Tag: Federal Reserve

18 Aug 2023
Third-Party Risk Management Final Guidance – An In-depth Analysis

Background 

In July of 2021, the three primary bank regulators (OCC, FDIC, and Federal Reserve) proposed new guidance on third-party risk management (TPRM). According to the agencies, “The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.” In June of 2023 all three (OCC, FDIC, Federal Reserve) jointly adopted the final guidance, stating that: “The final guidance offers the agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.” The agencies issued this simultaneously to “promote consistency in supervisory approaches”, something we fully support and have long advocated. It replaces each agency’s existing guidance on this topic and is applicable to all banking organizations supervised by the agencies (currently all financial institutions except credit unions).

Analysis 

Since third-party relationships represent a significant amount of residual enterprise-wide strategic, operational, and information security risk to many financial institutions (we refer to this as the ‘inherited risk’), and because we believe regulators will greatly increase their scrutiny of your risk management efforts in this area, we’ve taken the last couple of months to take a deep dive into the details of the guidance and the potential implications for your TPRM program. The following is a summary of our observations.

The agencies are advising a 5-step continuous life-cycle, wrapped in a formal, 3-phase governance process: 

Each of the 5 phases consists of one or more sections, each of those with one or more statements:   

  1. Planning – 1 section, 11 statements
  2. Due Diligence & Third-Party Selection – 14 sections, 40 statements
  3. Contract Negotiation – 17 sections, 61 statements
  4. Ongoing Monitoring – 1 section, 14 statements
  5. Termination – 1 section, 6 statements

and 

  • Governance – 3 sections, 29 statements 

In total, there are 161 statements to evaluate, and they range from what we’ve interpreted as strong recommendations (“It is important for contracts to stipulate…”), to what we’ve determined are general observations and best practices (“May want to consider whether the contract…”).   

Implications 

In addition to factoring the “must have vs. nice to have” interpretation of each statement into the analysis, you will also need to determine the applicability of each individual statement to your organization. No fewer than 13 times in the guidance they mention some variation of “…commensurate with the banking organization’s risk appetite and the level of risk and complexity of its third-party relationships.” This is the applicability filter through which your “implement/do not implement” determination will pass. Simply put, although you should be familiar with each statement and its implications, you may not necessarily need to adopt them all. Indeed, if you currently have and maintain a compliant third-party management program, many are very likely already in place.

However, the single most important take-away for us is how the statements are distributed throughout the sections, which we believe gives a pretty good indication of how the regulators will evaluate your TPRM program on the exam side. The vast majority (~70%) of statements are clustered in what can be referred to as the “pre-engagement” phase, or before you formally engage (by contract or otherwise) with the third-party; the Planning, Due Diligence and Contract phases:

Does this mean that ~70% of your third-party management efforts going forward should be pre-engagement? We think that is a reasonable assumption, and we anticipate that sooner or later the regulators will also align their expectations in that direction. And since most compliant TPRM programs very likely already address the Ongoing Monitoring and Governance areas, the biggest challenge for most folks will be:

  1. Evaluating each of the 112 statements in this pre-engagement phase, and determining,
  2. Whether the statement is already addressed somewhere in your current program,
  3. If not, deciding whether or not to implement it given your risk appetite and the criticality, complexity, and nature of the service(s) provided by the third-party.

Pre-engagement vs. Pre-initiative 

Although significantly expanded here, due diligence and contract considerations have, to a greater or lesser degree, always been in place. However, the biggest challenge for most institutions will be in the Planning phase.  There are only 11 statements in this section, but they all address the risks of the business initiative itself, NOT the third-party!  These statements include items such as: 

  • “Understanding the strategic purpose of the business arrangement…” 
  • “Identifying and assessing the benefits and the risks associated with the business arrangement…”, and 
  • “Considering the nature of the business arrangement…” 

While most folks would consider these types of strategic (“why” instead of “how”) discussions to be beyond the scope of a traditional TPRM program, it is clear that regulators are certain to look for them going forward.  Make sure to build this pre-initiative “why” phase into your program.   

Summary 

As with all things in the compliance space, be sure to document your entire decision-making process and don’t hesitate to reach out to our experts for assistance.  As the guidance also states,  “A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.” 

The agencies have indicated that they plan to develop additional resources to assist smaller, less-complex community banking organizations in managing relevant third-party risks, and we’re keeping an eye on this. In the meantime, we have created an interactive tool that lists all sections and statements, allows you to acknowledge each statement, add your notes, and track your overall progress.

We will be hosting an in-depth webinar and analysis on this new guidance on September 20th. A registration link will be available on our webinar page within the next week. 

19 Oct 2016

Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

Hey Guru!

Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC banks to complete the Assessment?

The FFIEC issued a press release on October 17, 2016, on the Cybersecurity Assessment Tool titled Frequently Asked Questions. This reiterated that the assessment is voluntary and an institution can choose to use either this assessment tool, or an alternate framework, to evaluate inherent cybersecurity risk and control maturity.

Since the tool was originally released in 2015, all the regulatory agencies have announced plans to incorporate the assessment into their examination procedures:

  • OCC Bulletin 2015-31 states “The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.”
  • Federal Reserve SR 15-9 states “Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”
  • FDIC FIL-28-2015 states “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
  • NCUA states “FFIEC’s cybersecurity assessment tool is provided to help them assess their level of preparedness, and NCUA examiners will use the tool as a guide for assessing cybersecurity risks in credit unions. Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide.”

Even though the FFIEC format is officially voluntary, the institution still has to evaluate inherent risk and cybersecurity preparedness in some way. Therefore, unless you already have a robust assessment program in place, we strongly encourage all institutions to adopt the FFIEC Cybersecurity Assessment Tool format since this is what the examiners will use.

NOTE:  The FAQ also made it clear that the FFIEC does not intend to offer an automated version of the tool.  To address this, we have developed a full-featured cybersecurity service (RADAR) that includes an automated assessment, plus a gap analysis / action plan, cyber-incident response test, and several other components.

09 Apr 2014

FDIC Re-issues Service Provider Guidance

Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships:

  • Effective Practices for Selecting a Service Provider
  • Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
  • Techniques for Managing Multiple Service Providers

What struck me about this re-release is that the publications were released without modification of any kind, which suggests not only that expectations have changed very little over the past 12 years, but also (and more significantly) that regulators expect that you are already adhering to them. But are you?

First of all, this guidance (and indeed the guidance released last year by the OCC and the Federal Reserve) makes it clear that there is no meaningful distinction between service provider, vendor, subcontractor, and outsourcer…they are all the same as far as regulatory expectations are concerned.

So, just in case the realities of your vendor management activities have fallen short of those expectations, here are just a few things regulators expect:

  • The vendor management process actually starts before the vendor becomes a vendor; indeed, it begins even prior to identifying prospective vendors. It actually starts when management identifies the need for outsourcing, and identifies how outsourcing will support the institution’s objectives and strategic plans.
  • Even when only one provider has been identified, you must still evaluate their expertise, technical controls, financial condition and management.
  • Although not a strict requirement, an RFP, RFQ and/or RFI can greatly contribute to the selection process by making sure the deliverables match your expectations.
  • If an RFP was used to solicit proposals, those documents can be incorporated into the contract.
  • The contract remains the single most important vendor management control, and regulators believe the Service Level Agreement (SLA) is a key component in structuring a successful outsourcing contract.

One final thought on this re-release: this, the OCC and Federal Reserve issuing updated guidance on outsourcing late last year, and the fact that almost all of the recent updates to FFIEC IT Examination Handbooks dealt either directly or indirectly with vendor management, all lead me to believe even more strongly than ever that this will be a regulator hot-button in the immediate (and foreseeable) future.

20 Aug 2013

Ask the Guru: Vendor vs. Service Provider

Hey Guru
I recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider.  His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them.  He suggested that we should be focused instead only on those few key providers that pose the greatest risk of identity theft.  Our approach has always been to assess each and every vendor.  Is this a new approach?
I don’t think so, although I think I know where the examiner is coming from on the vendor vs. service provider distinction.  First of all, let’s understand what is meant by a “service provider”.  The traditional definition of a service provider was one who provided services subject to the Bank Service Company Act (BSCA), which dates back to 1962.  As defined in Section 3 of the Act, these services include:

“…check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.”

But lately the definition has expanded way beyond the BSCA, and today almost anything you can outsource can conceivably be provided by a “service provider”.  In fact according to the FDIC, the products and services provided can vary widely:

“…core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers.”

Furthermore, in a 2010 interview with BankInfoSecurity, Don Saxinger (Team Lead – IT and Operations Risk at FDIC) said this regarding what constitutes a service provider:

“We are not always so sure ourselves, to be quite honest…but, in general, I would look at it from a banking function perspective. If this is a function of the bank, where somebody is performing some service for you that is a banking function or a decision-making function, including your operations and your technology and you have outsourced it, then yes, that would be a technology service that is (BSCA) reportable.”

Finally, the Federal Reserve defines a service provider as:

“… any party, whether affiliated or not, that is permitted access to a financial institution’s customer information through the provision of services directly to the institution.   For example, a processor that directly obtains, processes, stores, or transmits customer information on an institution’s behalf is its service provider.  Similarly, an attorney, accountant, or consultant who performs services for a financial institution and has access to customer information is a service provider for the institution.”

And in their Guidance on Managing Outsourcing Risk:

“Service providers is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities”

So access to customer information seems to be the common thread, not necessarily the services provided.  Clearly the regulators have an expanded view of a “service provider”, and so should you.  Keep doing what you’re doing.  Run all providers through the same risk-ranking formula, and go from there!

One last thought…don’t get confused by different terms. According to the FDIC as far back as 2001, other terms synonymous with “service providers” include vendors, subcontractors, external service providers (ESPs) and outsourcers.

06 Oct 2011

Material Loss Reviews: Does responsibility = liability?

I asked in my previous post whether or not the regulators should share any of the blame when institutions fail, and if so, should they shoulder any of the liability?  The thought occurred to me as I was reviewing some recent Material Loss Reviews.

A Material Loss Review (MLR) is a post-mortem written by the Office of Inspector General for each of the federal regulators with oversight responsibility after a failure of an institution if the loss to the deposit insurance fund is considered to be “material”. (The threshold for determining whether the loss is material was recently increased by the Dodd-Frank Act from $25 million to $200 million, so we are likely to see fewer of these MLRs going forward.) All MLRs have a similar structure. There is an executive summary in the front, followed by a break-down of capital and assets by type and concentration. But there is also a section that analyzes the regulator’s supervision of the financial institution, and I noticed a recurring theme in this section:

  • …(regulator) failed to adequately assess or timely identify key risks…until it was too late.
  • …(regulator) did not timely communicate key risks…
  • …Regulator should have taken “a more conservative supervisory approach”, and used “forward-looking supervision”.
  • …examiners identified key weaknesses…but…they did not act on opportunities to take earlier and more forceful supervisory action.
  • …serious lapse in (regulator’s) supervision
  • …(regulator), in its supervision…did not identify problems with the thrift
  • …(regulator) should have acted more forcefully and sooner to address the unsafe and unsound practices
  • …(regulator) did not fully comply with supervisory guidance

There were also many references to the responsibilities of the Board, which I addressed here, but in almost every case the regulator was found at least partially responsible for the failure of the institution.

Here is where you can find the reports for each regulator:

I encourage you to take a look at these and draw your own conclusions as to the issues of responsibility and liability. But clearly there are lessons to learn from any failure, and one lesson that I think we should all learn from this is that regulators will be pressured to be much more critical going forward (i.e., quicker to apply “Prompt Corrective Action”). After all, no one likes to be called out for doing a bad job.

One other part I found interesting (in the sense that it perfectly fits the narrative) is where the review lists all examination CAMELS ratings in the periods immediately prior to the failure.  What struck me was how many times institutions scored 1’s and 2’s just prior to the failure, and then dropped immediately to 4’s and 5’s in a single examination cycle.  Again, the lesson is that there will be tremendous downward pressure on CAMELS scores.  And don’t think that just because you are healthy you’re immune from the additional scrutiny.  As one MLR stated “…a forceful supervisory response is warranted, even in the presence of strong financial performance.”

09 Aug 2010

FDIC can now step in regardless of primary regulator (part 2)

Further to the previous post, the memorandum requires the FDIC opinion to prevail in the event that an institution’s PFR (primary federal regulator) CAMELS rating differs from the FDIC’s:

If the FDIC’s CAMELS ratings for an institution differ from a PFR’s assigned ratings, the FDIC is required to provide the PFR with an explanation of the basis for the FDIC’s position. In the event of a disagreement, the matter must be referred to the FDIC Director of the Division of Supervision and Consumer Protection (Director), or other designee, and the appropriate supervision official of the PFR. Any decision by the FDIC to use an assigned rating different than the PFR’s rating must be made by the Director (or other designee), after consultation with the Chairman of the FDIC.

Again, best advice is to adopt the FDIC interpretation of FFIEC regulations, regardless of your PFR.