FoxPointe Security Hub

Proposed Risk Management Guidance for Third-Party Relationships

data security laptop

Risk Management Guidance

On July 13, 2021, the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC, and together with the Federal Reserve and the FDIC, the Agencies), requested comments on proposed interagency guidance on how banking organizations should manage the risk associated with their third-party relationships (the Proposed Guidance).  Comments on the Proposed Guidance are due by October 17, 2021.

As a result, the Proposed Guidance would harmonize the third-party risk management expectations for banking organizations supervised by the FDIC, Federal Reserve and OCC.  The Proposed Guidance represents a joint effort by the Agencies to respond to the continued and growing prevalence of relationships between banking organizations and third parties, including both traditional outsourcing relationships with service providers and partnership arrangements with financial technology (fintech) companies.

The proposed guidance indicates that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization. The proposed guidance is intended for all third-party relationships and is especially important for relationships that a banking organization relies on to a significant extent, relationships that entail greater risk and complexity, and relationships that involve critical activities as described in the proposed guidance.

The proposed guidance describes the third-party risk management life cycle and identifies principles applicable to each stage of the life cycle, including:

(1) Developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party;

(2) Performing proper due diligence in selecting a third party. Some important factors to consider and assess when performing due diligence include but are not limited to:

– The third party’s financial condition

– The third party’s information security posture

– The third party’s ability to comply with applicable legal and regulatory requirements

– The third party’s disaster resilience and incident monitoring practices

(3) Negotiating written contracts that articulate the rights and responsibilities of all parties. Some important factors to consider when negotiating contracts include but are not limited to:

– The nature and scope of the arrangement with details of the services to be provided

– The right to audit

– Limitations of liability

– Requirement for compliance with laws and regulations

(4) Having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews;

(5) Conducting ongoing monitoring of the third party’s activities and performance; and

(6) Developing contingency plans for terminating the relationship in an effective manner.

We will continue to monitor this new proposal and how it may have an impact on existing and potential third-party relationships, as well as the future of regulatory examinations. FoxPointe Solutions, which is a division of The Bonadio Group, is equipped and prepared to help your organization prepare for these requirements.  We would be happy to answer any questions you may have or provide you with additional information.