In addition, many banks that use like products and services from technology or other service providers may become members of user groups. Assess the third party's financial condition, including reviews of the third party's audited financial statements, annual reports, filings with the U.S. Securities and Exchange Commission (SEC), and other available financial information. What factors should a banking organization consider in determining the types of subcontracting it is comfortable accepting in a third-party relationship? Maintaining appropriate documentation throughout the life cycle.
Evaluate the third party's ability to identify, assess, monitor, and mitigate risks from its use of subcontractors and to provide that the same level of quality and controls exists no matter where the subcontractors' operations reside. The OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships. You may submit comments by any of the following methods: Instructions: You must include OCC as the agency name and Docket ID OCC-2021-0011 in your comment.
The board (or committees thereof) should approve the policies and procedures that address how critical activities are identified. During due diligence and before signing a contract, bank management should assess the risks posed by the relationship and understand the third party's risk management and control environment.
The OCC issued the 2020 FAQs to clarify the OCC's 2013 third-party risk management guidance.
performing sound analysis to support the decision that the specific third party is the most appropriate third party available to the bank. The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC). A third-party relationship is any business arrangement between a banking organization and another entity, by contract or otherwise. Conduct due diligence on third parties before selecting and entering into contracts. For example, more complex relationships could include foreign-based third parties and the use of subcontractors. Bank management should keep in mind that specific technical controls in cloud computing may operate differently than in more traditional network environments. Reflect the associated risks in the overall assessment of the banking organization's risk profile. Third-party risk management for cloud computing services is fundamentally the same as for other third-party relationships. OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. When an appraisal is requested, the bank enters into an agreement with an individual appraiser. Confirm that the contract includes provisions that the third party provides and retains timely, accurate, and comprehensive information, such as records and reports, that allow banking organization management to monitor performance, service levels, and risks. Refer to OCC News Release 2015-1, Collaboration Can Facilitate Community Bank Competitiveness, OCC Says, January 13, 2015. For credit risk management, for example, banks should have adequate loan underwriting guidelines, and management should ensure that loans are underwritten to these guidelines.
The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship. Refer to ISO 22301:2012, Societal Security - Business Continuity Management Systems - Requirements, for more information regarding the ISO's standards for business continuity management.[12] Banks still have a responsibility, however, to manage these relationships in a safe and sound manner with consumer protections. In what ways, if any, could the proposed guidance be revised to better address challenges a banking organization may face in negotiating some third-party contracts? What additional information should the proposed guidance provide regarding a banking organization's assessment of a third party's information security and regarding information security risks involved with engaging a third party? OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships.
The OCC conducts examinations of services provided by significant TSPs based on authorities granted by the Bank Service Company Act, 12 U.S.C. Some banking organizations have business arrangements with third parties to offer competitive and innovative financial products and services that otherwise would be difficult, cost-prohibitive, or time-consuming to develop in-house. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. The bank may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party's overall financial stability. Appraisers and appraisal management companies: Some banks maintain an approved panel or list of individual appraisers. For example, when critical activities are involved, such plans may be presented to and approved by a banking organization's board of directors (or a designated board committee). Generally, a third-party contract includes provisions for periodic, independent, internal, or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the banking organization's in-house functions to monitor performance with the contract. As with any third-party relationship, management at banks involved with marketplace lenders should ensure the risk exposure is consistent with their boards' strategic goals, risk appetite, and safety and soundness objectives. Refer to OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing: Revised Guidelines on Internal Audit and its Outsourcing. OCC Bulletin 2013-29 recognizes that not all third-party relationships present the same level of risk or criticality to a bank's operations.
Effective monitoring activities enable banking organizations to confirm the quality and sustainability of the third party's controls and ability to meet service-level agreements (for example, ongoing review of third-party performance metrics). Evaluate whether the third party has sufficient physical and environmental controls to protect the safety and security of its facilities, technology systems, data, and employees.
It should not be a one-time assessment conducted at the beginning of the relationship. (Originally FAQ No. 14)
OCC Bulletin 2013-29 states that depending on the significance of the third-party relationship, a bank's analysis of a third party's financial condition may be as comprehensive as if the bank were extending credit to the third-party service provider. Understand the third party's metrics for its information systems and confirm that they meet the banking organization's expectations. Similarly, several sections of the proposed guidance provide information on possible procedures for addressing the treatment of subcontractors in contract negotiation, including the sections on Responsibilities for Providing, Receiving, and Retaining Information, Confidentiality and Integrity, and Subcontracting. There is no one way for banks to structure their third-party risk management process. Evaluate the third party's ownership structure (including any beneficial ownership, whether public or private, foreign or domestic ownership) and its legal and regulatory compliance capabilities.
An effective board oversees risk management implementation and holds management accountable. If a third party uses subcontractors (also referred to as fourth parties), a bank may find the third party's SOC 1 type 2 report particularly useful, as SSAE 18 requires the auditor to determine and report on the effectiveness of controls the third party has implemented to monitor the controls of the subcontractor.
Bank management should have as much knowledge in-house as possible, in case the third party or the bank terminates the contract, or if the third party is no longer in business. Information security and the safeguarding of sensitive customer data should be a key focus for a bank's third-party risk management when a bank is contemplating or has a business arrangement with a data aggregator. Developing and implementing the banking organization's third-party risk management process; Confirming that appropriate due diligence and ongoing monitoring is conducted on third parties and presenting results to the board when making recommendations to use third parties that involve critical activities; Reviewing and approving contracts with third parties; Providing appropriate organizational structures, management and staffing (level and expertise); Confirming that third parties comply with the banking organization's policies and reporting requirements; Providing that third parties be notified of significant operational issues at the banking organization that may affect the third party; Confirming that the banking organization has an appropriate system of internal controls and regularly tests the controls to manage risks associated with third-party relationships; Confirming that the banking organization's compliance management system is appropriate to the nature, size, complexity, and scope of its third-party business arrangements; Providing that third parties regularly test and implement agreed-upon remediation when issues arise; Escalating significant issues to the board; Terminating business arrangements with third parties that do not meet expectations or no longer align with the banking organization's strategic goals, objectives, or risk appetite; and. OCC Bulletin 2013-29 states that a third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.
The bank has a business arrangement with each of these types of companies. How does a bank's board of directors approve contracts with third parties that involve critical activities? While a determination of whether a banking organization's relationship constitutes a business arrangement may vary depending on the facts and circumstances, third-party business arrangements generally exclude a bank's customer relationships. An effective contract provision includes the types and frequency of audit reports the banking organization is entitled to receive from the third party (for example, SOC reports, Payment Card Industry (PCI) compliance reports, and other financial and operational reviews). Consider the third party's response to existing or recent regulatory compliance issues and its compliance status with applicable supervisory agencies and self-regulatory organizations, as appropriate. could cause a bank to face significant risk if the third party fails to meet expectations.
Strong compliance management systems include appropriate policies, procedures, practices, training, internal controls, and audit systems to manage and monitor compliance processes as well as a commitment of appropriate compliance resources. Due Diligence and Third-Party Selection, V. OCC's 2020 Frequently Asked Questions (FAQs) on Third-Party Relationships. When technology supports service delivery, assess the third party's data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests. A SOC 1, type 2, report may be particularly useful, as standards of the American Institute of Certified Public Accountants require the auditor to determine and report on the effectiveness of the client's internal controls over financial reporting and associated controls to monitor relevant subcontractors. Neither a written contract nor a monetary exchange is necessary to establish a business arrangement.
Consider whether any fees or incentives are subject to, and comply with, applicable law. Frequently, these user groups create the opportunity for banks, particularly community banks, to collaborate with their peers on innovative product ideas, enhancements to existing products or services, and customer service and relationship management issues with the service providers. What third-party relationships involve critical activities? Confirm that the contracts do not include burdensome upfront fees or incentives that could result in inappropriate risk taking by the banking organization or third party. Refer to the Federal Trade Commission and U.S. Department of Justice's Antitrust Guidelines for Collaborations Among Competitors. Assess the third party's degree of and its history of managing customer complaints or litigation. The term business arrangement is meant to be interpreted broadly and is synonymous with the term third-party relationship.
In other instances, a banking organization may make its banking services available to customers through the third party's platform. determining appropriate alternative methods to analyze these critical third parties (e.g., use information posted on the third party's website). This is particularly important for a bank's third-party relationships that support the bank's critical activities or for higher-risk third parties. What other aspects of third-party relationships, if any, should the guidance consider?
Include provisions for transferring the banking organization's accounts, data, or activities to another third party without penalty in the event of the third party's bankruptcy, business failure, or business interruption. Confirm that the contract sufficiently addresses: The contract often establishes the banking organization's right to audit, monitor performance, and provide for remediation when issues are identified. What type of due diligence and ongoing monitoring should be conducted when a bank enters into a contractual arrangement in which the bank has limited negotiating power? An example would be the Financial Data Exchange's FDX API Standard. Effective validation reports include clear executive summaries, with a statement of model purpose and a synopsis of model validation results, including major limitations and key assumptions. While determinations of business arrangements may vary depending on the facts and circumstances, third-party business arrangements generally exclude a banking organization's customers. Regardless of a bank's approach, the bank should have a sound methodology for designating which third-party relationships receive more comprehensive and rigorous oversight and risk management. This guidance offers a framework based on sound risk management principles that banking organizations may use in developing practices appropriate for all stages in the risk management life cycle of a third-party relationship based on the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. Interested parties are encouraged to submit written comments to any or all agencies listed below. critical activities and how a bank can determine the risks associated with third-party relationships. Appropriate data controls include rigorous assessment of the quality and suitability of data to support prudent banking operations.
Dual employees are employed by both the banking organization and the third party. 7 in this bulletin for more information about the extent of due diligence, contract negotiation, and ongoing monitoring that should be conducted for third-party relationships that support or involve low-risk bank activities. The level of due diligence and ongoing monitoring, however, may differ for, and should be specific to, each third-party relationship. Third parties often enlist the help of suppliers, service providers, or other organizations. When a bank uses a third-party utility, it has a business arrangement with the utility, and the utility should be incorporated into the bank's third-party risk management process. Third-party assessment service companies have been formed to help banking organizations with third-party risk management, including due diligence. Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the banking organization and the third party in an expeditious manner, and whether the third party should continue to provide activities to the banking organization during the dispute resolution period. make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants. The data aggregator typically uses automated scripts to capture various data, which is then provided to the customer or a financial technology (fintech) application that serves the customer or some other business.
To the extent the activities performed by the third party are subject to specific laws and regulations (e.g., privacy, information security, Bank Secrecy Act/anti-money laundering (BSA/AML), or fiduciary requirements). Some banks categorize their third-party relationships by similar risk characteristics and criticality (e.g., information technology service providers; portfolio managers; catering, maintenance, and groundkeeper providers; and security providers).
Third parties can fail to manage their subcontractors with the same rigor that the bank would have applied if it had engaged the subcontractor directly. The proposed guidance provides examples of third-party relationships, including use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which a banking organization has an ongoing relationship or may have responsibility for the associated records. It is up to each bank's board and management to identify the critical activities of the bank and the third-party relationships related to these critical activities. Consider outlining cost and responsibility for purchasing and maintaining hardware and software and specifying the conditions under which the cost structure may be changed, including limits on any cost increases.
Robust compliance management includes appropriate testing, monitoring, and controls to ensure that compliance risks are understood and addressed. Validation reports provided by a third-party model provider should identify model aspects that were reviewed, highlighting potential deficiencies over a range of financial and economic conditions (as applicable), and determining whether adjustments or other compensating controls are warranted. https://www.federalregister.gov/d/2021-15308, http://www.federalreserve.gov/generalinfo/foia/RevisedRegs.cfm, https://www.fdic.gov/resources/regulations/federal-register-publications/, https://www.ftc.gov/sites/default/files/documents/public_events/joint-venture-hearings-antitrust-guidelines-collaboration-among-competitors/ftcdojguidelines-2.pdf. Evaluate whether the third party has insurance coverage for areas that may not be covered under a general commercial policy, such as its intellectual property rights and cybersecurity. Confirming that conflicts of interest or appearances of conflicts of interest do not exist when selecting or overseeing third parties. A bank that has a business arrangement with a data aggregator has a third-party relationship, consistent with the existing guidance in OCC Bulletin 2013-29. Because almost all banks issue debit cards and offer transaction accounts, banks frequently participate in mobile payment environments even if they do not issue credit cards. In what areas should the level of detail be increased or reduced?[7] Some individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as.
Such examinations may evaluate safety and soundness risks, the financial and operational viability of the third party, the third party's ability to fulfill its contractual obligations and comply with applicable laws and regulations, including those related to consumer protection (including with respect to fair lending and unfair or deceptive acts or practices), and BSA/AML and OFAC laws and regulations. Bank management should perform due diligence to evaluate the business experience and reputation of the data aggregator to gain assurance that the data aggregator maintains controls to safeguard sensitive customer data. [FR Doc. 2021-15308 Filed 7-16-21; 8:45 am] Consider whether the third party maintains adequate types and amounts of insurance (including, if appropriate, naming the banking organization as insured or additional insured), notifies the banking organization of material changes to coverage, and provides evidence of coverage where appropriate. When engaging in marketplace lending activities, a bank's board and management should understand the relationships among the bank, the marketplace lender, and the borrowers; fully understand the legal, strategic, reputation, operational, and other risks that these arrangements pose; and evaluate the marketplace lender's practices for compliance with applicable laws and regulations. When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually to meet the expectations in OCC Bulletin 2013-29? The due diligence process also provides management with the information needed to determine whether a relationship mitigates identified risks or poses additional risk.
For relevant third-party relationships, stipulate that the performance of activities by external parties for the banking organization is subject to regulatory examination oversight, including access to all work papers, drafts, and other materials.[19]