On July 13, 2021, federal bank regulators – the Board of Governors of the Federal Reserve System (the “Board”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “Regulators”) – requested public comment on proposed joint guidance regarding banking organizations’ management of risks related to relationships with third-party support and service providers (the “Proposed Guidance”). Each of the Regulators previously issued guidance on the subject for their respective supervised banking organizations. The Proposed Guidance seeks to promote consistency in banking organizations’ third-party risk management, replacing agency-specific guidance with a framework that applies to all banking organizations supervised by the Regulators. According to the Regulators, the Proposed Guidance largely would adopt the text of the OCC’s 2013 guidance, broadening its scope to include organizations supervised by all three Regulators.
The Regulators note that relevant third parties can come in a variety of forms, including those that service banking organizations’ business functions, as well as those that offer products and services (such as mobile and point-of-sale payments) to banking organizations’ customers.
The Proposed Guidance states that the use of a third party does not diminish a banking organization’s responsibility to perform an activity in a safe and sound manner that complies with applicable law. The Proposed Guidance provides for banking organizations to adopt third-party risk management processes commensurate with the (1) identified level of risk, (2) complexity of the third-party relationship, and (3) organizational structure of the banking organization.
The framework provided in the Proposed Guidance identifies principles applicable to each stage of the third-party relationship life cycle, including:
- Developing a plan that outlines a strategy, identifies inherent risks, and details how to identify, assess, select and oversee a third party;
- Performing proper due diligence in selecting a third party;
- Negotiating written contracts that articulate the rights and responsibilities of all parties;
- Oversight by the banking organization’s board of directors and executives of risk management processes, documentation, accountable reporting and independent reviews;
- Ongoing monitoring of third-party activity and performance; and
- Contingency planning for relationship terminations.
Notable provisions address relevant factors for performing due diligence on third parties’ (1) information security programs (e.g., controls, vulnerability and penetration testing, multifactor authentication, end-to-end encryption and secured source code management); (2) management of information systems (e.g., technology, business processes and management); (3) operational resilience (e.g., capabilities with respect to disaster recovery, business continuity plans, regular testing, redundancy and preparedness for known and emerging threats and vulnerabilities); (4) incident reporting (e.g., escalation and notification processes); (5) physical security (e.g., protections for facilities, technology systems, data and employees); (6) human resource management (e.g., compliance training quality); (7) use of subcontractors (e.g., ability to ensure that the same level of quality and controls exist regardless of where subcontractors reside); and (8) insurance coverage (e.g., maintenance of cybersecurity coverage).