Not every relationship involving critical activities is necessarily a critical third-party relationship. Some banks categorize their third-party relationships by similar risk characteristics and criticality (e.g., information technology service providers; portfolio managers; catering, maintenance, and groundkeeper providers; and security providers). When identified, banks should take appropriate steps to identify the source of these activities and conduct appropriate due diligence to gain reasonable assurance of controls for managing this process. For more information on types of audits and control reviews, refer to appendix B of the Internal and External Audits booklet of the Comptroller's Handbook.

Other banks have centralized the management of the process under their compliance, information security, procurement, or risk management functions. These third-party service providers also provide assistance to the banks and the banks' customers (for example, payment authentication, delivering payment account information to customers' mobile devices, assisting card networks in processing payment transactions, developing or managing mobile software (apps) or hardware, managing back-end servers, or deactivating stolen mobile phones). Evaluate whether the third party has insurance coverage for areas that may not be covered under a general commercial policy, such as its intellectual property rights and cybersecurity. These may include, among others: the Gramm-Leach-Bliley Act (including privacy and safeguarding of customer information); the Bank Secrecy Act and Anti-Money Laundering (BSA/AML) laws; the Office of Foreign Assets Control (OFAC) regulations; and consumer protection laws and regulations, including with respect to fair lending and unfair, deceptive or abusive acts or practices.
A bank may have a third-party relationship with a third party that has subcontracted with a cloud service provider to house systems that support the third-party service provider. Maintaining appropriate documentation throughout the life cycle.

Can a bank rely on a third party's Service Organization Control (SOC) report, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 (SSAE 18)? The agencies recognize the prevalence of the range of relationships between banking organizations and third parties. In meeting its due diligence and ongoing monitoring responsibilities, a bank may review a third party's SOC 1 report prepared in accordance with SSAE 18 to evaluate the third party's client(s)' internal controls over financial reporting, including policies, processes, and internal controls. As with any third-party relationship, management at banks involved with marketplace lenders should ensure the risk exposure is consistent with their boards' strategic goals, risk appetite, and safety and soundness objectives. Types of insurance coverage may include fidelity bond; cybersecurity; liability; property hazard and casualty; and intellectual property. Evaluate whether additional risks may arise from the third party's reliance on subcontractors and, as appropriate, conduct similar due diligence on the third party's critical subcontractors, such as when additional risk may arise due to concentration-related risk, when the third party outsources significant activities, or when subcontracting poses other material risks. Financial market utilities typically provide disclosures to explain how their businesses and operations reflect each of the applicable Principles for Financial Market Infrastructures.
Banks typically allow for the sharing of customer information, as authorized by the customer, with data aggregators to support customers' choice of financial services. Banks still have a responsibility, however, to manage these relationships in a safe and sound manner with consumer protections. Some fintech companies offer other ways for banks to partner with them. More comprehensive monitoring is typically necessary when the third-party relationship is higher risk (for example, involving critical activities). To address these risks, banks' due diligence of marketplace lenders should include consulting with the banks' appropriate business units, such as credit, compliance, finance, audit, operations, accounting, legal, and information technology.

The Office of the Comptroller of the Currency (OCC) issued frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance. These FAQs were intended to clarify the OCC's existing guidance and reflect evolving industry trends. Third-party relationships can include relationships with entities such as vendors, financial technology (fintech) companies, affiliates, and the banking organization's holding company. This risk assessment should be periodically updated throughout the relationship. For example, when critical activities are involved, such plans may be presented to and approved by a banking organization's board of directors (or a designated board committee). 14 in this bulletin for more information on bank reliance on reports, certificates of compliance, and independent audits provided by entities with which the bank has a third-party relationship. Robust compliance management includes appropriate testing, monitoring, and controls to ensure that compliance risks are understood and addressed.
Assess the third party's financial condition, including reviews of the third party's audited financial statements, annual reports, filings with the U.S. Securities and Exchange Commission (SEC), and other available financial information. In some instances, a banking organization may not be able to obtain the desired due diligence information from the third party. Subsequent significant contractual changes should prompt reevaluation of bank policies, processes, and risk management practices. As part of sound risk management, banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support critical activities. Critical activities are significant bank functions[13]

OCC: Kevin Greenfield, Deputy Comptroller for Operational Risk Division; Lazaro Barreiro, Director for Governance and Operational Risk Policy; Emily Doran, Governance and Operational Risk Policy Analyst; Stuart Hoffman, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, (202) 649-6550; or Tad Thompson, Counsel, or Eden Gray, Assistant Director, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219.

The use of third parties can offer banking organizations significant advantages, such as quicker and more efficient access to new technologies, human capital, delivery channels, products, services, and markets. Consider whether to allow the third party to use a subcontractor, and if so, address when and how the third party should notify or seek approval from the banking organization of its intent to use a subcontractor (for example, for certain activities or in certain locations) or whether specific subcontractors are prohibited by the banking organization. The bank has a business arrangement with the party receiving the bank's referral.
The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship. (Originally FAQ No. 2 from OCC Bulletin 2017-21.)

The agencies seek public comment on the extent to which the concepts discussed in the OCC's 2020 FAQs should be incorporated into the final version of the guidance. What would be the best way to incorporate the concepts? To what extent does the discussion of business arrangement in the proposed guidance provide sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate?

ensure that contracts meet the bank's needs.

A bank's customization choices should be documented and justified as part of the validation. Depending on the significance of the third-party relationship or whether the banking organization has a financial exposure to the third party, the banking organization's analysis may be as comprehensive as if it were extending credit to the third party.

could cause a bank to face significant risk if the third party fails to meet expectations.

Under Section 7(c) of the Bank Service Company Act, 12 U.S.C.

How can a bank offer products or services to underbanked or underserved segments of the population through a third-party relationship with a fintech company? Whether activities are performed internally or outsourced to a third party, a banking organization is responsible for ensuring that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.
A contract may limit the third party's liability, in which case the banking organization may consider whether the proposed limit is in proportion to the amount of loss the banking organization might experience because of the third party's failure to perform or to comply with applicable laws, and whether the contract would subject the banking organization to undue risk of litigation. When technology is a major component of the third-party relationship, review both the banking organization's and the third party's information systems to identify gaps in service-level expectations, technology, business process and management, or interoperability issues.

whether subcontractors provide services for critical activities.

Outlining the banking organization's contingency plans in the event the banking organization needs to transition the activity to another third party or bring it in-house. The bank may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party's overall financial stability. Some community banks have joined an alliance to create a standardized contract with their common third-party service providers and improve negotiating power.

2021-15308 Filed 7-16-21; 8:45 am

use of third-party assessment services in managing third-party relationship risks.

How should banks structure their third-party risk management process?

make sure completed work is incorporated into the bank's model risk management and third-party risk management processes.
As with other business arrangements, however, banks should gain a level of assurance that the data aggregator is managing sensitive bank customer information appropriately given the potential risk. The agencies are including the OCC's 2020 FAQs, released in March 2020, as an exhibit, separate from the proposed guidance. Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the banking organization and the third party in an expeditious manner, and whether the third party should continue to provide activities to the banking organization during the dispute resolution period. Confirm that the contract stipulates what constitutes default; identifies remedies and allows opportunities to cure defaults; and stipulates the circumstances and responsibilities for termination. The agencies seek to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management. Refer to the Federal Trade Commission and U.S. Department of Justice's Antitrust Guidelines for Collaborations Among Competitors. Review the third party's websites and other marketing materials related to the banking products or services to ensure that statements and assertions align with the banking organization's expectations and accurately represent the activities and capabilities of the third party. Banks should have the appropriate personnel, processes, and systems so that they can effectively monitor and control the risks inherent within the marketplace lending relationship.

Is a fintech company arrangement considered a critical activity? Data aggregators are entities that access, aggregate, share, or store consumer financial account and transaction data that they acquire through connections to financial services companies.
Third-party business arrangements may involve subcontracting arrangements, which can create a chain of service providers for a banking organization. As used in this bulletin, banks refers collectively to national banks, federal savings associations, and federal branches and agencies of foreign banking organizations. Bank management should determine the risks associated with each third-party relationship or category of relationship. When a bank can only obtain limited financial information, the bank should have contingency plans in case this third party experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities or services. Consider outlining cost and responsibility for purchasing and maintaining hardware and software and specifying the conditions under which the cost structure may be changed, including limits on any cost increases. (Originally FAQ No. 12 from OCC Bulletin 2017-21.)

Also consider reviewing the third party's service philosophies, quality initiatives, efficiency improvements, and employment policies and practices. Banks that have third-party relationships with financial market utilities can rely on these disclosures. To address these developments, many banking organizations, including smaller and less complex banking organizations, have adopted risk management practices commensurate with the level of risk and complexity of their third-party relationships. Consider whether the third party maintains adequate types and amounts of insurance (including, if appropriate, naming the banking organization as insured or additional insured), notifies the banking organization of material changes to coverage, and provides evidence of coverage where appropriate. This establishes a business arrangement between the bank and the individual appraiser.
In situations where it is difficult for a banking organization to negotiate contract terms, it is important for the banking organization to understand any resulting limitations, determine whether the contract can still meet the banking organization's needs, and determine whether the contract would result in increased risk to the banking organization. The Board, FDIC, and OCC (together, the agencies) invite comment on proposed guidance on managing risks associated with third-party relationships. Neither a written contract nor a monetary exchange is necessary to establish a business arrangement; all that is necessary is an agreement between the bank and the third party. Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each relationship. It is important that banking organization management properly document and report on its third-party risk management process and specific business arrangements throughout their life cycle. Stipulate whether and how often the banking organization and the third party will jointly test business continuity plans. (Originally FAQ No. 10 from OCC Bulletin 2017-21.)

12 U.S.C.

When using third-party service providers in mobile payment environments, banks are expected to act in a manner consistent with OCC Bulletin 2013-29. Conducting due diligence on third parties before selecting and entering into contracts or relationships is an important risk management activity. Many third-party models can be customized by a bank to meet its needs. Not all third-party relationships present the same level of risk. Assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle.
To the extent the activities performed by the third party are subject to specific laws and regulations (e.g., privacy, information security, Bank Secrecy Act/anti-money laundering (BSA/AML), or fiduciary requirements).

evaluate and track identified issues and ensure they are addressed.

Significant bank functions include any business line of a banking organization, including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. In particular, it is important for the contract to contain service level agreements and related services that can support the needs of the banking organization. This form of collaboration can help banks gain efficiencies in due diligence and ongoing monitoring.

Appraisers and appraisal management companies: Some banks maintain an approved panel or list of individual appraisers. A material or significant contract with a third party typically prohibits assignment, transfer, or subcontracting by the third party of its obligations to another entity without the banking organization's consent. In these examples, the fintech company is considered to have a third-party relationship with the bank that falls under the scope of OCC Bulletin 2013-29. These efforts may include research to confirm ownership and understand business practices of the firms; direct communication to learn security and governance practices; review of independent audit reports and assessments; and ongoing monitoring of data-sharing activities.
The OCC expects all banks to develop and maintain an effective compliance management system and provide fair access to financial services, ensure fair treatment of customers, and comply with consumer protection laws and regulations. Banks may take advantage of various tools designed to help them evaluate the controls of third-party service providers. What type of due diligence and ongoing monitoring should be applied to these companies? As part of due diligence and ongoing monitoring, bank management should determine whether a third party appropriately oversees and monitors its subcontractors. OCC Bulletin 2013-29 includes information about the types of activities bank management should conduct regarding how the bank's third parties oversee and monitor subcontractors. Conformity assessment with domestic or international standards can be considered with respect to the other areas of consideration during due diligence mentioned above. Consider whether any fees or incentives are subject to, and comply with, applicable law. OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during the due diligence stage of the life cycle before the banks have selected or entered into contracts or relationships with third parties. (Originally FAQ No. 8 from OCC Bulletin 2017-21.)

Because both the level and types of risks may change over the lifetime of third-party relationships, banking organizations adapt their ongoing monitoring practices accordingly.

could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.

Third-party risk management for cloud computing services is fundamentally the same as for other third-party relationships.
An effective contract provision includes the types and frequency of audit reports the banking organization is entitled to receive from the third party (for example, SOC reports, Payment Card Industry (PCI) compliance reports, and other financial and operational reviews). What change or additional clarification, if any, would be helpful? How could the proposed guidance be enhanced to provide more clarity on conducting due diligence for subcontractor relationships? Evaluate whether the third party has sufficient physical and environmental controls to protect the safety and security of its facilities, technology systems, data, and employees. Such examinations may evaluate safety and soundness risks, the financial and operational viability of the third party, the third party's ability to fulfill its contractual obligations and comply with applicable laws and regulations, including those related to consumer protection (including with respect to fair lending and unfair or deceptive acts or practices), and BSA/AML and OFAC laws and regulations. What type of due diligence and ongoing monitoring should be conducted when a bank enters into a contractual arrangement in which the bank has limited negotiating power? The absence of a direct relationship with a subcontractor can affect the banking organization's ability to assess and control risks inherent in parts of the supply chain. Bank management should understand and evaluate the results of validation and risk control activities that are conducted by third parties.
Reserve the right to terminate the contract with the third party without penalty if the third party's subcontracting arrangements do not comply with the terms of the contract. When a bank uses a third-party utility, it has a business arrangement with the utility, and the utility should be incorporated into the bank's third-party risk management process. Collaboration can result in increased negotiating power and lower costs to banks during the contract negotiation phase of the risk management life cycle. Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where a banking organization has an ongoing relationship or may have responsibility for the associated records. Determine whether the third party has the necessary licenses to operate and the expertise, processes, and controls to enable the banking organization to remain compliant with domestic and international laws and regulations. Like products and services may, however, present a different level of risk to each bank that uses those products or services, making collaboration a useful tool but insufficient to fully meet the bank's responsibilities under OCC Bulletin 2013-29. The scope of due diligence and the due diligence method should vary based on the level of risk of the third-party relationship. In other words, the SOC 1 type 2 report will address the question as to whether the third party has effective oversight of its subcontractors. Bank management should periodically conduct an outcomes analysis of the third-party model's performance using the bank's own outcomes.
Use of such external services does not abrogate the responsibility of the board of directors to decide on matters related to third-party relationships involving critical activities or the responsibility of management to handle third-party relationships in a safe and sound manner and consistent with applicable laws and regulations. Banks can request TSP reports of examination through the banks' respective OCC supervisory office. (Originally FAQ No. 3 in OCC Bulletin 2017-21.)

Legal counsel review may be necessary for significant contracts prior to finalization. Gain a clear understanding of the third party's business processes and technology that will be used to support the activity. OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during due diligence and ongoing monitoring. Seek legal advice to confirm the enforceability of all aspects of a proposed contract with a foreign-based third party and other legal ramifications of each such business arrangement, including privacy laws and cross-border flow of information. Evaluate the third party's ownership structure (including any beneficial ownership, whether public or private, foreign or domestic ownership) and its legal and regulatory compliance capabilities.
In conducting due diligence and ongoing monitoring, bank management may obtain and review various reports (e.g., reports of compliance with service-level agreements, reports of independent reviewers, certificates of compliance with International Organization for Standardization (ISO) standards,[12] or SOC reports).[13] The person reviewing the report, certificate, or audit should have enough experience and expertise to determine whether it sufficiently addresses the risks associated with the third-party relationship. The agencies generally have the authority to examine and to regulate banking-related functions or operations performed by third parties for a banking organization to the same extent as if they were performed by the banking organization itself. Bank management then applies different standards for due diligence, contract negotiation, and ongoing monitoring based on the risk profile of the category. A prudent banking organization appropriately manages its third-party relationships, including addressing consumer protection, information security, and other operational risks. Third parties can fail to manage their subcontractors with the same rigor that the bank would have applied if it had engaged the subcontractor directly.

How can a bank reduce its oversight costs for lower-risk relationships? Prohibit the use and disclosure of the banking organization's information by a third party and its subcontractors, except as necessary to provide the contracted activities or comply with legal requirements. The level of due diligence and ongoing monitoring, however, may differ for, and should be specific to, each third-party relationship.
Bank management should determine the third party's ability to identify and control risks from its use of subcontractors and to determine if the subcontractor's quality of operations is satisfactory and if the subcontractor has sufficient controls no matter where the subcontractor's operations reside. If third parties provide input data or assumptions, the relevance and appropriateness of the data or assumptions should be validated.

whether subcontractors have access to sensitive customer information.

Confirm that the third party regularly tests its operational resilience in an appropriate format and frequency. Assess the third party's information security program. Banks should expect the third party to conduct ongoing performance monitoring and outcomes analysis of the model, disclose results to the bank, and make appropriate modifications and updates to the model over time, if applicable. Banking organization management is responsible for implementing third-party risk management. Key areas of consideration for ongoing monitoring may include. To what extent would changing the terms used in explaining matters involving subcontractors (for example, fourth parties) enhance the understandability and effectiveness of this proposed guidance?
The American Institute of Certified Public Accountants has developed cloud-specific SOC reports based on the framework advanced by the Cloud Security Alliance. Assess the third party's change management processes, including to ensure that clear roles, responsibilities, and segregation of duties are in place. As with other third-party relationships, bank management should conduct due diligence to confirm that the third party can satisfactorily oversee and monitor the cloud service subcontractor.[5] In many cases, independent reports, such as System and Organization Controls (SOC) reports, may be leveraged for this purpose.[6]