-
New Third-party Management Guidance Pending
In July of 2021, the three primary bank regulators (OCC, FDIC, and Federal Reserve) proposed new guidance on third-party risk management. According to the agencies, “The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.” After an extended comment period […]
-
Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”
Hey Guru! Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC […]
-
FDIC Re-issues Service Provider Guidance
Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships: Effective Practices for Selecting a Service Provider; Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements; and Techniques for Managing Multiple Service Providers. What struck me about this re-release, and the fact that they were released without modification of any […]
-
Ask the Guru: Vendor vs. Service Provider
Hey Guru, I recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider. His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them. He suggested that we should be focused instead only on those few […]
-
FDIC can now step in regardless of primary regulator (part 2)
Further to the previous post, the memorandum requires the FDIC opinion to prevail in the event that an institution’s PFR (primary federal regulator) CAMELS rating differs from the FDIC: If the FDIC’s CAMELS ratings for an institution differ from a PFR’s assigned ratings, the FDIC is required to provide the PFR with an explanation of […]