FFIEC guidance for managing third-party risk


with third parties, including technology companies, to serve a range of purposes. As with other third-party relationships, bank management should conduct due diligence to confirm that the third party can satisfactorily oversee and monitor the cloud service subcontractor.5 In many cases, independent reports, such as System and Organization Controls (SOC) reports, may be leveraged for this purpose.6 Screen-scraping can pose operational and reputation risks. Consider whether the third party has identified, and articulated a process to mitigate, areas of potential consumer harm, particularly in which the third party will have direct contact with the bank's customers, develop customer-facing documents, or provide new, complex, or unique products. Banks may outsource some or all aspects of their compliance management systems to third parties, so long as banks monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations. (Originally FAQ No. 12 from OCC Bulletin 2017-21). Contracts can protect the ability of the banking organization to change providers when appropriate without undue restrictions, limitations, or cost. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure. Many bank customers expect to use transaction accounts and credit, debit, or prepaid cards issued by their banks in mobile payment environments. OCC Bulletin 2013-29 includes information about the types of activities bank management should conduct regarding how the bank's third parties oversee and monitor subcontractors. Other banking organizations have relationships with third parties to enhance their operational and compliance infrastructure, including for areas such as fraud detection, anti-money laundering, and customer service. Validation reports should not be taken at face value.
The principles in OCC Bulletin 2013-29 are relevant when a bank uses a third-party model or uses a third party to assist with model risk management, as are the principles in OCC Bulletin 2011-12, Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management. Accordingly, third-party models should be incorporated into the bank's third-party risk management and model risk management processes. When banks enter into marketplace lending or servicing arrangements, the banks' customers may associate the marketplace lenders' products with those of the banks, thereby introducing reputation risk if the products underperform or harm customers. The goal is for the bank's risk management practices for each relationship to be commensurate with the level of risk and complexity of the third-party relationship. Clearly assigns all costs and obligations associated with transition and termination. When collaborating to meet responsibilities for managing a relationship with a common third-party service provider, what are some of the responsibilities that each bank still needs to undertake individually to meet the expectations in OCC Bulletin 2013-29? Obtain information regarding legally binding arrangements with subcontractors or other parties to determine whether the third party has indemnified itself, as such arrangements may transfer risks to the banking organization. The board should receive sufficient information to understand the bank's strategy for use of third parties to support products, services, and operations and understand key dependencies, costs, and limitations that the bank has with these third parties. Consider including indemnification clauses that specify the extent to which the banking organization will be held liable for claims that cite failure of the third party to perform, including failure of the third party to obtain any necessary intellectual property licenses.
Gain a clear understanding of the third party's business processes and technology that will be used to support the activity. The agencies request comment on the conclusion that the proposed guidance does not create a new or revise an existing information collection.

The proposed guidance is based on the OCC's existing third-party risk management guidance from 2013 and includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies. For the hearing impaired only, Telecommunications Device for the Deaf (TDD) users may contact (202) 263-4869.

Conducting due diligence on third parties before selecting and entering into contracts or relationships is an important risk management activity. Understand that such contracts and covenants may be subject, however, to the interpretation of foreign courts relying on local laws. Regardless of the division of control responsibilities between the cloud service provider and the bank, the bank is ultimately responsible for the effectiveness of the control environment. (Originally FAQ No. 10 from OCC Bulletin 2017-21). The agencies seek public comment on the extent to which the concepts discussed in the OCC's 2020 FAQs should be incorporated into the final version of the guidance. Banks may also outsource the process of engaging real estate appraisers to appraisal management companies. Agreements for banks' use of data aggregation services:8 A business arrangement exists when a bank contracts or partners with a data aggregator to use the data aggregator's services to offer or enhance a bank product or service. whether subcontractors have access to sensitive customer information. Any collaborative activities among banks must comply with antitrust laws. Understand the third party's metrics for its information systems and confirm that they meet the banking organization's expectations. Similarly, several sections of the proposed guidance provide information on possible procedures for addressing the treatment of subcontractors in contract negotiation, including the sections on Responsibilities for Providing, Receiving, and Retaining Information, Confidentiality and Integrity, and Subcontracting. The agencies have each adopted regulations setting forth Statements Clarifying the Role of Supervisory Guidance as guidance. The appropriate degree of ongoing monitoring is commensurate with the level of risk and complexity of the third-party relationship.
Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the banking organization and the third party in an expeditious manner, and whether the third party should continue to provide activities to the banking organization during the dispute resolution period. A contract may limit the third party's liability, in which case the banking organization may consider whether the proposed limit is in proportion to the amount of loss the banking organization might experience because of the third party's failure to perform or to comply with applicable laws, and whether the contract would subject the banking organization to undue risk of litigation. Some banking organizations have business arrangements with third parties to offer competitive and innovative financial products and services that otherwise would be difficult, cost-prohibitive, or time-consuming to develop in-house. The proposed guidance describes third-party relationships as business arrangements between a banking organization and another entity, by contract or otherwise. The data aggregator typically uses automated scripts to capture various data, which is then provided to the customer or a financial technology (fintech) application that serves the customer or some other business. Some companies do not allow banks to negotiate changes to their standard contract, do not share their business resumption and disaster recovery plans, do not allow site visits, or do not respond to a bank's due diligence questionnaire. TSP reports of examination are provided on a request basis. Banks can also rely on pooled audit reports, which are audits paid for by a group of banks that use the same company for similar products or services.
Effective risk management processes include assessing the risks of outsourcing due diligence when relying on the services of other banking organizations, utilities, consortiums, or other similar arrangements and assessment standards. A bank's customization choices should be documented and justified as part of the validation. When technology supports service delivery, assess the third party's data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests. whether subcontractors provide services for critical activities. Banking organization management is responsible for implementing third-party risk management.

Banking organizations are engaging in different types of relationships[6] Many third parties provide banks with reports of independent certifications or validations of the third-party model. Assess the banking organization's ability to oversee and manage its relationships; Highlight and discuss material risks and any deficiencies in the banking organization's risk management process with the board of directors and senior management; Carefully review the banking organization's plans for appropriate and sustainable remediation of such deficiencies, particularly those associated with the oversight of third parties that involve critical activities; Identify and report deficiencies in supervisory findings and reports of examination and recommend appropriate supervisory actions. What change or additional clarification, if any, would be helpful? It is important that management responds promptly and thoroughly to significant issues or concerns identified and escalates them to the board if the risk posed is approaching the banking organization's risk appetite limits. or engage in joint efforts for performing due diligence to meet its established assessment criteria. Does a company that provides a bank with cloud computing have a third-party relationship with the bank? Review the third party's processes for maintaining timely and accurate inventories of its technology and its subcontractor(s). Certain third parties, particularly those providing critical services, typically warrant significantly greater planning and consideration.

The banking organization's board of directors (or a designated board committee) and management are responsible for overseeing the banking organization's overall risk management processes. The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships. Evaluate the third party's fee structure and incentives to determine if the fee structure and incentives would create burdensome upfront or termination fees or result in inappropriate risk taking by the third party or the banking organization. Evaluate the third party's ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing. Determine whether the third party maintains an appropriate business continuity management program, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. Bank employees who directly manage third-party relationships escalate to senior management significant issues or concerns arising from ongoing monitoring, such as an increase in risk, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, service or system interruptions, or compliance lapses. Banks have collaborated with fintech companies in several ways to help meet the banking needs of underbanked or underserved consumers. could have significant customer impacts. In these situations, bank management is limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would, even if the third-party relationship involves or supports a bank's critical activities. Ongoing monitoring occurs after the third-party relationship is established and often leverages processes similar to due diligence.
Reflect the associated risks in the overall assessment of the banking organization's risk profile. The contract addresses the submission of sufficient, timely, and usable information to enable the banking organization to analyze customer complaint activity and trends for risk management purposes. Where problems are identified, the banking organization should seek to renegotiate at the earliest opportunity. Some banks categorize their third-party relationships by similar risk characteristics and criticality (e.g., information technology service providers; portfolio managers; catering, maintenance, and groundkeeper providers; and security providers). More specifically, management may consider the following: Whether the report, certificate, or scope of the audit is enough to determine if the third-party's control structure will meet the terms of the contract. The proposed guidance stresses the importance of a banking organization appropriately managing and evaluating the risks associated with each third-party relationship. Banks typically allow for the sharing of customer information, as authorized by the customer, with data aggregators to support customers' choice of financial services. See 12 CFR part 4, Appendix A to Subpart F (OCC); 12 CFR part 262, Appendix A (Board); 12 CFR part 302, Appendix A (FDIC). Where sensitive banking organization data may be accessible, review employee on- and off-boarding procedures to ensure physical access rights are managed appropriately. Performance and risk measures can be used to motivate the third party's performance, penalize poor performance, or reward outstanding performance. How can a bank reduce its oversight costs for lower-risk relationships?

When available, these reports can provide valuable information to the bank. OCC Bulletin 2013-29 states that a third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise. The Principles for Financial Market Infrastructures are international standards for payment systems, central securities depositories, securities settlement systems, central counterparties, and trade repositories. (Originally FAQ No. 14 from OCC Bulletin 2017-21). The agencies are seeking comment on the extent to which the concepts included in the OCC's 2020 FAQs should be incorporated into the final version of the guidance. Competition, advances in technology, and innovation in the banking industry contribute to banking organizations' increasing use of third parties to perform business functions, deliver support services, facilitate providing new products and services, or facilitate providing existing products and services in new ways. If it is the third party's responsibility, include provisions in the contract that provide for the third party to receive and respond in a timely manner to customer complaints, and forward a copy of each complaint and response to the banking organization. Assessing changes to the financial condition of third parties is an expectation of the ongoing monitoring stage of the life cycle. There is no one way for banks to structure their third-party risk management process. integrating the use of product and delivery channels into the bank's strategic planning process and ensuring consistency with the bank's internal controls, corporate governance, business plan, and risk appetite. ensure that contracts meet the bank's needs. See the definition of appropriate Federal banking agency in section 3(q) of the Federal Deposit Insurance Act for a list of banking organizations supervised by each agency.
The proposed guidance provides that a banking organization should, commensurate with its risk profile and consistent with safety and soundness principles and applicable laws and regulations, assess the information security program of third parties, including identifying, assessing, and mitigating known and emerging threats and vulnerabilities. Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where a banking organization has an ongoing relationship or may have responsibility for the associated records. The proposed supervisory guidance[1] Outlining the banking organization's contingency plans in the event the banking organization needs to transition the activity to another third party or bring it in-house. the terms third-party relationship and business arrangement. In what ways, if any, could the proposed guidance further address due diligence options, including those that may be more cost effective? Determine whether the contract: Additionally, effective contracts enable the banking organization to terminate the relationship upon reasonable notice and without penalty in the event that the banking organization's primary federal banking regulator formally directs the banking organization to terminate the relationship. Assess the third party's financial condition, including reviews of the third party's audited financial statements, annual reports, filings with the U.S. Securities and Exchange Commission (SEC), and other available financial information.
23, a SOC 1, type 2, report may be particularly useful, as standards of the American Institute of Certified Public Accountants require the auditor to determine and report on the effectiveness of the client's internal controls over financial reporting and associated controls to monitor relevant subcontractors.

Bank management typically designates an internal party to. To the extent the activities performed by the third party are subject to specific laws and regulations (e.g., privacy, information security, Bank Secrecy Act/anti-money laundering (BSA/AML), or fiduciary requirements). 11 in this bulletin for more information about a third party's subcontractors. In order to assess the scope of operational resilience capabilities, banks may review the third party's telecommunications redundancy and resilience plans and preparations for known and emerging threats and vulnerabilities, such as wide-scale natural disasters, pandemics, distributed denial of service attacks, or other intentional or unintentional events. For example, as explained in FAQ No. In what ways, if any, could the discussion of shared due diligence in the proposed guidance provide better clarity to banking organizations regarding third-party due diligence activities? Confirm that third parties have policies and procedures in place for identifying and removing employees who do not meet minimum background check requirements or are otherwise barred from working in the financial services sector. When using cloud computing services, bank management should have a clear understanding of, and should document in the contract, the controls that the cloud service provider is responsible for managing and those controls that the bank is responsible for configuring and managing.
Board: Nida Davis, Associate Director, (202) 872-4981; Timothy Geishecker, Lead Financial Institution and Policy Analyst, (202) 475-6353, Division of Supervision and Regulation; Jeremy Hochberg, Managing Counsel, (202) 452-6496; Matthew Dukes, Counsel, (202) 973-5096, Division of Consumer and Community Affairs; Claudia Von Pervieux, Senior Counsel, (202) 452-2552; Evans Muzere, Counsel, (202) 452-2621; Alyssa O'Connor, Senior Attorney, (202) 452-3886, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551. The term business arrangement is meant to be interpreted broadly and is synonymous with the term third-party relationship. What additional factors are relevant when the relationship involves a critical activity? An effective board oversees risk management implementation and holds management accountable. To what extent does the discussion of business arrangement in the proposed guidance provide sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate? This is particularly important for a bank's third-party relationships that support the bank's critical activities or for higher-risk third parties. The OCC issued the 2020 FAQs to clarify the OCC's 2013 third-party risk management guidance. Consider whether the third party's risk management processes align with applicable banking organization policies and expectations surrounding the activity. Include in contracts with foreign-based third parties choice-of-law provisions and jurisdictional provisions that provide for adjudication of all disputes between the parties under the laws of a single jurisdiction. Because almost all banks issue debit cards and offer transaction accounts, banks frequently participate in mobile payment environments even if they do not issue credit cards.
being prepared to address interruptions in delivery (e.g., use multiple payment systems, generators for power, and multiple telecom lines in and out of critical sites). Refer to OCC Bulletin 2001-12, Bank-Provided Account Aggregation Services: Guidance to Banks (national banks) for more information on direct relationships. The bank has a business arrangement with the party receiving the bank's referral. The proposed guidance would offer a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. If the contract would not satisfy the banking organization's needs or would result in an unacceptable increase in risk, the banking organization may wish to consider other third parties for the service.