The scope of due diligence and the due diligence method should vary based on the level of risk of the third-party relationship.
As with other third-party relationships, bank management should conduct due diligence to confirm that the third party can satisfactorily oversee and monitor the cloud service subcontractor. In many cases, independent reports, such as System and Organization Controls (SOC) reports, may be leveraged for this purpose.

What collaboration opportunities exist to address cyber threats to banks as well as to their third-party relationships?

Due diligence will include assessing a third party's ability to perform the activity as expected, adhere to a banking organization's policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner.
Confirming that risks related to third-party relationships are managed in a manner consistent with the banking organization's strategic goals and risk appetite;
Approving the banking organization's policies that govern third-party risk management;
Approving, or delegating to an appropriate committee reporting to the board, approval of contracts with third parties that involve critical activities;
Reviewing the results of management's ongoing monitoring of third-party relationships involving critical activities;
Confirming that management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring; and
Also consider reviewing the third party's service philosophies, quality initiatives, efficiency improvements, and employment policies and practices.

For some third-party relationships, such as those with cloud providers that distribute data across several physical locations, on-site audits could be inefficient and costly.

More specifically, management may consider the following: whether the report, certificate, or scope of the audit is enough to determine if the third party's control structure will meet the terms of the contract.

Can a bank rely on reports, certificates of compliance, and independent audits provided by entities with which it has a third-party relationship?

A SOC 1, type 2, report may be particularly useful, as standards of the American Institute of Certified Public Accountants require the auditor to determine and report on the effectiveness of the client's internal controls over financial reporting and associated controls to monitor relevant subcontractors.

The banking organization seeks to add provisions to satisfy its needs.

Mere involvement in a critical activity does not necessarily make a third party a critical third party.
Consider whether a third party periodically conducts thorough background checks on its senior management and employees, as well as on subcontractors, who may have access to critical systems or confidential information.

[12] conduct ongoing monitoring on third parties in a manner and with a frequency commensurate with the risk to the bank from the third-party relationship.

Stipulate the frequency and type of reports needed.

Federal Deposit Insurance Corporation.

Consider the consistency of the third party's information security program with the banking organization's program, and whether there are gaps that present risk to the banking organization.

Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

What type of due diligence and ongoing monitoring should be applied to these companies?

FDIC: You may submit comments, identified by FDIC RIN 3064-ZA26, by any of the following methods:

OCC: Commenters are encouraged to submit comments through the Federal eRulemaking Portal.

Some community banks have joined an alliance to create a standardized contract with their common third-party service providers and improve negotiating power.

The OCC issued the 2020 FAQs to clarify the OCC's 2013 third-party risk management guidance and discuss evolving industry topics.
Proposed interagency guidance and request for comment.

Any collaborative activities among banks must comply with antitrust laws.

Contracts describe compensation, fees, and calculations for base services, as well as any fees based on volume of activity and for special requests.

Generally, a third-party contract includes provisions for periodic, independent, internal, or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the banking organization's in-house functions to monitor performance with the contract.

It is important that management responds promptly and thoroughly to significant issues or concerns identified and escalates them to the board if the risk posed is approaching the banking organization's risk appetite limits.

A vendor is typically an individual or company offering something for sale, and banks may outsource a bank function or task to another company.

Periodic board reporting is essential to ensure that board responsibilities are fulfilled.

on ensure that contracts meet the bank's needs.
In meeting its due diligence and ongoing monitoring responsibilities, a bank may review a third party's SOC 1 report prepared in accordance with SSAE 18 to evaluate the third party's client(s)' internal controls over financial reporting, including policies, processes, and internal controls.

Detail contractual obligations, such as reporting on the subcontractor's conformance with performance measures, periodic audit results, compliance with laws and regulations, and other contractual obligations.

The bank has a business arrangement with the party receiving the bank's referral.

By differentiating its third-party service providers by category, risk profile, or criticality, the bank may be able to gain efficiencies in due diligence, contract negotiation, and ongoing monitoring.

There is no such requirement or expectation in OCC Bulletin 2013-29.

In what ways, if any, could the proposed guidance provide better clarity to banking organizations conducting due diligence, including working with utilities, consortiums, or standard-setting organizations?
What other practices or principles regarding subcontractors should be addressed in the proposed guidance?

How should a bank handle third-party risk management when obtaining alternative data from a third party?

The compensation may also be non-financial, such as cross-marketing.

The Board, FDIC, and OCC each have issued guidance for their respective supervised banking organizations addressing third-party relationships and appropriate risk management practices: The Board's 2013 guidance,[3]

To what extent does the discussion of business arrangement in the proposed guidance provide sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate?

Refer to OCC Bulletin 2003-12, Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing: Revised Guidelines on Internal Audit and its Outsourcing.

A bank's policies regarding the extent of due diligence, contract negotiation, and ongoing monitoring for third-party relationships should show differences that correspond to different levels of risk.

To demonstrate its oversight of its subcontractors, a third party may provide a bank with independent reports or certifications.

As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs.

As part of ongoing monitoring, bank management should periodically assess existing third-party relationships to determine whether the nature of the activity performed constitutes a critical activity.
If available, consider reviewing System and Organization Control (SOC) reports and whether these reports contain sufficient information to assess the third party's risk or whether additional scrutiny is required through an assessment or audit by the banking organization or other third party at the banking organization's request.

Does OCC Bulletin 2013-29 apply when a bank engages a third party to provide bank customers the ability to make mobile payments using their bank accounts, including debit and credit cards?

Include in contracts with foreign-based third parties choice-of-law provisions and jurisdictional provisions that provide for adjudication of all disputes between the parties under the laws of a single jurisdiction.

risk management when using a third-party model or when using a third party to assist with model risk management.

Federal savings associations are subject to similar requirements set forth in 12 U.S.C.

Additional information is available in the Interagency Sound Practices to Strengthen Operational Resilience. The OCC issued Sound Practices as part of Bulletin 2020-94 on October 30, 2020; The Board issued Sound Practices with SR Letter 20-24 on November 2, 2020; and.

See the definition of appropriate Federal banking agency in section 3(q) of the Federal Deposit Insurance Act for a list of banking organizations supervised by each agency.

State whether and how the third party has the right to use the banking organization's information, technology, and intellectual property, such as the banking organization's name, logo, trademark, metadata, and copyrighted material.

Assess the third party's change management processes, including to ensure that clear roles, responsibilities, and segregation of duties are in place.
Evaluate whether the third party has fidelity bond coverage to insure against losses attributable to, at a minimum, dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents.

Some smaller and less complex banking organizations have expressed concern that they are expected to institute third-party risk management practices that they perceive to be more appropriate for larger and more complex banking organizations.

Assess options to employ if a third party's ability to deliver operations is impaired.

To what extent does the guidance provide sufficient utility, relevance, comprehensiveness, and clarity for banking organizations with different risk profiles and organizational structures?

location of subcontractors and bank data.

[16] Banks may also outsource the process of engaging real estate appraisers to appraisal management companies.
could have significant bank customer impact.

In what areas should the level of detail be increased or reduced?

Effective monitoring activities enable banking organizations to confirm the quality and sustainability of the third party's controls and ability to meet service-level agreements (for example, ongoing review of third-party performance metrics).

Address the powers of each party to change security and risk management procedures and requirements and resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party.

The proposed guidance is intended to provide principles that are useful for a banking organization of any size or complexity and uses the concept of critical activities to help banking organizations scale the nature of their risk management activities.

In these cases, the level of risk for banks is typically lower than with more traditional business arrangements.

Dated at Washington, DC, on July 12, 2021.

What additional information should the proposed guidance provide regarding a banking organization's assessment of a third party's information security and regarding information security risks involved with engaging a third party?
Could cause a banking organization to face significant risk if the third party fails to meet expectations; require significant investment in resources to implement the third-party relationship and manage the risk; or.

The due diligence process also provides management with the information needed to determine whether a relationship mitigates identified risks or poses additional risk.

More specifically, the agencies seek public comment on whether: (1) Any of those concepts should be incorporated into the final guidance; and (2) there are additional concepts that would be helpful to include.

Interested parties are encouraged to submit written comments to any or all agencies listed below.

Confirm that the contract sufficiently addresses: The contract often establishes the banking organization's right to audit, monitor performance, and provide for remediation when issues are identified.

This establishes a business arrangement between the bank and the individual appraiser.

implementing information technology controls at the bank.

on reliance on and use of third party-provided reports, certificates of compliance, and independent audits.

Proper documentation and reporting facilitate the accountability, monitoring, and risk management associated with third parties, will vary among organizations depending on their size and complexity, and may include the following:

Ongoing monitoring is an essential component of third-party risk management, occurring throughout the duration of a third-party relationship.

A banking organization can be exposed to substantial financial loss if it fails to manage appropriately the risks associated with third-party relationships.

This form of collaboration can help banks gain efficiencies in due diligence and ongoing monitoring.
The proposed guidance is based on the OCC's existing third-party risk management guidance from 2013 and includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies.
For example, banking organizations may be able to collaborate when performing due diligence, negotiating contracts, and performing ongoing monitoring.

For credit risk management, for example, banks should have adequate loan underwriting guidelines, and management should ensure that loans are underwritten to these guidelines.

Collaboration may facilitate banking organizations' due diligence of particular third-party relationships by sharing expertise and resources.

Capabilities, resources, and the time frame required to transition the activity while still managing legal, regulatory, customer, and other impacts that might arise;
Potential third-party service providers to which the services could be transitioned;
Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party relationship;
Handling of joint intellectual property developed during the course of the business arrangement; and
If a bank considers these activities to be low risk, management should refer to FAQ No. During due diligence and before signing a contract, bank management should assess the risks posed by the relationship and understand the third party's risk management and control environment.
For example, consider whether or not SOC reports from the third party include within their coverage the internal controls and operations of subcontractors of the third party that support the delivery of services to the banking organization. Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each relationship.
If a banking organization uncovers information that warrants additional scrutiny, the banking organization should consider broadening the scope or assessment methods of the due diligence as needed.

Is a fintech company arrangement considered a critical activity?

Reviews include assessing the adequacy of the banking organization's process for: The results of independent reviews may be used to determine whether and how to adjust the banking organization's third-party risk management process, including policy, reporting, resources, expertise, and controls.

A current inventory of all third-party relationships, which clearly identifies those relationships that involve critical activities and delineates the risks posed by those relationships across the banking organization;
Approved plans for the use of third-party relationships;
Due diligence results, findings, and recommendations;
Analysis of costs associated with each activity or third-party relationship, including any indirect costs assumed by the banking organization;
Regular risk management and performance reports required and received from the third party, which may include reports on service level reporting, internal control testing, cybersecurity risk and vulnerabilities metrics, results of independent reviews and other ongoing monitoring activities; and

8 from OCC Bulletin 2017-21).

make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants.

could have major impact on bank operations if the bank has to find an alternative third party or if the outsourced activities have to be brought in-house.

371c and 12 U.S.C.
Use of such external services does not abrogate the responsibility of the board of directors to decide on matters related to third-party relationships involving critical activities or the responsibility of management to handle third-party relationships in a safe and sound manner and consistent with applicable laws and regulations.
A banking organization typically considers the following factors, among others, for ongoing monitoring of a third party:

A banking organization may terminate a relationship for various reasons specified in the contract, such as expiration of or dissatisfaction with the contract, a desire to seek an alternate third party, a desire to bring the activity in-house or discontinue the activity, or a breach of contract.

In particular, to what extent is the level of detail in the guidance's examples helpful for banking organizations as they design and evaluate their third-party risk-management practices?

The proposed guidance provides examples of third-party relationships, including use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which a banking organization has an ongoing relationship or may have responsibility for the associated records.
Identifying and assessing the risks associated with the business arrangement and commensurate steps for appropriate risk management;
Understanding the strategic purpose of the business arrangement and how the arrangement aligns with a banking organization's overall strategic goals, objectives, risk appetite, and broader corporate policies;
Considering the complexity of the business arrangement, such as the volume of activity, potential for subcontractor(s), the technology needed, and the likely degree of foreign-based third-party activities;
Evaluating whether the potential financial benefits outweigh the estimated costs (including estimated direct contractual costs as well as indirect costs to augment or alter banking organization processes, systems, or staffing to properly manage the third-party relationship or to adjust or terminate other existing contracts);
Considering how the third-party relationship could affect other strategic banking organization initiatives, such as large technology projects, organizational changes, mergers, acquisitions, or divestitures;
Evaluating how the third-party relationship could affect banking organization employees, including dual employees.

Banks may engage with a number of information-sharing organizations to better understand cyber threats to their own institutions as well as to the third parties with whom they have relationships.

2 from OCC Bulletin 2017-21).
Screen-scraping can pose operational and reputation risks.

In assessing the financial condition of a start-up or less established fintech company, the bank may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party's overall financial stability.

This guidance is relevant for all third-party relationships, including situations in which a supervised banking organization provides services to another supervised banking organization.

Risks to the banking organization if the termination happens as a result of the third party's inability to meet expectations.

Some fintech companies offer other ways for banks to partner with them.

What would be the best way to incorporate the concepts?
The agencies seek public comment on the extent to which the concepts discussed in the OCC's 2020 FAQs should be incorporated into the final version of the guidance.

The agencies seek to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management.
Third-party relationships can include relationships with entities such as vendors, financial technology (fintech) companies, affiliates, and the banking organization's holding company.

1867(c), banks are required to notify the appropriate federal banking agency of the existence of a servicing relationship.

Contracts often require the third party to provide the banking organization with operating procedures to be carried out in the event business continuity plans are implemented, including specific recovery time and recovery point objectives.

Additionally, ongoing monitoring typically includes the regular testing of the banking organization's controls to manage risks from third-party relationships, particularly when critical activities are involved.

Specification of the type and frequency of management information reports to be received from the third party, where appropriate.

Some banks assign a criticality or risk level to each third-party relationship, whereas others identify critical activities and those third parties associated with the critical activities.

While third parties may initially offer a standard contract, banks may request additional contract provisions or addendums.

The proposed supervisory guidance[1]

Some individual bank-specific responsibilities include defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service), as well as.
OCC Bulletin 2013-29 states that the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities.

or other activities that:

Effective third-party risk management generally follows a continuous life cycle for all relationships and incorporates the following principles applicable to all stages of the life cycle: Before entering into a third-party relationship, banking organizations evaluate the types and nature of risks in the relationship and develop a plan to manage the relationship and its related risks.

If the third party receives a banking organization's customers' personally identifiable information, the contract should ensure that the third party implements and maintains appropriate security measures to comply with privacy regulations and regulatory guidelines.

In some instances, a banking organization may not be able to obtain the desired due diligence information from the third party.

3501-3521) (PRA) states that no agency may conduct or sponsor, nor is the respondent required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.

Confirm that the contract gives the banking organization the right to monitor the third party's compliance with applicable laws, regulations, and policies, conduct periodic reviews to verify adherence to expectations, and require remediation if issues arise.

Affiliate relationships are also subject to sections 23A and 23B of the Federal Reserve Act (12 U.S.C.

whether subcontractors provide services for critical activities.