Tag: FDIC

18 Aug 2023
Third-Party Risk Management Final Guidance – An In-depth Analysis

Background 

In July of 2021, the three primary bank regulators (OCC, FDIC, and Federal Reserve) proposed new guidance on third-party risk management (TPRM).  According to the agencies, “The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.”  In June of 2023 all three (OCC, FDIC, Federal Reserve) jointly adopted the final guidance, stating that: “The final guidance offers the agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.”  The agencies issued this simultaneously to “promote consistency in supervisory approaches”, something we fully support and have long advocated.  It replaces each agency’s existing guidance on this topic and is applicable to all banking organizations supervised by the agencies (currently all financial institutions except credit unions). 

Analysis 

Since third-party relationships represent a significant amount of residual enterprise-wide strategic, operational, and information security risk to many financial institutions (we refer to this as the ‘inherited risk’), and because we believe regulators will greatly increase their scrutiny of your risk management efforts in this area, we’ve taken the last couple months to take a deep dive into the details of the guidance, and the potential implications to your TPRM program.  The following is a summary of our observations. 

The agencies are advising a 5-step continuous life-cycle, wrapped in a formal, 3-phase governance process: 

Each of the 5 phases consists of one or more sections, each of those with one or more statements:   

  1. Planning – 1 section, 11 statements 
  2. Due Diligence & Third-Party Selection – 14 sections, 40 statements 
  3. Contract Negotiation – 17 sections, 61 statements 
  4. Ongoing Monitoring – 1 section, 14 statements 
  5. Termination – 1 section, 6 statements 

and 

  • Governance – 3 sections, 29 statements 

In total, there are 161 statements to evaluate, and they range from what we’ve interpreted as strong recommendations (“It is important for contracts to stipulate…”), to what we’ve determined are general observations and best practices (“May want to consider whether the contract…”).   

Implications 

In addition to factoring the “must have vs. nice to have” interpretation of each statement into the analysis, institutions will also need to determine the applicability of each individual statement to your organization.  No fewer than 13 times in the guidance they mention some variation of “…commensurate with the banking organization’s risk appetite and the level of risk and complexity of its third-party relationships.”  This is the applicability filter through which your “implement/do not implement” determination will pass.   Simply put, although you should be familiar with each statement and its implications, you may not necessarily need to adopt them all.  Indeed, if you currently have and maintain a compliant third-party management program, many are very likely already in place.   

However, the single most important take-away for us is how the statements are distributed throughout the sections, which we believe give a pretty good indication of how the regulators will evaluate your TPRM program on the exam side.  The vast majority (~70%) of statements are clustered in what can be referred to as “pre-engagement” phase, or before you formally engage (by contract or otherwise) with the third-party; the Planning, Due Diligence and Contract phases: 

Does this mean that ~70% of your third-party management efforts going forward should be pre-engagement?  We think that is a reasonable assumption, and we anticipate that sooner or later the regulators will also align their expectations in that direction.  And since most compliant TPRM programs very likely already address the On-going Monitoring and Governance areas, the biggest challenge for most folks will be: 

  1. Evaluating each of the 112 statements in this pre-engagement phase, and determining, 
  2. Whether the statement is already addressed somewhere in your current program, 
  3. If not, deciding whether or not to implement it given the criticality, complexity, and nature of the service(s) provided by the third-party given your risk appetite. 

Pre-engagement vs. Pre-initiative 

Although significantly expanded here, due diligence and contract considerations have, to a greater or lesser degree, always been in place. However, the biggest challenge for most institutions will be in the Planning phase.  There are only 11 statements in this section, but they all address the risks of the business initiative itself, NOT the third-party!  These statements include items such as: 

  • “Understanding the strategic purpose of the business arrangement…” 
  • “Identifying and assessing the benefits and the risks associated with the business arrangement…”, and 
  • “Considering the nature of the business arrangement…” 

While most folks would consider these types of strategic (“why” instead of “how”) discussions to be beyond the scope of a traditional TPRM program, regulators are certain to look for them going forward.  Make sure to build this pre-initiative “why” phase into your program.   

Summary 

As with all things in the compliance space, be sure to document your entire decision-making process and don’t hesitate to reach out to our experts for assistance.  As the guidance also states,  “A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.” 

The agencies have indicated that they plan to develop additional resources to assist smaller, less-complex community banking organizations in managing relevant third-party risks, and we’re keeping an eye on this.  In the meantime, we have created an interactive tool that lists all sections and statements, allows you to acknowledge each statement, add your notes, and track your overall progress.  Click here for a copy.   

We also offer a complimentary high-level regulatory compliance evaluation of your existing vendor management program. Click here to request more information. 

We will be hosting an in-depth webinar and analysis on this new guidance on September 20th. A registration link will be available on our webinar page within the next week. 

19 Oct 2016

Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

Hey Guru!

Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC banks to complete the Assessment?

The FFIEC issued a press release October 17, 2016, on the Cybersecurity Assessment Tool titled Frequently Asked Questions. This reiterated that the assessment is voluntary and an institution can choose to use either this assessment tool, or an alternate framework, to evaluate inherent cybersecurity risk and control maturity.

Since the tool was originally released in 2015, all the regulatory agencies have announced plans to incorporate the assessment into their examination procedures:

  • OCC Bulletin 2015-31 states “The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.”
  • Federal Reserve SR 15-9 states “Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”
  • FDIC FIL-28-2015 states “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
  • NCUA states “FFIEC’s cybersecurity assessment tool is provided to help them assess their level of preparedness, and NCUA examiners will use the tool as a guide for assessing cybersecurity risks in credit unions. Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide.”

Even though the FFIEC format is officially voluntary, the institution still has to evaluate inherent risk and cybersecurity preparedness in some way. Therefore, unless you already have a robust assessment program in place, we strongly encourage all institutions to adopt the FFIEC Cybersecurity Assessment Tool format since this is what the examiners will use.

NOTE:  The FAQ also made it clear that the FFIEC does not intend to offer an automated version of the tool.  To address this, we have developed a full-featured cybersecurity service (RADAR) that includes an automated assessment, plus a gap analysis / action plan, cyber-incident response test, and several other components.

12 Jul 2016

FDIC Updates IT Examination Procedures

Starting immediately, all FDIC-examined institutions will be subjected to new IT examination procedures, the first major overhaul since December 2007.  The new format is dubbed the InTREx program (Information Technology Risk Examination), and is designed to be a bit simpler in the pre-examination phase.  In fact, the InTREx has only 26 questions vs. 59 for the 12/07 version.  But what the new version gives up in the pre-exam phase, it more than makes up for in the actual on-site examination portion.  I believe most institutions should prepare for a much more thorough (i.e. time-consuming) examination experience going forward.

The InTREx is based on the URSIT methodology (Uniform Rating System for Information Technology), which dates back to 1999.  URSIT consists of four main components used to assess the overall performance of IT management within an organization; Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).  Additionally InTREx adds an Expanded Analysis section for both Management and Support and Delivery.

First, the similarities:  Both the old and new model share a pre-exam and an on-site phase.  The pre-exam phase consists of the questionnaire, which is designed to help the examiner “scope” the examination (see #2 below), and determine exactly what documentation they will require from you (some of which they will request ahead of time, some will be requested on-site).

Once on-site the differences between the old and new are more apparent.  The new exam procedures require examiners to “review” (47 instances) and “evaluate” (54 instances) your documentation, and “determine” (30 instances) whether it is sufficient to prove that you’re doing what you say you will do.  The examiner uses the “Core Analysis Procedures” to assess each “Decision Factor” as either Strong, Satisfactory, Less than satisfactory, Deficient, or Critically deficient.  Examiners will then assign a 1 – 5 rating score to each AMDS component, and then assign an overall composite score.  All component ratings and scores, along with examination findings and recommendations, will appear in the final report.

Here is how the pre-exam and on-site phases break down in terms of type and volume of information requested:

  • The pre-exam phase is divided into 6 sections, with a total of 26 questions (most of which have an “If Yes…” portion, very similar to the 12/07 version):
    SECTION                      # QUESTIONS
    Core Processing              4
    Network                      6
    Online Banking               4
    Development and Programming  1
    Software and Services        2
    Other                        9
  • The on-site exam phase is where the new examiner procedures are defined, and is divided into the AMDS sections, plus the 2 Expanded Analysis sections.  Each of the AMDS sections has a Core Analysis Decision Factors, and a Core Analysis Procedures sub-section:
    Exam Procedures Components                 Core Analysis Decision Factors   Core Analysis Procedures
    Audit                                      10                               8
    Management                                 8                                16
    Development and Acquisition                6                                9
    Support and Delivery                       8                                26
    Management: Expanded Analysis              6                                7
    Support and Delivery: Expanded Analysis    7                                8
    GLBA Information Security Standards*       1*                               0
    Cybersecurity*                             1*                               0

* These components are not assessed separately, but are scattered throughout the program.

OBSERVATIONS:
  1. This is a much more granular process, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank.  Proper documentation will often make the difference between a “satisfactory” and a “less than satisfactory” assessment.  If you prepared for previous exams by not just answering “Yes” or “No” to the pre-exam questions, but identifying all supporting documentation whether or not it was asked for, you should be fine with the InTREx.  If you were used to answering “Yes” or “No” with little or no examiner follow-up, download the InTREx now and focus on all the items in the Core Analysis Procedures sections.  Pay particular attention to the 34 “Control Test” items marked with the FDIC Control Test icon, and make sure you can get your hands on those items.  Again, being able to provide the documentation may make all the difference in your final exam score.
  2. The pre-exam portion of the questionnaire should (in theory) allow the exam to scale to the size and complexity of the institution.  We’ll have to wait and see if that actually occurs, but let’s hope so.  We’ve heard from far too many smaller institutions that said they felt their examiner treated them as if they were much larger.
  3. There is quite a bit of overlap between the elements in the InTREx and the Declarative Statements in the Cybersecurity Assessment Tool.  That should mean that actions taken to strengthen your cybersecurity control maturity will also strengthen your overall IT controls.  Also, cybersecurity elements are now permanently baked-in to the IT examination process, not a separate assessment.  This is consistent with what I’ve been saying all along, that cybersecurity is simply a subset of information security.  However, as with the Control Tests, you should make sure you have documentation available for all items marked with the FDIC Cyber icon.
  4. Hopefully, one potentially positive outcome from all this will be a more consistent examination experience.  Inconsistent examination results have been a source of concern for many institutions recently.  This new process should address that by removing some of the subjectivity that results when different examiners interpret the same guidance differently, and also by clarifying precisely what resources they need to “review”, and “evaluate” in order to “determine” the level of compliance achieved. 
  5. It is uncertain how quickly the new format will be adopted by regulators, but I’m guessing it will be pretty quickly.  Since they will send the questionnaire 90 days prior to your scheduled exam, we should expect the new methodology to be implemented for exams conducted in Q4 2016 at the soonest.
  6. It’s also unclear whether the other (non-FDIC) regulators will adopt this format. However, the FDIC insures the funds in all insured institutions and has supervisory authority at each of them (including those for which it is not the primary federal supervisor), so a single standard would make sense.  In any case, even non-FDIC institutions would be wise to familiarize themselves with this guidance.

Shoot me an email if and when you get the new InTREx, and let me know your experiences with it.  I’ll update the post periodically.

20 Apr 2016

FDIC Targets Board Responsibilities

“A topic is at times of such significant interest to bankers and examiners that it warrants a special issue…”  Whenever something from a regulatory body begins this way all bankers should take notice, and the latest Special Corporate Governance Edition from the FDIC is no exception.  In fact the Guru did a little research and the last time the FDIC released a Special Edition of its Supervisory Insights was the Foreclosure Edition in 2011, which was a post-mortem on the banking crisis.

So all bankers would be well advised to review this latest publication, but particularly community bankers.  In fact the full title is:  A Community Bank Director’s Guide to Corporate Governance: 21st Century Reflections on the FDIC Pocket Guide for Directors.  The emphasis on community banks and bankers is intentional, and the release states right up front that:

“Community banks play a vital role in the nation’s economy and local communities, and a bank’s management – including its directors and senior management – is perhaps the single most important element in the successful operation of a bank.”

Although the FDIC states that this does not constitute new guidance (the original Pocket Guide was issued almost 30 years ago, but the basics haven’t really changed), the fact that they chose this topic and this time to release a special issue indicates that this is almost certainly going to be an area of increased focus for examiners going forward.

If there is one common theme that resonates from this issue it is that directors are expected to play a more active role in the day-to-day affairs of their institutions, and NOT be simply a “rubber stamp” for management.  This sums it up pretty well:

“…a director’s responsibility to oversee the conduct of the bank’s business necessitates using independent judgment and providing a credible challenge.  This entails engaging in robust discussions with senior management and perhaps challenging recommendations at times, rather than simply deferring to their decisions.”

I’ve talked about this concept of “credible challenge” before, which also appears several times in the recent FFIEC Management Handbook, and is defined as “being actively engaged, asking thoughtful questions, and exercising independent judgment.”  In order to do that, directors need access to accurate, timely and relevant information.  Board reports, once very high-level, should now include sufficient detail to allow members to comprehend (and if necessary, challenge) management decisions.

Make sure your IT management systems and processes are capable of producing these Board-level summary reports, then get them in front of the Board and in the Board minutes.  And be prepared for 2 things going forward; first, examiners WILL ask for these Board minutes and expect to see evidence of more engagement.  And secondly, expect Board meetings to become a lot more spirited!

04 Mar 2016

FDIC Expands Criteria for 18 Month Exam Cycle

The FDIC released FIL-17-2016 today, which will increase the examination cycle for community banks meeting certain criteria from 12 months to 18 months, thereby potentially decreasing the frequency of one of the most intrusive events in a banker’s life.

The criteria are as follows:

  • Must be less than $1 B in assets
  • Must have a CAMELS composite rating of “1” or “2”
  • Must be well-capitalized
  • Must be well-managed
  • Must not have undergone any change in control during the previous 12 months
  • Must not be under an enforcement order or proceeding.

The 18 month examination cycle was previously not available to any community bank smaller than $500 million in assets, but now any bank smaller than $1 B will qualify, provided they meet the other criteria.

This is good news for already overly-burdened and otherwise healthy institutions, but what concerns me is the definition of “well-managed”. All of the other criteria are objective, and pretty easy to define and establish. But how will the regulators define well-managed? For example, if the institution had a single, non-material, repeat finding in their last exam, could that reflect poorly on management? After all, responsiveness to recommendations from auditors and supervisory authorities is one of the elements that make up the CAMELS management component.

And is it even possible for an institution to rate a composite score of “1” or “2” if it is not well-managed? Here is an extract from the FDIC Uniform Financial Institutions Rating System (UFIRS) relating to management:

  • Composite 2 : Only moderate weaknesses are present and are well within the board of directors’ and management’s capabilities and willingness to correct.
  • Composite 3: Management may lack the ability or willingness to effectively address weaknesses within appropriate time frames.

Based on this, I think it’s highly unlikely that a bank could score a “2” and be poorly managed.

Anyway, time will tell how examiners define well-managed, but this is certainly a step in the right direction and should bring much needed relief to many institutions.

23 Jul 2014

Cybersecurity – Part 2

In Part 1 I discussed the increasing regulatory focus on cybersecurity, and what to expect in the short term.  In this post I want to dissect the individual elements of cybersecurity, and list what you’ll need to do to demonstrate compliance on each one going forward. So here are the required elements of a cybersecurity program, followed by what you need to do:

  • Governance – risk management and oversight
  • Threat intelligence and collaboration – Internal & External Resources
  • Third-party service provider and vendor risk management
  • Incident response and resilience

1.     Governance – risk management and oversight

Nothing new about this one, virtually all FFIEC IT Handbooks list proper governance as the first and most important item necessary for compliance, and governance begins at the top.  In fact a recent FFIEC webinar was titled “Executive Leadership of Cybersecurity: What Today’s CEO Needs to Know About the Threats They Don’t See.”  But governance involves more than just management oversight.  The IT Handbook defines it this way:

“Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability.”

What you need to do:

  • Update & Test your Policies, Procedures and Practices.  Verify that cyber threats are specifically included in your information security, incident response, and business continuity policies.
  • Assess your Cybersecurity Risk (Risk = Threat times Vulnerability minus Controls).  When selecting controls, remember that there are three categories; preventive, detective, and responsive/corrective.  Preventive controls are always best, but given the increasing reliance on third-parties for data processing and storage, they may not be optimal.  Focus instead on detective and responsive controls.  Also, make sure your assessment accounts for any actual events affecting you or your vendors.  Document both:
    • Inherent cybersecurity risk exposure – risk level prior to application of mitigating controls
    • Residual cybersecurity risk exposure – risk remaining after application of controls
  • Adjust your Policies, Procedures and Practices as needed based on the risk assessment results.
  • Use your IT Steering Committee (or equivalent) to manage the process.
  • Provide periodic Board updates.
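The inherent vs. residual exposure that the risk assessment step asks you to document, carried through in code. This is an added illustration and not a tool from the post or from the FFIEC; the 1–5 rating scale, the points each control removes, the rating bands, the one-notch threat bump for a recent actual event, and the two sample third parties are all constructed assumptions to be calibrated against your own risk appetite. It also applies the post’s point about externally hosted data: where preventive controls sit with the vendor, the institution’s own detective and responsive controls are expected to compensate, so the assessment flags any externally hosted relationship that lacks them.

```python
"""Inherent vs. residual cybersecurity risk for third parties, worked in code.

Added illustration, not a tool from the post. The 1-5 scales, the point
reductions per control, the rating bands and the sample third parties are
all constructed assumptions; calibrate them to your own risk appetite.
"""
from dataclasses import dataclass, field

CONTROL_TYPES = ("preventive", "detective", "responsive")
LOW, HIGH = 1, 5  # assumed rating scale for threat and vulnerability


@dataclass
class Control:
    name: str
    kind: str        # one of CONTROL_TYPES
    reduction: int   # assumed risk points this control removes

    def __post_init__(self):
        if self.kind not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {self.kind}")


@dataclass
class ThirdParty:
    name: str
    threat: int
    vulnerability: int
    hosted_externally: bool
    controls: list = field(default_factory=list)
    recent_event: bool = False  # an actual event affecting you or the vendor


def effective_threat(tp):
    """A recent real event raises the threat rating one notch (assumption)."""
    return min(HIGH, tp.threat + 1) if tp.recent_event else tp.threat


def inherent_risk(tp):
    """Risk before mitigating controls: threat times vulnerability."""
    return effective_threat(tp) * tp.vulnerability


def residual_risk(tp):
    """Risk remaining after controls are subtracted, floored at zero."""
    return max(0, inherent_risk(tp) - sum(c.reduction for c in tp.controls))


def rating(score):
    """Assumed bands on the 0-25 residual score."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


def assess(tp):
    """Return the two documented exposures plus the gaps a reviewer would flag."""
    kinds = {c.kind for c in tp.controls}
    findings = []
    # Externally hosted data: preventive controls sit with the vendor, so the
    # institution's own detective and responsive controls must compensate.
    if tp.hosted_externally and not {"detective", "responsive"} <= kinds:
        findings.append("externally hosted: add detective and responsive controls")
    if tp.recent_event:
        findings.append("recent event: revisit threat rating and control effectiveness")
    return {
        "name": tp.name,
        "inherent": inherent_risk(tp),
        "residual": residual_risk(tp),
        "rating": rating(residual_risk(tp)),
        "findings": findings,
    }


# Constructed sample register (not real vendors or ratings).
SAMPLE = [
    ThirdParty("core-processor", threat=4, vulnerability=3, hosted_externally=True,
               controls=[Control("contract security clause", "preventive", 2)]),
    ThirdParty("branch-network", threat=3, vulnerability=4, hosted_externally=False,
               controls=[Control("patch management", "preventive", 4),
                         Control("log monitoring", "detective", 3),
                         Control("tested IRP", "responsive", 2)],
               recent_event=True),
]


def board_summary(register=SAMPLE):
    """One row per third party, suitable for a periodic Board update."""
    return [assess(tp) for tp in register]


if __name__ == "__main__":
    for row in board_summary():
        print(f"{row['name']:<16} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} ({row['rating']})")
        for finding in row["findings"]:
            print("   -", finding)
```

The point of keeping both numbers is that the residual score alone hides how much of the reduction depends on controls you do not operate yourself; the findings list is what goes to the IT Steering Committee, and the per-row summary is what goes in the Board packet.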

2.     Threat intelligence and collaboration – Internal & External Resources

This element reflects both the complexity and the pervasiveness of the cybersecurity problem, and (unlike governance) is a particular challenge to smaller institutions (<1B).  According to a study conducted in May of this year by the New York State Department of Financial Services, the information security frameworks of small institutions lagged behind larger institutions in two key areas: oversight over third party service providers (more on that later), and membership in an information-sharing organization.

What you need to do:

Regulators expect all financial institutions to identify and monitor cyber-threats to their organization, and to the financial sector as a whole.  Make sure this “real-world” information is factored into your risk assessment.  Some information sharing resources include:

3.     Third-party service provider and vendor risk management

For the vast majority of outsourced financial institutions, managing cybersecurity comes down to managing the risk originating at third-party providers and other unaffiliated third-parties. As the Chairman of the FFIEC, Thomas J Curry, recently stated:

“One area of ongoing concern is the increasing reliance on third parties… The OCC has long considered bank oversight of third parties to be an important part of a bank’s overall risk management capability.”

Smaller institutions may be even more at risk, because they tend to rely more on third-parties, and (as I pointed out earlier) tend to lag behind larger institutions when it comes to vendor management.  This is mostly because of available internal resources.  Larger institutions may conduct their own compliance audits, while smaller institutions may rely more on external resources, such as SOC reports and FFIEC Reports of Examination (ROE).  And once the reports are received, interpreting them to determine if they indeed address your concerns can be an even bigger challenge.

What you need to do:

Regardless of size, all institutions should  employ basic vendor management best practices to understand and control third-party risk.  Pay particular attention to the following:

  • Pre-contract Planning & Due Diligence – in addition to reviewing the SOC reports and ROEs, determine if the vendor had any significant recent security events.
  • Contracts – they should define if and how you’ll be notified in the event of a security event involving you or your customer’s data, and who is responsible for customer notification.  They should also include a “right-to-audit” clause, giving you the right to conduct audits at the service provider if necessary.
  • Ongoing Monitoring – in addition to updated SOC reports, financials, and ROEs, don’t forget to take advantage of vendor forums and user groups.  As the FFIEC statement stressed:

“…financial institutions that utilize third party service providers should check with their provider about the existence of user groups that also could be valuable sources of information.”

  • Termination/Disengagement – management should understand what happens to their data at the end of the relationship.

4.     Incident response and resilience

Incident response has been mentioned in all regulatory statements about cybersecurity, and for good reason.  Regardless of whether it originates internally or externally, a security incident is a virtual certainty.  And regulators know that although vendor oversight does provide some measure of assurance, you have very little actual control over specific vendor-based preventive controls.  So detective and corrective/responsive controls must compensate.

What you need to do:

Make sure your incident response program (IRP) has been updated to accommodate a response to a cybersecurity event.  As I stated in Part 1, your existing policies should already do this if they are impact-based instead of threat-based.  “Cyber” simply refers to the source or nature of the threat.  The impact of a cybersecurity event is generally the same as any other adverse event; information is compromised or business is interrupted.  However, all IRPs should contain certain elements:

  • The incident response team members
  • A method for classifying the severity of the incident
  • A response based on severity, to include internal escalation, and external notification.
  • Periodic testing and Board reporting

Regarding testing, the FFIEC considers it so important they refer to it as one of the primary take-aways from their recent webinar, encouraging all institutions to consider:

How often is my institution testing its plans to respond to a cyber attack? Do these tests include our key internal and external stakeholders?

In summary, review the requirements for cybersecurity, and compare them with your current policies, procedures and practices.  Hopefully you’ve already incorporated many (if not most) of these elements into your program, and very little adjustment needs to be made.  But either way, be prepared to discuss what you are doing, and how you are doing it, with the regulators…they WILL be asking you.