter where the subcontractors’ operations reside. Evaluate whether additional risks may arise from the third party’s reliance on subcontractors and, as appropriate, conduct similar due diligence on the third party’s critical subcontractors, such as when additional risk may arise due to concentration-related risk, when the third party outsources significant activities, or when subcontracting poses other material risks.” | Identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Third parties discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening. This approach provides insights to address potential technology or geographic concentration risk. |
| 3. Contract Negotiation “[…] As part of sound risk management, a banking organization reviews existing contracts periodically, particularly those involving critical activities, to ensure they continue to address pertinent risk controls and legal protections. Where problems are identified, the banking organization should seek to renegotiate at the earliest opportunity. A material or significant contract with a third party typically prohibits assignment, transfer, or subcontracting by the third party of its obligations to another entity without the banking organization’s consent […]” | Centralize the distribution, discussion, retention, and review of third-party contracts so that all applicable teams can participate in contract reviews and ensure the appropriate clauses are included and managed. Key practices to consider in managing third-party contracts include: |
| 4. Oversight and Accountability “The banking organization’s board of directors (or a designated board committee) and management are responsible for overseeing the banking organization’s overall risk management processes. Banking organization management is responsible for implementing third-party risk management. An effective board oversees risk management implementation and holds management accountable. Effective management teams should establish responsibility and accountability for managing third parties commensurate with the level of risk and complexity of the relationship […]” | Start by determining the difference between key performance indicators (KPIs) and key risk indicators (KRIs) and how they are related. Then, be sure to tie results back to contract provisions to provide complete governance over the process. |
| 5. Ongoing Monitoring “[…] Effective monitoring activities enable banking organizations to confirm the quality and sustainability of the third party’s controls and ability to meet service-level agreements (for example, ongoing review of third-party performance metrics). Additionally, ongoing monitoring typically includes the regular testing of the banking organization’s controls to manage risks from third-party relationships, particularly when critical activities are involved […]” | Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Monitoring sources should include: Correlate all monitoring data to assessment results and centralize it in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. |
| 6. Termination “[…] When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued. In the event of contract default or termination, a well-run banking organization should consider how to transition services in a timely manner to another third-party provider or bring the service in-house if there are no alternate third-party providers […]” | Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. |