In June 2023, the Board of Governors of the Federal Reserve System (the Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued uniform guidance on managing risks associated with third-party relationships in banking organizations.
Interagency Guidance on Third-Party Relationships: Risk Management is based on the OCC’s 2013 guidance and 2020 FAQs. It replaces each agency’s existing guidance on third-party relationships and applies to all banking organizations supervised by the agencies. The goal of the guidance is to bring uniformity and consistency to how banking organizations develop and enforce risk management principles as they relate to third-party relationships.
The guidance expects banking organizations to:

- Develop a plan that outlines the organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the organization will identify, assess, select, and oversee the third party
- Perform proper due diligence in selecting a third party
- Negotiate written contracts that articulate the rights and responsibilities of all parties
- Have the board of directors and management oversee the organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews
- Conduct ongoing monitoring of the third party’s activities and performance
- Develop contingency plans for terminating the relationship in an effective manner
Align Your TPRM Program with Interagency Guidance
The Interagency Guidance on Third-Party Relationships: Best Practices Guide examines the requirements that organizations should address at each stage of a third-party relationship.
Meeting Interagency Guidance on Third-Party Relationships Requirements
Here's how Prevalent can help you address third-party risk management requirements in the Guidance:
| Guidance | How We Help |
|---|---|
| C. Third-Party Relationship Lifecycle “Effective third-party risk management generally follows a continuous life cycle for third-party relationships ... The degree to which the examples of considerations discussed in this guidance are relevant to each banking organization is based on specific facts and circumstances and these examples may not apply to all of a banking organization’s third-party relationships ...” | |
| 1. Planning “As part of sound risk management, effective planning allows a banking organization to evaluate and consider how to manage risks before entering into a third-party relationship. Certain third parties, such as those that support a banking organization’s higher-risk activities, including critical activities, typically warrant a greater degree of planning and consideration. For example, when critical activities are involved, plans may be presented to and approved by a banking organization’s board of directors (or a designated board committee) …” | As part of the process to establish or refine your third-party risk management program, consider: Each of these items is critical to building a comprehensive TPRM program plan. |
| 2. Due Diligence and Third-Party Selection “Conducting due diligence on third parties before selecting and entering into third-party relationships is an important part of sound risk management. It provides management with the information needed about potential third parties to determine if a relationship would help achieve a banking organization’s strategic and financial goals. The due diligence process also provides the banking organization with the information needed to evaluate whether it can appropriately identify, monitor, and control risks associated with the particular third-party relationship. Due diligence includes assessing the third party’s ability to: perform the activity as expected, adhere to a banking organization’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner …” | Assess and monitor third parties based on the extent of threats to information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include: From this inherent risk assessment, your team can automatically tier third parties, set appropriate levels of subsequent due diligence, and determine the scope of ongoing assessments. Rule-based tiering logic enables third-party categorization using a range of data interaction, financial, regulatory and reputational considerations. |
| a. Strategies and Goals “Review the third party’s overall business strategy and goals to consider how the third party’s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, partnerships, joint ventures, or joint marketing initiatives) may affect the activity. Also consider reviewing the third party’s service philosophies, quality initiatives, efficiency improvements, and employment policies and practices. Consider whether the selection of a third party is consistent with a banking organization’s broader corporate policies and practices, including its diversity policies and practices […]” | Continuously track and analyze external threats to third parties by monitoring public and private sources of reputational, sanctions and financial information. Correlate all monitoring data to assessment results and centralize it in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. Monitoring sources should include: |
| b. Legal and Regulatory Compliance “A review of any legal and regulatory compliance considerations associated with engaging a third party allows a banking organization to evaluate whether it can appropriately mitigate risks associated with the third-party relationship ...” | As you evaluate a third party, build a centralized third-party profile that includes demographic information, beneficial ownership, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, recent regulatory findings, and financial performance. Options include analyzing the sources of this data separately or integrating them into a single view that is extensible to multiple internal teams. |
| c. Financial Condition “An assessment of a third party’s financial condition through review of available financial information, including audited financial statements, annual reports, and filings with the U.S. Securities and Exchange Commission (SEC), among others, helps a banking organization evaluate whether the third party has the financial capability and stability to perform the activity …” | Leverage a global database of millions of businesses’ financial information, including organizational changes and financial performance, turnover, profit and loss, shareholder funds, etc. Your team can analyze the sources of this data separately by downloading financial statements, or integrate financial analysis into a broader risk assessment strategy. |
| f. Risk Management “Appropriate due diligence includes an evaluation of the effectiveness of a third party’s overall risk management, including policies, processes, and internal controls, and alignment with applicable policies and expectations of the banking organization surrounding the activity …” “When relevant and available, a banking organization may consider reviewing System and Organization Control (SOC) reports and any conformity assessment or certification by independent third parties related to relevant domestic or international standards. In such cases, the banking organization may also consider whether the scope and the results of the SOC reports, certifications, or assessments are relevant to the activity to be performed or suggest that additional scrutiny of the third party or any of its contractors may be appropriate.” | Automate risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle. Results of assessments and continuous monitoring should be collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks. For third parties that submit a SOC 2 report instead of a completed third-party risk assessment, map control gaps identified within the SOC 2 report, create risk items against the third party within a central assessment platform, and track and report against deficiencies along with other risks. |
| g. Information Security “Understanding potential information security implications, including access to a banking organization’s systems and information, can help a banking organization decide whether or not to engage with a third party. Due diligence in this area typically involves assessing the third party’s information security program, including its consistency with the banking organization’s information security program, such as its approach to protecting the confidentiality, integrity, and availability of the banking organization’s data. It may also involve determining whether there are any gaps that present risk to the banking organization or its customers and considering the extent to which the third party applies controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption, and secure source code management. It also aids a banking organization when determining whether the third party keeps informed of, and has sufficient experience in identifying, assessing, and mitigating, known and emerging threats and vulnerabilities. As applicable, assessing the third party’s data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests, can provide valuable information regarding information technology system vulnerabilities. Finally, due diligence can help a banking organization evaluate the third party’s implementation of effective and sustainable corrective actions to address any deficiencies discovered during testing.” | Conduct third-party cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management and automated evidence review capabilities. Then, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases. Correlate all monitoring data to assessment results and centralize it in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. As noted above, you can then apply built-in workflow to triage and address risks through remediation recommendations. |
| i. Operational Resilience “An assessment of a third party’s operational resilience practices supports a banking organization’s evaluation of a third party’s ability to effectively operate through and recover from any disruption or incidents, both internal and external. Such an assessment is particularly important where the impact of such disruption could have an adverse effect on the banking organization or its customers, including when the third party interacts with customers. It is important to assess options to employ if the third party’s ability to perform the activity is impaired and to determine whether the third party maintains appropriate operational resilience and cybersecurity practices, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data ...” | Automate the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity using a comprehensive business resilience assessment based on the ISO 22301 standard. This approach will enable your team to: This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements. |
| j. Incident Reporting and Management Programs “Review and consideration of a third party’s incident reporting and management processes is helpful to determine whether there are clearly documented processes, timelines, and accountability for identifying, reporting, investigating, and escalating incidents. Such review assists in confirming that the third party’s escalation and notification processes meet the banking organization’s expectations and regulatory requirements.” | Consider structuring and benchmarking your third-party incident management on one of the following industry standard frameworks: Key components of your third-party incident reporting should include: |
| l. Reliance on Subcontractors “An evaluation of the volume and types of subcontracted activities and the degree to which the third party relies on subcontractors helps inform whether such subcontracting arrangements pose additional or heightened risk to a banking organization. This typically includes an assessment of the third party’s ability to identify, manage, and mitigate risks associated with subcontracting, including how the third party selects and oversees its subcontractors and ensures that its subcontractors implement effective controls. Other important considerations include whether additional risk is presented by the geographic location of a subcontractor or dependency on a single provider for multiple activities.” | Identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Third parties discovered through this process are continuously monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening. This approach provides insights to address potential technology or geographic concentration risk. |
| 3. Contract Negotiation “When evaluating whether to enter into a relationship with a third party, a banking organization typically determines whether a written contract is needed, and if the proposed contract can meet the banking organization’s business goals and risk management needs. After such determination, a banking organization typically negotiates contract provisions that will facilitate effective risk management and oversight and that specify the expectations and obligations of both the banking organization and the third party. A banking organization may tailor the level of detail and comprehensiveness of such contract provisions based on the risk and complexity posed by the particular third-party relationship ...” | Centralize the distribution, discussion, retention, and review of third-party contracts so that all applicable teams can participate in contract reviews and ensure the appropriate clauses are included and managed. Key practices to consider in managing third-party contracts include: Ensuring sound contract lifecycle management will enable the organization to effectively: |
| b. Performance Measures or Benchmarks “For certain relationships, clearly defined performance measures can assist a banking organization in evaluating the performance of a third party. In particular, a service-level agreement between the banking organization and the third party can help specify the measures surrounding the expectations and responsibilities for both parties, including conformance with policies and procedures and compliance with applicable laws and regulations. Such measures can be used to monitor performance, penalize poor performance, or reward outstanding performance. It is important to negotiate performance measures that do not incentivize imprudent performance or behavior, such as encouraging processing volume or speed without regard for accuracy, compliance requirements, or adverse effects on the banking organization or customers.” | During the contract negotiation phase of the third-party lifecycle, include enforceable service level agreements (SLAs), key performance indicators (KPIs) and key risk indicators (KRIs) in third-party contracts, assign owners, and continually track progress toward achieving those measures. It is important to determine the difference between KPIs and KRIs and understand how they are related. When it comes to measuring KPIs and KRIs, categorize them like this: Then, be sure to tie results back to contract provisions to provide complete governance over the process. |
| 4. Ongoing Monitoring “Ongoing monitoring enables a banking organization to: (1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and (3) respond to such significant issues or concerns when identified ...” “Effective third-party risk management includes ongoing monitoring throughout the duration of a third-party relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party ...” “Ongoing monitoring may be conducted on a periodic or continuous basis, and more comprehensive or frequent monitoring is appropriate when a third-party relationship supports higher-risk activities, including critical activities. Because both the level and types of risks may change over the lifetime of third-party relationships, banking organizations may adapt their ongoing monitoring practices accordingly, including changes to the frequency or type of information used in monitoring ...” | Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Monitoring sources should include: Correlate all monitoring data to assessment results and centralize it in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. |
| 5. Termination “A banking organization may terminate a relationship for various reasons, such as expiration or breach of the contract, the third party’s failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bring the activity in-house, or discontinue the activity. When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued ...” | Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure. |
| D. Governance “There are a variety of ways for banking organizations to structure their third-party risk management processes. Some banking organizations disperse accountability for their third-party risk management processes among their business lines. Other banking organizations may centralize the processes under their compliance, information security, procurement, or risk management functions. Regardless of how a banking organization structures its process, the following practices are typically considered throughout the third-party risk management life cycle, commensurate with risk and complexity.” | To address third-party risk management program governance requirements, look for a TPRM platform that automates the workflows required to onboard third parties and to identify, assess, manage, continuously monitor and remediate third-party security, privacy, compliance, operational, and procurement/supply chain-related risks across every stage of the vendor lifecycle. A comprehensive solution that unifies the management of multiple risk types for the benefit of cross-functional teams will reduce costs, enable easier compliance reporting, and reduce the risk of gaps in controls. |
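The rule-based inherent-risk tiering described under Due Diligence (section 2) and the likelihood/impact heat map described under Risk Management (section f) can be expressed as a small scoring model. The following is an added illustration, not Prevalent's product logic or anything prescribed by the guidance: the four criteria are taken from the considerations named in the table, but the 0..3 scale, the tier thresholds, the 5x5 heat-map buckets and the per-tier due-diligence scopes are constructed assumptions.

```python
"""Rule-based inherent-risk tiering and likelihood/impact heat-map
categorisation for third parties. Illustrative model: scales, thresholds
and scopes below are assumptions, not the guidance's or any vendor's."""
from dataclasses import dataclass

# Assumed inherent-risk criteria, each scored 0 (none) .. 3 (high) at intake.
CRITERIA = ("data_interaction", "financial", "regulatory", "reputational")

# Assumed due-diligence scope per tier (tier 1 = highest inherent risk).
DUE_DILIGENCE_SCOPE = {
    1: {"assessment": "full", "monitoring": "continuous", "evidence_review": True},
    2: {"assessment": "standard", "monitoring": "quarterly", "evidence_review": True},
    3: {"assessment": "self-attestation", "monitoring": "annual", "evidence_review": False},
}


@dataclass
class ThirdParty:
    name: str
    scores: dict                       # criterion -> 0..3
    critical_activity: bool = False    # supports a critical activity (guidance C.1)


def inherent_risk_score(tp: ThirdParty) -> int:
    """Sum of criterion scores; rejects unknown criteria or out-of-range values,
    and treats a criterion that was never scored as 0."""
    unknown = set(tp.scores) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    for crit, val in tp.scores.items():
        if not 0 <= val <= 3:
            raise ValueError(f"{crit} score {val} outside 0..3")
    return sum(tp.scores.get(c, 0) for c in CRITERIA)


def assign_tier(tp: ThirdParty) -> int:
    """Rule-based tiering: a critical activity or any single 'high' criterion
    forces tier 1 regardless of the total; a total of 5+ is tier 2; else tier 3."""
    score = inherent_risk_score(tp)
    if tp.critical_activity or any(v == 3 for v in tp.scores.values()):
        return 1
    return 2 if score >= 5 else 3


def heat_map_category(likelihood: int, impact: int) -> str:
    """Place one risk-register item on an assumed 5x5 likelihood/impact grid."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    product = likelihood * impact
    if product >= 15:
        return "critical"
    if product >= 8:
        return "high"
    return "medium" if product >= 4 else "low"


def plan_due_diligence(parties) -> dict:
    """Map each third party's name to (tier, due-diligence scope)."""
    return {p.name: (assign_tier(p), DUE_DILIGENCE_SCOPE[assign_tier(p)]) for p in parties}


# Constructed sample portfolio.
SAMPLE = [
    ThirdParty("core-banking-saas", {"data_interaction": 3, "financial": 2, "regulatory": 2, "reputational": 1}, True),
    ThirdParty("marketing-agency", {"data_interaction": 2, "financial": 1, "regulatory": 1, "reputational": 2}),
    ThirdParty("office-supplies", {"data_interaction": 0, "financial": 1, "regulatory": 0, "reputational": 0}),
]

if __name__ == "__main__":
    for name, (tier, scope) in plan_due_diligence(SAMPLE).items():
        print(f"{name}: tier {tier}, {scope}")
```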