Tag: FDIC

05 Apr 2023
Evolution of Third-party Management

Evolution of Third-party Management

Evolution of Third-party Management

Pending interagency guidance on the management of third-party relationships will significantly alter how financial institutions (FIs) handle risks related to external service providers. The new guidelines will increase the complexity and responsibility of third-party management for banking organizations in the near future. These standards will apply to all financial institutions—including community banks—with third-party relationships.1

The updated guidance—proposed jointly by the Board of Governors of the Federal Reserve System (the Board), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—will consolidate2 the agencies’ separate rules into a single common guideline built around the OCC Bulletin 2013-29. The proposed guidance states that “the new framework is based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.”

Increased Regulatory Expectations

FIs s need to consider the key implications of increased regulatory scrutiny in this area, particularly where they expand on current expectations. For instance, regulators will expect them to do more due diligence on the pre-engagement side, which affects the initial selection and contract negotiation process. Institutions will also be held more accountable for understanding and predefining the termination process for outside service providers. This includes considering who owns data, how the data is returned, and how it is disposed of after the relationship with the provider ends.

From a regulatory perspective, third parties represent the biggest single source of noncontrollable risk to a bank or credit union. To a considerable extent, examiners will draw comparisons to overall enterprise risk management maturity from an institution’s third-party risk management program. In their words; “A banking organization’s failure to have an effective third-party risk management process that is commensurate with the level of risk, the complexity of third-party relationships, and the organizational structure of the banking organization may be an unsafe or unsound practice.” In addition, they will expect to see sufficient oversight at all levels, from the board to senior management, and ultimately the employees directly overseeing the individual relationships.

Vendor vs. Third Party

It is also critical for FIs to be aware of—and adjust for—the difference between the terms “vendor” and “third party.” While banks have historically used these words interchangeably, it is now clear that institutions will have to remove the term “vendor” from their vocabulary and substitute “third-party” in its place. The proposed guidance uses the term “vendor” only 4 times, while the term “third-party” is used 262 times!

The reason for the change is more than just semantic, it represents a significant shift in how a third party is defined. A third party can be any entity with which the institution has a business relationship, and neither a written contract nor monetary exchange is necessary to establish a business arrangement. A business relationship can include more obvious arrangements such as referral agreements and professional services providers like law and audit firms, but also less obvious companies such as maintenance, catering, and custodial service companies. Business arrangements have greatly expanded and become more varied and, in some cases, far more complex. FI’s should be prepared to expand the scope of their third-party risk management (TPRM) program.

Expansion of Third-Party Risk Assessment

Financial institutions will also need to expand third-party risk management beyond the scope of the Gramm-Leach-Bliley Act (GBLA) to comply with the new guidance. They should broaden their focus beyond non-public information (NPI) to include anything that may not be directly related to customer information, but still needs to remain confidential. This can include strategic plans, unaudited financial statements, HR and shareholder records, and committee meeting minutes. Regardless of the type of information, regulators will expect institutions to manage their risk by accurately assessing all third-party exposure to the storage, transmittal, and processing of information.

While institutions cannot directly control third-party risks, they will need to request and review certain documents—especially from critical parties. A few key third-party documents that institutions should examine prior to engagement3 include contracts, audit reports4, and financials. Depending on criticality, FIs may also need to maintain a list of potential alternate providers in case their primary provider fails or cannot complete the terms of their contract. Finally, institution management should be fully aware of any gaps or limitations in third-party contracts, so they can manage any increased residual risk effectively.

Another area likely to draw increased scrutiny is Complementary User-entity Controls (CUECs), included in the SOC report. These are the controls third parties require for you to utilize their products or service. The best practice strongly suggests you document these CUECs and adhere to them.

Financial institutions that may lack the internal time and/or expertise to review third-party contracts, financials, and SOC reports, can consider adding a solution like Safe Systems’ Vendor Management Document Review. The service enhances the control review process and makes it easier for institutions to meet the increased regulatory expectations for managing third parties. Read more about this topic by accessing our “Evolution of Third Party Management” webinar.

1 As of this date the NCUA has not indicated that they will be a signatory on this new guidance.

2 The Board’s 2013 guidance, the FDIC’s 2008 guidance, the OCC’s 2013 guidance and its 2020 FAQs.

3 Certain documents such as SOC reports may only be made available after a contract is in place.

4 Depending on the trust criteria selected, audit reports like the AICPA System and Organization Controls (SOC) 1 and SOC 2 should also include an auditor opinion on the information security and business continuity controls in place at the third party.

02 Feb 2022
Compliance Review and Tactics

2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022

Compliance Review and Tactics

With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council’s (FFIEC) and Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.

The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.

Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA Patriots Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non appointment-related) FFIEC releases in 2021 were related to BSA/AML.

In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.

One additional item of note in 2021; the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.

Tips, Tricks, and Tactics

One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.

Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.

What to Consider in 2022 and Current Trends

Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.

Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.

Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”