A prudent banking organization appropriately manages its third-party relationships, including addressing consumer protection, information security, and other operational risks. Where due diligence information is limited, a bank should determine appropriate alternative methods to analyze critical third parties (e.g., use information posted on the third party's website). The guidance also addresses critical activities and how a bank can determine the risks associated with third-party relationships. The same relationship may present varying levels of risk across banks. State the third party's liability for activities or actions by its subcontractors and which party is responsible for the costs and resources required for any additional monitoring and management of the subcontractors. Accordingly, the agencies are jointly seeking comment on the proposed guidance. The Office of the Comptroller of the Currency (OCC) issued frequently asked questions (FAQs) to supplement OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance. These FAQs were intended to clarify the OCC's existing guidance and reflect evolving industry trends. Although a bank may not share a TSP report of examination or its contents with other banks, a bank that has not contracted with a particular TSP may seek information from other banks that have information on or experience with that TSP, as well as information from the TSP itself, to meet the bank's due diligence responsibilities. In what ways, if any, could the proposed guidance be revised to better address challenges a banking organization may face in negotiating some third-party contracts? Stipulate whether and how often the banking organization and the third party will jointly test business continuity plans. Banks should work with mobile payment providers to establish processes for authenticating the enrollment of customers' account information that customers provide to the mobile payment providers.
A banking organization may involve experts across disciplines, such as compliance, risk, or technology officers, legal counsel, and external support where helpful to supplement the qualifications and technical expertise of in-house staff. Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where a banking organization has an ongoing relationship or may have responsibility for the associated records. What additional information should the proposed guidance provide regarding a banking organization's assessment of a third party's information security and regarding information security risks involved with engaging a third party? Banks may be using or contemplating using a broad range of alternative data in credit underwriting, fraud detection, marketing, pricing, servicing, and account management.[15] For the purpose of this FAQ, alternative data means information not typically found in the consumer's credit files at the nationwide consumer reporting agencies or customarily provided by consumers as part of applications for credit.[16] When contemplating a third-party relationship that may involve the use of alternative data by or on behalf of the bank, bank management should:[17] Evaluate the qualifications and experience of the company's principals related to the services provided by the third party. Refer to FAQ No. If the third party receives a banking organization's customers' personally identifiable information, the contract should ensure that the third party implements and maintains appropriate security measures to comply with privacy regulations and regulatory guidelines.

By order of the Board of Governors of the Federal Reserve System.

The compensation may also be non-financial, such as cross-marketing. This allows the board to understand the benefits and risks associated with engaging third parties for critical services and knowingly approve the bank's contracts. Collaboration can also result in increased negotiating power and lower costs to banking organizations, not only during contract negotiations but also for ongoing monitoring. Consider whether the third party's risk management processes align with applicable banking organization policies and expectations surrounding the activity.

• Confirming third-party relationships align with the banking organization's business strategy;
• Identifying, measuring, monitoring, and controlling risks of third-party relationships;
• Understanding and monitoring concentration risks that may arise from relying on a single third party for multiple activities or from geographic concentrations of business;
• Responding to material breaches, service disruptions, or other material issues;
• Involving multiple disciplines across the banking organization as appropriate during each phase of the third-party risk management life cycle;
• Confirming appropriate staffing and expertise to perform risk assessment, due diligence, contract negotiation, and ongoing monitoring and management of third parties;
• Confirming oversight and accountability for managing third-party relationships (for example, whether roles and responsibilities are clearly defined and assigned and whether the individuals possess the requisite expertise, resources, and authority); and

Use of such external services does not abrogate the responsibility of the board of directors to decide on matters related to third-party relationships involving critical activities, or the responsibility of management to handle third-party relationships in a safe and sound manner and consistent with applicable laws and regulations.
• The ability of the institution to have unrestricted access to its data, whether or not in the possession of the third party;
• The responsibilities and methods to address failures to adhere to the agreement, including the ability of all parties to the agreement to exit the relationship;
• The banking organization's materiality thresholds and the third party's procedures for immediately notifying the banking organization whenever service disruptions, security breaches, compliance lapses, enforcement actions, regulatory proceedings, or other events pose a significant risk to the banking organization (for example, financial difficulty, catastrophic events, and significant incidents);
• Notification to the banking organization before making significant changes to the contracted activities, including acquisition, subcontracting, offshoring, management, or key personnel changes, or implementing new or revised policies, processes, and information technology;
• Notification to the banking organization of significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures, or other business activities that could affect the activities involved;
• The ability for the banking organization to access native data and to authorize and allow other third parties to access its data during the term of the contract;
• The ability of the third party to resell, assign, or permit access to the
• Expectations for the third party to notify the banking organization of significant operational changes or when the third party experiences significant incidents; and

Regardless of a bank's approach, the bank should have a sound methodology for designating which third-party relationships receive more comprehensive and rigorous oversight and risk management.
When using cloud computing services, bank management should have a clear understanding of, and should document in the contract, the controls that the cloud service provider is responsible for managing and those controls that the bank is responsible for configuring and managing. As noted above, a third-party relationship is any business arrangement between a banking organization and another entity, by contract or otherwise. The term business arrangement is meant to be interpreted broadly to enable banking organizations to identify all third-party relationships for which the proposed guidance is relevant. Banks that use a customized product or service may not, however, be able to use collaboration to fully meet their due diligence, contract negotiation, or ongoing monitoring responsibilities. A contract may limit the third party's liability, in which case the banking organization may consider whether the proposed limit is in proportion to the amount of loss the banking organization might experience because of the third party's failure to perform or to comply with applicable laws, and whether the contract would subject the banking organization to undue risk of litigation. The FAQs also address the use of third-party assessment services in managing third-party relationship risks. The banking organization's internal auditor or an independent third party may perform the reviews, and senior management confirms that the results are reported to the board. While screen-scraping activities typically do not meet the definition of business arrangement, banks should engage in appropriate risk management for this activity.
Bank management should understand and evaluate the results of validation and risk control activities that are conducted by third parties. Review the third party's websites and other marketing materials related to the banking products or services to ensure that statements and assertions align with the banking organization's expectations and accurately represent the activities and capabilities of the third party. Stipulate the frequency and type of reports needed. Comments must be received no later than September 17, 2021. Also refer to Consumer Financial Protection Bureau (CFPB), Request for Information Regarding Use of Alternative Data and Modeling Techniques in the Credit Process, 82 FR 11183 (February 21, 2017). In order to facilitate or supplement a banking organization's due diligence, a banking organization may use the services of industry utilities or consortiums, including development organizations, consult with other banking organizations,[15] Critical activities also include other activities that could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house. Contracts or other governing documents should lay out the terms of service-level agreements and contractual obligations. What type of due diligence and ongoing monitoring should be conducted when a bank enters into a contractual arrangement in which the bank has limited negotiating power? A security breach at the data aggregator could compromise numerous customer banking credentials and sensitive customer information, causing harm to the bank's customers and potentially causing reputation and security risk and financial liability for the bank.
Effective management teams should establish responsibility and accountability for managing third parties commensurate with the level of risk and complexity of the relationship. A vendor is typically an individual or company offering something for sale, and banks may outsource a bank function or task to another company. As part of sound risk management, banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support critical activities. Critical activities are significant bank functions[13]. Evaluate the third party's ownership structure (including any beneficial ownership, whether public or private, foreign or domestic ownership) and its legal and regulatory compliance capabilities. Banks typically allow for the sharing of customer information, as authorized by the customer, with data aggregators to support customers' choice of financial services. Based on that analysis, data that present greater compliance risk warrant more robust compliance management. Banking organizations are engaging in different types of relationships[6]. As part of ongoing monitoring, bank management should periodically assess existing third-party relationships to determine whether the nature of the activity performed constitutes a critical activity. Confirm that the contracts do not include burdensome upfront fees or incentives that could result in inappropriate risk taking by the banking organization or third party. An API for a particular routine can easily be inserted into code that uses that API in the software. Banks may also gain additional insight into a third party's resilience capabilities by reviewing the results of business continuity testing and the third party's performance during actual disruptions.
• Assess the banking organization's ability to oversee and manage its relationships;
• Highlight and discuss material risks and any deficiencies in the banking organization's risk management process with the board of directors and senior management;
• Carefully review the banking organization's plans for appropriate and sustainable remediation of such deficiencies, particularly those associated with the oversight of third parties that involve critical activities;
• Identify and report deficiencies in supervisory findings and reports of examination and recommend appropriate supervisory actions.

Bank management should conduct appropriate due diligence on the third-party relationship and on the model itself. and the OCC's 2013 guidance and its 2020 FAQs. Performance and risk measures can be used to motivate the third party's performance, penalize poor performance, or reward outstanding performance. The agencies have each adopted regulations setting forth Statements Clarifying the Role of Supervisory Guidance as guidance. Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the banking organization and the third party in an expeditious manner, and whether the third party should continue to provide activities to the banking organization during the dispute resolution period. Banking organizations may also gain advantage by negotiating contracts as a group with other users. Confirm that the third party's escalation and notification processes meet the banking organization's expectations and regulatory requirements. When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued. 1464(d)(7)(D) and 1867(c)(1).
When third parties, such as fintechs, start-ups, and small businesses, have limited due diligence information, the bank should consider alternative information sources.

• Confirming that risks related to third-party relationships are managed in a manner consistent with the banking organization's strategic goals and risk appetite;
• Approving the banking organization's policies that govern third-party risk management;
• Approving, or delegating to an appropriate committee reporting to the board, approval of contracts with third parties that involve critical activities;
• Reviewing the results of management's ongoing monitoring of third-party relationships involving critical activities;
• Confirming that management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring; and

The level of due diligence and ongoing monitoring, however, may differ for, and should be specific to, each third-party relationship. OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during the due diligence stage of the life cycle, before the banks have selected or entered into contracts or relationships with third parties. Determine whether the contract: Additionally, effective contracts enable the banking organization to terminate the relationship upon reasonable notice and without penalty in the event that the banking organization's primary federal banking regulator formally directs the banking organization to terminate the relationship. Refer to OCC Bulletin 2019-62, Consumer Compliance: Interagency Statement on the Use of Alternative Data in Credit Underwriting, for more information about compliance risk management considerations regarding the use of alternative data. Many bank customers expect to use transaction accounts and credit, debit, or prepaid cards issued by their banks in mobile payment environments.
A material or significant contract with a third party typically prohibits assignment, transfer, or subcontracting by the third party of its obligations to another entity without the banking organization's consent. Bank management remains responsible for confirming that contracts meet the bank's needs even if they are not customized contracts. State whether and how the third party has the right to use the banking organization's information, technology, and intellectual property, such as the banking organization's name, logo, trademark, metadata, and copyrighted material. A banking organization typically considers the following factors, among others, during due diligence of a third party: Review the third party's overall business strategy and goals to consider how the third party's current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, partnerships, joint ventures, or joint marketing initiatives) may affect the activity. Effective validation reports include clear executive summaries, with a statement of model purpose and a synopsis of model validation results, including major limitations and key assumptions. Confirm that the third party regularly tests its operational resilience in an appropriate format and frequency. (Originally FAQ No. 9.) The agencies seek to promote consistent third-party risk management guidance, better address the use of, and services provided by, third parties, and more clearly articulate risk-based principles on third-party relationship risk management. Additionally, ongoing monitoring typically includes the regular testing of the banking organization's controls to manage risks from third-party relationships, particularly when critical activities are involved. Where sensitive banking organization data may be accessible, review employee on- and off-boarding procedures to ensure physical access rights are managed appropriately.
The principles in OCC Bulletin 2013-29 are relevant when a bank uses a third-party model or uses a third party to assist with model risk management, as are the principles in OCC Bulletin 2011-12, Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management. Accordingly, third-party models should be incorporated into the bank's third-party risk management and model risk management processes. The scope of due diligence and the due diligence method should vary based on the level of risk of the third-party relationship. (Originally FAQ No. OCC Bulletin 2013-29 indicates that critical activities include significant bank functions (e.g., payments, clearing, settlements, and custody), significant shared services (e.g., information technology), or other activities that. Confirm that the contract sufficiently addresses: The contract often establishes the banking organization's right to audit, monitor performance, and provide for remediation when issues are identified. This guidance offers a framework based on sound risk management principles that banking organizations supervised by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (together, the agencies)[9] A banking organization typically considers the following factors, among others, in planning for a third-party relationship: As with all other phases of the third-party risk management life cycle, it is important for planning and assessment to be performed by those with the requisite knowledge and skills. Some smaller and less complex banking organizations have expressed concern that they are expected to institute third-party risk management practices that they perceive to be more appropriate for larger and more complex banking organizations.
The use of third parties can offer banking organizations significant advantages, such as quicker and more efficient access to new technologies, human capital, delivery channels, products, services, and markets. Consider including indemnification clauses that specify the extent to which the banking organization will be held liable for claims that cite failure of the third party to perform, including failure of the third party to obtain any necessary intellectual property licenses. The agencies seek to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management. Please use the title Proposed Interagency Guidance on Third-Party Relationships: Risk Management to facilitate the organization and distribution of the comments. Banks that have third-party relationships with financial market utilities can rely on these disclosures. Consider whether the third party has identified, and articulated a process to mitigate, areas of potential consumer harm, particularly where the third party will have direct contact with the bank's customers, develop customer-facing documents, or provide new, complex, or unique products. Many third-party models can be customized by a bank to meet its needs.

[2021-15308 Filed 7-16-21; 8:45 am]
Contracts should stipulate when and how the third party will notify the bank of its intent to use a subcontractor, as well as how the third party will report to the bank regarding a subcontractor's conformance with performance measures, periodic audit results, compliance with laws and regulations, and other contractual obligations of the third party. Confirm that the contract gives the banking organization the right to monitor the third party's compliance with applicable laws, regulations, and policies, conduct periodic reviews to verify adherence to expectations, and require remediation if issues arise. It is common for a bank to have several third-party relationships that support the same critical activity (e.g., a major bank project or initiative), but not all of these relationships are critical to the success of that particular activity. Provide that the contract requires compliance with laws and regulations and considers relevant guidance and self-regulatory standards. A data aggregator typically acts at the request of and on behalf of a bank's customer without the bank's involvement in the arrangement. Periodic board reporting is essential to ensure that board responsibilities are fulfilled. may use when assessing and managing risks associated with third-party relationships. Because the OCC's (and other federal banking regulators') statutory authority is to examine a TSP that enters into a contractual relationship with a regulated financial institution, the OCC (and other federal banking regulators) cannot provide a copy of a TSP's report of examination to financial institutions that are either considering outsourcing activities to the examined TSP or that enter into a contract after the date of examination. More specifically, management may consider the following: whether the report, certificate, or scope of the audit is enough to determine if the third party's control structure will meet the terms of the contract.
In some instances, banks serve only as facilitators for the fintech companies' products or services, with one of the products or services coming from the banks. Bank management should evaluate and track identified issues and ensure they are addressed. For some relationships, on-site visits may be useful to understand fully the third party's operations and capacity. For example, the third party may not have a long operational history or demonstrated financial performance. The OCC may, however, proactively distribute TSP reports of examination in certain situations, because of significant concerns or other findings, to banks with contractual relationships with that particular TSP. The bank may consider a company's access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect the third party's overall financial stability. When technology supports service delivery, assess the third party's data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests. (Originally FAQ No. These companies offer banks a standardized questionnaire with responses from a variety of third parties (particularly information technology-related companies). Detail contractual obligations, such as reporting on the subcontractor's conformance with performance measures, periodic audit results, compliance with laws and regulations, and other contractual obligations. Banks still have a responsibility, however, to manage these relationships in a safe and sound manner with consumer protections.

Federal Deposit Insurance Corporation.
Address the powers of each party to change security and risk management procedures and requirements and resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party.

Third parties can fail to manage their subcontractors with the same rigor that the bank would have applied if it had engaged the subcontractor directly. Accordingly, comments will not be edited to remove any identifying or contact information. Banks may partner with fintech companies to offer savings, credit, financial planning, or payments in an effort to increase consumer access. Whether activities are performed internally or outsourced to a third party, a banking organization is responsible for ensuring that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations. Reserve the right to terminate the contract with the third party without penalty if the third party's subcontracting arrangements do not comply with the terms of the contract. These activities could include model validation and review, compliance functions, or other activities in support of internal audit. Banks should retain appropriate documentation of all their efforts to obtain information and related decisions. This statement may have been misunderstood as meaning a bank may not enter into relationships with third parties that do not meet the bank's lending criteria. You may review comments and other related materials that pertain to this action by the following method: the docket may be viewed after the close of the comment period in the same manner as during the comment period. It is therefore important for a banking organization to identify, assess, monitor, and control the risks associated with the use of third parties and the criticality of the services being provided. Indicate whether any records generated by the third party become the banking organization's property. Refer to the U.S. Department of the Treasury report A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation for more information on data aggregators.
The goal is for the bank's risk management practices for each relationship to be commensurate with the level of risk and complexity of the third-party relationship.