Tag: OCC

18 Aug 2023
Third-Party Risk Management Final Guidance – An In-depth Analysis

Background 

In July of 2021, the three primary federal bank regulators (OCC, FDIC, and Federal Reserve) proposed new guidance on third-party risk management (TPRM). According to the agencies, “The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.” In June of 2023 all three agencies jointly adopted the final guidance, stating that: “The final guidance offers the agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.” The agencies issued it jointly to “promote consistency in supervisory approaches”, something we fully support and have long advocated. It replaces each agency’s existing guidance on this topic and applies to all banking organizations supervised by the three agencies (in practice, all banks and savings associations, but not credit unions, which are supervised by the NCUA).

Analysis 

Since third-party relationships represent a significant amount of residual enterprise-wide strategic, operational, and information security risk for many financial institutions (we refer to this as ‘inherited risk’), and because we believe regulators will greatly increase their scrutiny of risk management efforts in this area, we have spent the last couple of months taking a deep dive into the details of the guidance and its potential implications for your TPRM program. The following is a summary of our observations.

The agencies describe a continuous, 5-phase life cycle, wrapped in a formal governance process that has 3 sections of its own.

Each of the 5 life-cycle phases consists of one or more sections, and each section of one or more statements:

  1. Planning – 1 section, 11 statements
  2. Due Diligence & Third-Party Selection – 14 sections, 40 statements
  3. Contract Negotiation – 17 sections, 61 statements
  4. Ongoing Monitoring – 1 section, 14 statements
  5. Termination – 1 section, 6 statements

and 

  • Governance – 3 sections, 29 statements 

In total, there are 161 statements to evaluate, and they range from what we’ve interpreted as strong recommendations (“It is important for contracts to stipulate…”), to what we’ve determined are general observations and best practices (“May want to consider whether the contract…”).   

Implications 

In addition to factoring the “must have vs. nice to have” interpretation of each statement into the analysis, your institution will also need to determine the applicability of each individual statement to your organization. No fewer than 13 times the guidance uses some variation of “…commensurate with the banking organization’s risk appetite and the level of risk and complexity of its third-party relationships.” This is the applicability filter through which each “implement/do not implement” determination will pass. Simply put, although you should be familiar with every statement and its implications, you may not need to adopt them all. Indeed, if you currently have and maintain a compliant third-party management program, many are very likely already in place.

However, the single most important take-away for us is how the statements are distributed across the sections, which we believe gives a good indication of how regulators will evaluate your TPRM program during an exam. The vast majority (112 of the 161 statements, or roughly 70%) are clustered in what can be referred to as the “pre-engagement” phase, that is, before you formally engage (by contract or otherwise) with the third party: the Planning, Due Diligence, and Contract Negotiation phases.

Does this mean that ~70% of your third-party management effort going forward should be pre-engagement? We think that is a reasonable assumption, and we anticipate that sooner or later the regulators will align their expectations in that direction. And since most compliant TPRM programs very likely already address the Ongoing Monitoring and Governance areas, the biggest challenge for most institutions will be:

  1. Evaluating each of the 112 statements in the pre-engagement phase, and determining,
  2. Whether the statement is already addressed somewhere in your current program, and
  3. If not, deciding whether or not to implement it, based on the criticality, complexity, and nature of the service(s) provided by the third party and on your institution’s risk appetite.

Pre-engagement vs. Pre-initiative 

Although significantly expanded here, due diligence and contract considerations have, to a greater or lesser degree, always been part of vendor management. The biggest departure from current practice for most institutions will be in the Planning phase. There are only 11 statements in this section, but they all address the risks of the business initiative itself, NOT the third party! These statements include items such as:

  • “Understanding the strategic purpose of the business arrangement…” 
  • “Identifying and assessing the benefits and the risks associated with the business arrangement…”, and 
  • “Considering the nature of the business arrangement…” 

While most would consider these types of strategic (“why” instead of “how”) discussions to be beyond the scope of a traditional TPRM program, it is clear that regulators will look for them going forward. Make sure to build this pre-initiative “why” phase into your program.

Summary 

As with all things in the compliance space, be sure to document your entire decision-making process and don’t hesitate to reach out to our experts for assistance.  As the guidance also states,  “A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.” 

The agencies have indicated that they plan to develop additional resources to assist smaller, less-complex community banking organizations in managing relevant third-party risks, and we’re keeping an eye on this.  In the meantime, we have created an interactive tool that lists all sections and statements, allows you to acknowledge each statement, add your notes, and track your overall progress.  Click here for a copy.   

We also offer a complimentary high-level regulatory compliance evaluation of your existing vendor management program. Click here to request more information. 

We will be hosting an in-depth webinar and analysis on this new guidance on September 20th. A registration link will be available on our webinar page within the next week. 

19 Oct 2016

Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

Hey Guru!

Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC banks to complete the Assessment?


On October 17, 2016, the FFIEC released a Frequently Asked Questions document on the Cybersecurity Assessment Tool. It reiterated that the assessment is voluntary and that an institution can choose to use either this assessment tool or an alternate framework to evaluate inherent cybersecurity risk and control maturity.

Since the tool was originally released in 2015, all the regulatory agencies have announced plans to incorporate the assessment into their examination procedures:

  • OCC Bulletin 2015-31 states “The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts. While use of the Assessment is optional for financial institutions, OCC examiners will use the Assessment to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.”
  • Federal Reserve SR 15-9 states “Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.”
  • FDIC FIL-28-2015 states “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
  • NCUA states “FFIEC’s cybersecurity assessment tool is provided to help them assess their level of preparedness, and NCUA examiners will use the tool as a guide for assessing cybersecurity risks in credit unions. Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide.”

Even though the FFIEC format is officially voluntary, the institution still has to evaluate inherent risk and cybersecurity preparedness in some way. Therefore, unless you already have a robust assessment program in place, we strongly encourage all institutions to adopt the FFIEC Cybersecurity Assessment Tool format since this is what the examiners will use.

NOTE: The FAQ also made it clear that the FFIEC does not intend to offer an automated version of the tool. To address this, we have developed a full-featured cybersecurity service (RADAR) that includes an automated assessment, plus a gap analysis / action plan, cyber-incident response test, and several other components.

11 Nov 2014

Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments

(NOTE:  Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.)

In this edition:

  • The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC is also the Chairman of the FFIEC.  I comment on 3 recent OCC pronouncements.
  • The FFIEC has completed the cybersecurity risk assessments, and issued some observations.

First up, the OCC recently updated its guidance on Matters Requiring Attention, or MRAs. Classified generally as examination “findings”, MRAs are the most serious type of finding, as they require the immediate attention of senior management and timely (i.e. rapid) corrective action. While it’s good to see this process standardized (at least among OCC examiners; other agencies have yet to follow suit), what struck me was how the “open” items (those that have yet to be corrected) were classified. In particular, one category I haven’t seen before: “Self-identified”. A “Self-identified” MRA is defined as:

“A significant unresolved concern that the bank initially discovered. A bank’s action to self-identify concerns is an important consideration when the OCC assesses the adequacy of the bank’s risk management system.”

So in other words, you discovered a deficiency first, and then either brought it to the attention of the regulator or they found it. Instead of counting against you, this actually strengthens the regulator’s view of your risk management system. Essentially this is an MRA that has a positive impact on your institution! I’ve discussed this “control self-assessment” process before. Don’t be afraid of finding problems; it’s much better that you find them than the regulator!

Next up from the OCC, the Comptroller of the Currency, Thomas J. Curry (who also chairs the FFIEC), recently gave a speech on cybersecurity to the 10th Annual Community Bankers Symposium. Here are a few of my observations:

  • Smaller institutions may be more at risk from cybercrime because of their lack of internal resources compared to larger institutions, so collaboration with information sharing organizations is particularly important.
  • Management is encouraged to incorporate cyber-incident scenarios into their business continuity and incident response planning.
  • It’s “extremely important” for management to understand their risk exposure to cyber-threats and vulnerabilities.
  • Because of the high degree of interconnectedness among institutions and their third-party providers, managing those relationships is vital. Curry states that “third-party relationships have been a significant area of concern for years, and not just in the area of cybersecurity.” The agency has played, and will continue to play, a role in supervising these providers, but it stresses that its supervision “does not take the place of due diligence or ongoing monitoring” on your part.

Lastly from the OCC, could we see merchants held to the same security standards as financial institutions? Consider this statement from Comptroller Curry in the same speech:

“…we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

This is long overdue in my opinion; merchants are widely considered the weakest link in the cybersecurity chain. The challenge will be enforcing it. Until merchants are under the same regulatory burden as financial institutions, they will have little incentive to comply. PCI DSS compliance has not proven to be an effective guarantee: after all, both Target and Home Depot claimed to be PCI compliant prior to their breaches.

Finally, the FFIEC has concluded their cybersecurity assessments and issued some general observations.  Summarizing:

  • Management must understand their own cybersecurity exposure (see Comptroller Curry’s comments above).
  • Key to understanding your cybersecurity status is knowing who connects to you, and how.
  • Manage your third-party relationships, and understand how your vendors are managing their third-parties.
  • Expand your disaster recovery and incident response processes to incorporate cyber incident scenarios (again, see Chairman Curry’s remarks above).

…and last but not least…

  • “As a result of the Cybersecurity Assessment, FFIEC members are reviewing and updating current guidance to align with changing cybersecurity risk.” In other words, new guidance is on the way!

09 Apr 2014

FDIC Re-issues Service Provider Guidance

Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships:

  • Effective Practices for Selecting a Service Provider
  • Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
  • Techniques for Managing Multiple Service Providers

What struck me about this re-release is that the publications were re-issued without modification of any kind. That suggests not only that expectations have changed very little since 2001, but also (and more significantly) that regulators expect you to already be adhering to them. But are you?

First of all, this guidance (and indeed the guidance released last year by the OCC and the Federal Reserve) makes it clear that there is no meaningful distinction between service provider, vendor, subcontractor, and outsourcer…they are all the same as far as regulatory expectations are concerned.

So, just in case the realities of your vendor management activities have fallen short of those expectations, here are a few things regulators expect:

  • The vendor management process actually starts before the vendor becomes a vendor; indeed, it begins even prior to identifying prospective vendors. It starts when management identifies the need for outsourcing and determines how outsourcing will support the institution’s objectives and strategic plans.
  • Even when only one provider has been identified, you must still evaluate their expertise, technical controls, financial condition, and management.
  • Although not a strict requirement, an RFP, RFQ, and/or RFI can greatly contribute to the selection process by making sure the deliverables match your expectations.
  • If an RFP was used to solicit proposals, those documents can be incorporated into the contract.
  • The contract remains the single most important vendor management control, and regulators consider the Service Level Agreement (SLA) a key component in structuring a successful outsourcing contract.

One final thought on this re-release: between it, the OCC and Federal Reserve issuing updated guidance on outsourcing late last year, and the fact that almost all of the recent updates to the FFIEC IT Examination Handbooks dealt either directly or indirectly with vendor management, I believe more strongly than ever that this will be a regulator hot-button for the immediate (and foreseeable) future.

05 Nov 2013

The OCC Sets a New Standard for Vendor Management…

…but will it become the new standard for institutions with other regulators? UPDATE – The answer is yes, at least for the Federal Reserve. Readers of this blog know that I’ve been predicting an increase in vendor management program scrutiny since early 2010. And although the FFIEC has been very active in this area, issuing multiple updates to outsourcing guidance in the past 2 years, it appears that the OCC is the first primary federal regulator (PFR) to formalize it into a prescriptive methodology.

So if you are a national bank or S&L regulated by the OCC, what you’ll want to know is “what changed?” They’ve been looking at your vendor management program for years as part of your safety & soundness exams, so exactly what changes will they expect you to make going forward? The last time the OCC updated its vendor management guidance was back in 2001, so chances are you haven’t made many substantial changes in a while. That will change.

However, if you are regulated by the FDIC, the Federal Reserve, or the NCUA, so what? Nothing has changed, right? Well no…not yet anyway. Except for adding a “Vendor Management and Service Provider Oversight” section to the IT Officer’s Questionnaire back in 2007, the FDIC hasn’t issued any new or updated guidance since 2001. Similarly, the NCUA last issued guidance in 2007, but it was really a re-statement of existing guidance that was first issued in 2001. So considering the proliferation of outsourcing in the last 10 years, I believe all of the other regulators are overdue for updates. Furthermore, I believe the OCC did a very good job with this guidance, and all financial institutions, regardless of regulator, would be wise to take a close look.

So what’s changed?  I compared the original 2001 bulletin (OCC 2001-47) side-by-side with the new one (OCC 2013-29), and although most of the content was very similar, there were some significant differences.  Initially they both start out the same way; stating that banks are increasing both the number and the complexity of outsourced relationships.  But the updated guidance goes on to state that…

“The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”

They specifically cited failure to assess the direct and indirect costs, failure to perform adequate due diligence and monitoring, and multiple contract issues, as troublesome trends.

Conceptually, the new guidance focuses around a 5-phase “life-cycle” process of risk management.  The life-cycle consists of:

  • Planning,
  • Due diligence and third-party selection,
  • Contract negotiation,
  • Ongoing monitoring, and
  • Termination

First of all, a “cycle” concept strongly suggests that a once-a-year approach to program updates is not sufficient. Secondly, I think the planning, or pre-vendor, phase is potentially the most significant in terms of the changes that regulators will expect going forward. For one thing, beginning the vendor management process BEFORE beginning the relationship (i.e. before the vendor becomes a vendor) seems like a contradiction in terms (although it is not entirely new to readers of this blog), so many institutions may have skipped this phase entirely. But it is at this planning stage that elements like strategic justification, complexity, and impact on existing customers are assessed. Those are only a few of the considerations in the planning phase; the guidance lists 13 in all.

The due diligence and contract phases are clearly defined and also expanded, but fairly consistent with existing guidance*.  And although termination is now defined as a separate phase, the expectations really haven’t changed much there either.

On-going monitoring (the traditional oversight phase) has been greatly expanded however.  The original guidance had 3 oversight activities; the third party’s financial condition, its controls, and the quality of its service and support.  The new guidance still has those 3…and adds 11 more.  Everything from insurance coverage, to regulatory compliance, to business continuity and managing customer complaints.

But perhaps the biggest expansion of expectations in the new guidance is the banks’ responsibility to understand how the vendor manages their subcontractors.  Banks are expected to…

“Evaluate the third party’s ability to assess, monitor, and mitigate risks from its use of subcontractors and to ensure that the same level of quality and controls exists no matter where the subcontractors’ operations reside.”

Shorter version: “Know your vendor…and your vendor’s vendor”.  And this expectation impacts all phases of the risk management life-cycle.  Subcontractor concerns start in the planning stage, continue through due diligence and contract considerations, add control expectations to on-going monitoring, and even impact termination considerations.

In summary, everything expands. Your pre-vendor & pre-contract due diligence expands, oversight requirements (and the associated controls) increase, and of course everything must be documented…which also expands! The original guidance listed 5 items typically contained in proper documentation; the updated guidance lists 8. But it’s the very first item on the list that caught my attention, because it would appear to actually re-define a vendor. Originally the vendor listing was expected to consist of simply “a list of significant vendors or other third parties”, which, depending on the definition of “significant”, was a fairly short list for most institutions. Now it must consist of “a current inventory of all third-party relationships”, which leaves nothing to interpretation and expands your vendor list considerably.**

So if you are regulated by the OCC you can expect these new requirements to be incorporated into the examination process fairly soon.  If not, use this as a wake-up call.  I think you can expect the other federal regulators to follow suit with their own revised guidance.  The OCC has just set the gold standard.  Use this opportunity to get ahead of your regulator by revisiting and enhancing your vendor management program now.

* Safe Systems customers can get updated due diligence and contract checklists from their account manager.

** All vendors on the list must be risk assessed, and although the risk categories didn’t change (operational, compliance, reputation, strategic and credit) some of the risk elements did.  Matt Gunn pointed out one of the more interesting changes in his recent TechComply post.  I’ll cover that and others in a future post.

03 Jul 2012

“Operational Risk Increasing”

In a recent speech to the Exchequer Club [1], Thomas J. Curry, the new Comptroller of the Currency (head of the OCC), stated that although asset quality has improved, charge-off rates have fallen, and capital now stands at its highest level in a decade, another type of risk is gaining increasing prominence: Operational Risk.

“Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge. Rising operational risk concerns them, it concerns me, and it should concern you.”

In fact, the OCC considers it currently to be at the top of the list of safety and soundness issues for the institutions they supervise.  Earlier this year I wrote about how risk assessments were one of the compliance trends of 2012, and how regulators are now asking about things like strategic risk and reputation risk and operational risk, and expecting that these risks are assessed alongside the more traditional categories like privacy and security.

So the question is:  What exactly is operational risk, and how can financial institutions effectively address it?  The FFIEC defines it this way:

“Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Operational risk is present across all business lines.”

Furthermore, because the implications of operational risk extend to all other risks…

“Management should distinguish the operational risk component from other risks to enable a stronger focus on operational risk mitigation.”

If you are still a bit confused about exactly what operational risk looks like, you are not alone.  Because it exists in all business lines and manifests itself in every other risk, it is one of the most difficult risks to assess.  In other words, it’s everywhere…and affects everything!

Simply put (and assuming your policies and procedures are adequate), most of the time operational risk can be defined as a failure to adhere to your own internal policies and procedures. In other words, if you don’t do what you say you will do, or you don’t do it the way you say you’ll do it, something will fail as a result. Whether it’s a process, a control, a system, or a risk model…if they are in place and operational, but either flawed or not followed, operational risk is the result. [2] But here is the kicker: even if your processes/procedures/models, etc. are flawless and followed to the letter, if you can’t document that they are, you may still have a high operational risk finding in your next safety and soundness examination.

The best way to address operational risk is to implement an internal control self-assessment process to assure that risk management controls are adequate, in place, and functioning properly.  Reporting will document that your day-to-day practices follow your written procedures.  Finally, make sure all business decisions reflect the goals and objectives of the strategic plan, and report to the Board on a regular basis.

In summary, integrate assessment of operational risk into your risk management process, and expect to hear more about it from the regulators in the future.  And don’t think that because you aren’t regulated by the OCC you won’t see this trend.  After all, as Mr. Curry stated:

“As regulators, one of our most important jobs is to identify risk trends and bring them to the industry’s attention in a timely way. No issues loom larger today than operational risk in all its dimensions, the manner in which all risks interact, and the importance of managing those risks in an integrated fashion across the entire enterprise.”


[1] The Exchequer Club is comprised of senior professionals from trade associations, federal regulatory agencies, law firms, congressional committees and national press with a primary interest in national economic and financial policy.

[2] Business Continuity Planning uses a slightly different definition of operational risk. Since the basic assumption of a BCP is that your processes and systems have already failed because of a disaster, operational risk manifests itself in the additional overhead that the alternative recovery processes and procedures temporarily impose on your organization. Of course, if your BCP is inadequate, failed processes will be the result.