Interagency Guidance on Third-Party Relationships Compliance

C. Third-Party Relationship Lifecycle

"Effective third-party risk management generally follows a continuous life cycle for third-party relationships ... The degree to which the examples of considerations discussed in this guidance are relevant to each banking organization is based on specific facts and circumstances and these examples may not apply to all of a banking organization’s third-party relationships ..."

1. Planning

“As part of sound risk management, effective planning allows a banking organization to evaluate and consider how to manage risks before entering into a third-party relationship. Certain third parties, such as those that support a banking organization’s higher-risk activities, including critical activities, typically warrant a greater degree of planning and consideration. For example, when critical activities are involved, plans may be presented to and approved by a banking organization’s board of directors (or a designated board committee) …”

As part of the process to establish or refine your third-party risk management program, consider:

• Governing policies, standards, systems and processes to protect systems and data
• Roles and responsibilities (e.g., RACI) of all team members involved
• Third-party inventories to understand the scale and scope of third-party involvement
• Third-party classification and categorization approaches
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth- and Nth-party involvement in delivering critical services
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs) to measure your program and third parties
• Compliance and contractual reporting requirements
• Incident response processes
• Internal stakeholder reporting – for management and the Board
• Risk mitigation and remediation strategies

Each of these items is critical to building a comprehensive TPRM program plan.

2. Due Diligence and Third-Party Selection

“Conducting due diligence on third parties before selecting and entering into third-party relationships is an important part of sound risk management. It provides management with the information needed about potential third parties to determine if a relationship would help achieve a banking organization’s strategic and financial goals. The due diligence process also provides the banking organization with the information needed to evaluate whether it can appropriately identify, monitor, and control risks associated with the particular third-party relationship. Due diligence includes assessing the third party’s ability to: perform the activity as expected, adhere to a banking organization’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner …”

Assess and monitor third parties based on the extent of threats to information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification includes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier third parties; set appropriate levels of subsequent due diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables third-party categorization using a range of data interaction, financial, regulatory and reputational considerations.

a. Strategies and Goals

“Review the third party’s overall business strategy and goals to consider how the third party’s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, partnerships, joint ventures, or joint marketing initiatives) may affect the activity. Also consider reviewing the third party’s service philosophies, quality initiatives, efficiency improvements, and employment policies and practices. Consider whether the selection of a third party is consistent with a banking organization’s broader corporate policies and practices, including its diversity policies and practices […]”

Continuously track and analyze external threats to third parties by monitoring public and private sources of reputational, sanctions and financial information.

Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.

Monitoring sources should include:

• Public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• Environmental, social and governance (ESG) scores
• Global news sources
• Politically exposed person profiles
• Global sanctions lists
• Corruption Perception Index (CPI) scores
• Modern Slavery statements

b. Legal and Regulatory Compliance

"A review of any legal and regulatory compliance considerations associated with engaging a third party allows a banking organization to evaluate whether it can appropriately mitigate risks associated with the third-party relationship ..."

As you evaluate a third party, build a centralized third-party profile that includes demographic information, beneficial ownership, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent regulatory findings and financial performance.

Options can include analyzing the sources of this data separately, or integrating it into a single view that is extensible to multiple internal teams.

c. Financial Condition

“An assessment of a third party’s financial condition through review of available financial information, including audited financial statements, annual reports, and filings with the U.S. Securities and Exchange Commission (SEC), among others, helps a banking organization evaluate whether the third party has the financial capability and stability to perform the activity …”

Leverage a global database of millions of businesses financial information, including organizational changes and financial performance, turnover, profit and loss, shareholder funds, etc.

Your team can analyze the sources of this data separately by downloading financial statements, or integrate financial analysis into a broader risk assessment strategy.

f. Risk Management

"Appropriate due diligence includes an evaluation of the effectiveness of a third party’s overall risk management, including policies, processes, and internal controls, and alignment with applicable policies and expectations of the banking organization surrounding the activity …”

“When relevant and available, a banking organization may consider reviewing System and Organization Control (SOC) reports and any conformity assessment or certification by independent third parties related to relevant domestic or international standards.11 In such cases, the banking organization may also consider whether the scope and the results of the SOC reports, certifications, or assessments are relevant to the activity to be performed or suggest that additional scrutiny of the third party or any of its contractors may be appropriate."

Automate risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.
Ensure that your third-party assessment approach includes:

• A large library of standardized assessments (including those for NIST and ISO) and customization capabilities to assess third parties with flexibility
• Built-in workflow to automate the identification of risks (based on thresholds you set according to your organization’s risk tolerance) and their assignment to owners
• Built-in remediation recommendations to reduce residual risk
• Automated risk and compliance reporting

Results of assessments and continuous monitoring should be collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

For third parties that submit a SOC 2 report instead of a completed third-party risk assessment, map control gaps identified within the SOC 2 report, create risk items against the third party within a central assessment platform, and track and report against deficiencies along with other risks.

g. Information Security

“Understanding potential information security implications, including access to a banking organization’s systems and information, can help a banking organization decide whether or not to engage with a third party. Due diligence in this area typically involves assessing the third party’s information security program, including its consistency with the banking organization’s information security program, such as its approach to protecting the confidentiality, integrity, and availability of the banking organization’s data. It may also involve determining whether there are any gaps that present risk to the banking organization or its customers and considering the extent to which the third party applies controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption, and secure source code management. It also aids a banking organization when determining whether the third party keeps informed of, and has sufficient experience in identifying, assessing, and mitigating, known and emerging threats and vulnerabilities. As applicable, assessing the third party’s data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests, can provide valuable information regarding information technology system vulnerabilities. Finally, due diligence can help a banking organization evaluate the third party’s implementation of effective and sustainable corrective actions to address any deficiencies discovered during testing.”

Conduct third-party cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management and automated evidence review capabilities.

Then, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases.

Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.

As noted in (g) above, you can then apply built-in workflow to triage and address risks through remediation recommendations.

i. Operational Resilience

“An assessment of a third party’s operational resilience practices supports a banking organization’s evaluation of a third party’s ability to effectively operate through and recover from any disruption or incidents, both internal and external. Such an assessment is particularly important where the impact of such disruption could have an adverse effect on the banking organization or its customers, including when the third party interacts with customers. It is important to assess options to employ if the third party’s ability to perform the activity is impaired and to determine whether the third party maintains appropriate operational resilience and cybersecurity practices, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data ...”

Automate the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity using a comprehensive business resilience assessment based on the ISO 22301 standard.

This approach will enable your team to:

• Categorize third parties according to their risk profile and criticality to the business
• Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
• Centralize system inventory, risk assessments, RACI charts, and third parties
• Ensure consistent communications with third parties during business disruptions
  To complement business resilience assessments and validate results:
• Automate continuous cyber monitoring that may predict possible third-party business impacts
• Access qualitative insights from public and private sources of reputational information that could signal instability
• Tap into financial information from a global network of businesses to identify third party financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

j. Incident Reporting and Management Programs

“Review and consideration of a third party’s incident reporting and management processes is helpful to determine whether there are clearly documented processes, timelines, and accountability for identifying, reporting, investigating, and escalating incidents. Such review assists in confirming that the third party’s escalation and notification processes meet the banking organization’s expectations and regulatory requirements.”

Consider structuring and benchmarking your third-party incident management on one of the following industry standard frameworks:

• NIST 800-61R2: Computer Security Incident Handling Guide
• ISO/IEC 27035-1: Information Security Incident Management part 1: Principles of Incident Management
• ISO/IEC 27035-2: Information Security Incident Management Part 2: Guidelines to Plan and Prepare for Incident Management
• OCC 2021-55: Bank Incident Notification Final Rule, issued 11/23/2021
• OCC 2022-8: Information technology Points of Contact for Bank’s Computer Security Incident Notifications, issued 3/29/2022

Key components of your third-party incident reporting should include:

• Customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive third-party reporting
• Consolidated views of risk ratings, counts, scores, and flagged responses for each third party
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates
• Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

l. Reliance on Subcontractors

“An evaluation of the volume and types of subcontracted activities and the degree to which the third party relies on subcontractors helps inform whether such subcontracting arrangements pose additional or heightened risk to a banking organization. This typically includes an assessment of the third party’s ability to identify, manage, and mitigate risks associated with subcontracting, including how the third party selects and oversees its subcontractors and ensures that its subcontractors implement effective controls. Other important considerations include whether additional risk is presented by the geographic location of a subcontractor or dependency on a single provider for multiple activities.”

Identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk.

Third parties discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

This approach provides insights to address potential technology or geographic concentration risk.

3. Contract Negotiation

“When evaluating whether to enter into a relationship with a third party, a banking organization typically determines whether a written contract is needed, and if the proposed contract can meet the banking organization’s business goals and risk management needs. After such determination, a banking organization typically negotiates contract provisions that will facilitate effective risk management and oversight and that specify the expectations and obligations of both the banking organization and the third party. A banking organization may tailor the level of detail and comprehensiveness of such contract provisions based on the risk and complexity posed by the particular third-party relationship ...”

Centralize the distribution, discussion, retention, and review of third party contracts so that all applicable teams can participate in contract reviews to ensure the appropriate clauses are included and managed.

Key practices to consider in managing third party contracts include:

• Centralized storage of contracts
• Tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

Ensuring sound contract lifecycle management will enable the organization to effectively:

• Manage agreements and performance
• Enforce information retention, right-to-audit clauses and remediation measures
• Obtain compliance reporting
• Require business resilience and continuity
• Bring visibility into subcontracting and foreign-based third parties

b. Performance Measures or Benchmarks

“For certain relationships, clearly defined performance measures can assist a banking organization in evaluating the performance of a third party. In particular, a service-level agreement between the banking organization and the third party can help specify the measures surrounding the expectations and responsibilities for both parties, including conformance with policies and procedures and compliance with applicable laws and regulations. Such measures can be used to monitor performance, penalize poor performance, or reward outstanding performance. It is important to negotiate performance measures that do not incentivize imprudent performance or behavior, such as encouraging processing volume or speed without regard for accuracy, compliance requirements, or adverse effects on the banking organization or customers.”

During the contract negotiation phase of the third-party lifecycle, include enforceable service level agreements (SLAs), key performance indicators (KPIs) and key risk indicators (KRIs) Into third-party contracts, assign owners and continually track progress toward achieving those measures.

It is important to determine the different between key performance indicators (KPIs) and key risk indicators (KRIs) and understand how they are related.

• Key Performance Indicators (KPIs) measure the effectiveness of functions and processes.
• Key Risk Indicators (KRIs) indicate how much risk the organization faces and which risk treatments to apply.

When it comes to measuring KPIs and KRIs, categorize them like this:

• Risk measurements help to understand the risk of doing business with a third party, as well as associated mitigations
• Threat measurements overlap somewhat with risk and give a more complete and validated view risk
• Compliance measurements define whether third parties are compliant with your internal controls requirements
• Coverage measurements answer the question, “Do I have full coverage of my third party footprint and are they tiered and treated accordingly?”

Then, be sure to tie results back to contract provisions to provide complete governance over the process.

4. Ongoing Monitoring

“Ongoing monitoring enables a banking organization to: (1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and (3) respond to such significant issues or concerns when identified ...

"Effective third-party risk management includes ongoing monitoring throughout the duration of a third-party relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party ...

"Ongoing monitoring may be conducted on a periodic or continuous basis, and more comprehensive or frequent monitoring is appropriate when a third-party relationship supports higher-risk activities, including critical activities. Because both the level and types of risks may change over the lifetime of third-party relationships, banking organizations may adapt their ongoing monitoring practices accordingly, including changes to the frequency or type of information used in monitoring ..."

Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources should include:

• Criminal forums; thousands of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• Financial performance, including turnover, profit and loss, shareholder funds, etc.
• Global news sources
• Politically exposed person profiles
• Global sanctions lists

Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.

5. Termination

“A banking organization may terminate a relationship for various reasons, such as expiration or breach of the contract, the third party’s failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bring the activity in-house, or discontinue the activity. When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued ...”

Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leverage customizable surveys and workflows report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
• Take actionable steps to reduce third-party risk with built-in remediation recommendations and guidance.
• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

D. Governance

"There are a variety of ways for banking organizations to structure their third-party risk management processes. Some banking organizations disperse accountability for their third-party risk management processes among their business lines. Other banking organizations may centralize the processes under their compliance, information security, procurement, or risk management functions. Regardless of how a banking organization structures its process, the following practices are typically considered throughout the third-party risk management life cycle, commensurate with risk and complexity."

To address third-party risk management program governance requirements, look for a TPRM platform that automates workflows required to onboard third parties and identify, assess, manage, continuously monitor and remediate third-party security, privacy, compliance, operational, and procurement/supply chain-related risks across every stage of the vendor lifecycle. A comprehensive solution that unifies the management of multiple risk types for the benefit of cross-functional teams will reduce costs, enable easier compliance reporting, and reduce the risk of gaps in controls.