FoxPointe Security Hub

Proposed Risk Management Guidance for Third-Party Relationships

November 22, 2021

On July 13, 2021, the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC, and together with the Federal Reserve and the FDIC, the Agencies) requested comments on proposed interagency guidance on how banking organizations should manage the risk associated with their third-party relationships (the Proposed Guidance). Comments on the Proposed Guidance are due by October 17, 2021.

The Proposed Guidance would harmonize the third-party risk management expectations for banking organizations supervised by the FDIC, Federal Reserve and OCC. It represents a joint effort by the Agencies to respond to the continued and growing prevalence of relationships between banking organizations and third parties, including both traditional outsourcing relationships with service providers and partnership arrangements with financial technology (fintech) companies.

The proposed guidance indicates that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization. The proposed guidance is intended for all third-party relationships and is especially important for relationships that a banking organization relies on to a significant extent, relationships that entail greater risk and complexity, and relationships that involve critical activities as described in the proposed guidance.

The proposed guidance describes the third-party risk management life cycle and identifies principles applicable to each stage of the life cycle, including:

(1) Developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party;

(2) Performing proper due diligence in selecting a third party. Some important factors to consider and assess when performing due diligence include but are not limited to:

    - The third party’s financial condition
    - The third party’s information security posture
    - The third party’s ability to comply with applicable legal and regulatory requirements
    - The third party’s disaster resilience and incident monitoring practices

(3) Negotiating written contracts that articulate the rights and responsibilities of all parties. Some important factors to consider when negotiating contracts include but are not limited to:

    - The nature and scope of the arrangement, with details of the services to be provided
    - The right to audit
    - Limitations of liability
    - Requirements for compliance with laws and regulations

(4) Having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews;

(5) Conducting ongoing monitoring of the third party’s activities and performance; and

(6) Developing contingency plans for terminating the relationship in an effective manner.

We will continue to monitor this new proposal and how it may impact existing and potential third-party relationships, as well as the future of regulatory examinations. FoxPointe Solutions, a division of The Bonadio Group, is equipped and prepared to help your organization prepare for these requirements. We would be happy to answer any questions you may have or provide you with additional information.
