FFIEC Guidance for Managing Third-Party Risk


Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence. In addition, the risks inherent in such a chain may be heightened when a banking organization uses third parties for critical activities. FIL-44-2008, Guidance for Managing Third-Party Risk (June 6, 2008). If a third party uses subcontractors (also referred to as fourth parties), a bank may find the third party's SOC 1 type 2 report particularly useful, as SSAE 18 requires the auditor to determine and report on the effectiveness of controls the third party has implemented to monitor the controls of the subcontractor. Banks should discuss their plans with an OCC portfolio manager, examiner-in-charge, or supervisory office if the use of alternative data from a third-party relationship constitutes a substantial deviation from the bank's existing business plans or material changes in the bank's use of alternative data. For some relationships, on-site visits may be useful to understand fully the third party's operations and capacity. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. An API refers to a set of protocols that links two or more systems to enable communication and data exchange between them.
Assess the banking organization's ability to oversee and manage its relationships; Highlight and discuss material risks and any deficiencies in the banking organization's risk management process with the board of directors and senior management; Carefully review the banking organization's plans for appropriate and sustainable remediation of such deficiencies, particularly those associated with the oversight of third parties that involve critical activities; Identify and report deficiencies in supervisory findings and reports of examination and recommend appropriate supervisory actions. the FDIC's 2008 guidance,[4] The proposed guidance does not revise any existing, or create any new, information collections pursuant to the PRA. In what areas should the level of detail be increased or reduced? Bank management should keep in mind that specific technical controls in cloud computing may operate differently than in more traditional network environments. Proposed interagency guidance and request for comment. These can be useful for understanding critical activities and how a bank can determine the risks associated with third-party relationships. Risk does not depend on the size of the third-party relationship. The agencies have each adopted regulations setting forth Statements Clarifying the Role of Supervisory Guidance as guidance.

Once a banking organization selects a third party, it negotiates a contract that clearly specifies the rights and responsibilities of each party to the contract. For relevant third-party relationships, stipulate that the performance of activities by external parties for the banking organization is subject to regulatory examination oversight, including access to all work papers, drafts, and other materials.[19] Subsequent significant contractual changes should prompt reevaluation of bank policies, processes, and risk management practices. Consider the consistency of the third party's information security program with the banking organization's program, and whether there are gaps that present risk to the banking organization. OCC Bulletin 2013-29 states that depending on the significance of the third-party relationship, a bank's analysis of a third party's financial condition may be as comprehensive as if the bank were extending credit to the third-party service provider. Bank management should understand how the information contained within the utility report covers the specific services that the bank has obtained from the third party and meets the bank's due diligence and ongoing monitoring needs.
Seek legal advice to confirm the enforceability of all aspects of a proposed contract with a foreign-based third party and other legal ramifications of each such business arrangement, including privacy laws and cross-border flow of information. Banks may also outsource the process of engaging real estate appraisers to appraisal management companies. Collaboration can leverage resources by distributing costs across multiple banks. If third parties provide input data or assumptions, the relevance and appropriateness of the data or assumptions should be validated. could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house. For more information on types of audits and control reviews, refer to appendix B of the Internal and External Audits booklet of the Comptroller's Handbook. Specify when and how the third party will disclose, in a timely manner, information security breaches that have resulted in unauthorized intrusions or access that may materially affect the banking organization or its customers. The due diligence process also provides management with the information needed to determine whether a relationship mitigates identified risks or poses additional risk. 1464(d)(7)(D)(ii) and 1867(c)(2). Comments should be directed to: Board: When submitting comments, please consider submitting your comments by email or fax because paper mail in the Washington, DC area and at the Board may be subject to delay. when data aggregators are in a third-party relationship with a bank. In such situations, it is important to identify limitations, understand the risks, consider how to mitigate the risks, and determine whether the residual risks are acceptable. Refer to U.S. Department of the Treasury report A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation for more information on data aggregators.[10] Review the third party's processes for maintaining timely and accurate inventories of its technology and its subcontractor(s). the third party's monitoring and control testing of subcontractors. Banks should take steps to manage the safety and soundness of the sharing of customer-permissioned data with third parties. Agreements for banks' use of data aggregation services:[8] A business arrangement exists when a bank contracts or partners with a data aggregator to use the data aggregator's services to offer or enhance a bank product or service. When technology supports service delivery, assess the third party's data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests. A bank should consider whether a SOC 1 type 2 report contains sufficient information and is sufficient in scope to assess the third party's risk environment or whether additional audit or review is required for the bank to properly assess the third party's control environment. There is no one way for banks to structure their third-party risk management process. Periodic board reporting is essential to ensure that board responsibilities are fulfilled.

Evaluate the potential legal and financial implications to the banking organization of these contracts between the third party and its subcontractors or other parties. Include in contracts with foreign-based third parties choice-of-law provisions and jurisdictional provisions that provide for adjudication of all disputes between the parties under the laws of a single jurisdiction. The proposed guidance states that a banking organization's use of third parties does not diminish its responsibility to perform an activity in a safe and sound manner and in compliance with applicable laws and regulations. While collaborative arrangements can assist banks with their responsibilities in the life cycle phases for third-party risk management, each individual bank should have its own effective third-party risk management process tailored to each bank's specific needs. could have significant bank customer impact. Refer to ISO 22301:2012, Societal Security - Business Continuity Management Systems - Requirements, for more information regarding the ISO's standards for business continuity management. Banks should also analyze relevant consumer protection laws and regulations to understand the opportunities, risks, and compliance requirements before using alternative data. Evaluate the volume, nature, and trends of consumer inquiries and complaints and assess the third party's ability to appropriately address and remediate inquiries and complaints. Validation reports should not be taken at face value. In order to facilitate or supplement a banking organization's due diligence, a banking organization may use the services of industry utilities or consortiums, including development organizations, consult with other banking organizations,[15] Types of insurance coverage may include fidelity bond; cybersecurity; liability; property hazard and casualty; and intellectual property.
As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs. Due diligence will include assessing a third party's ability to perform the activity as expected, adhere to a banking organization's policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner. The level of due diligence and oversight should be commensurate with the risk associated with the activity or data using cloud computing. Bank employees who directly manage third-party relationships escalate to senior management significant issues or concerns arising from ongoing monitoring, such as an increase in risk, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, service or system interruptions, or compliance lapses. Where problems are identified, the banking organization should seek to renegotiate at the earliest opportunity. A contract may limit the third party's liability, in which case the banking organization may consider whether the proposed limit is in proportion to the amount of loss the banking organization might experience because of the third party's failure to perform or to comply with applicable laws, and whether the contract would subject the banking organization to undue risk of litigation. Bank management typically designates an internal party to. What factors should a banking organization consider in determining the types of subcontracting it is comfortable accepting in a third-party relationship? Evaluate the qualifications and experience of the company's principals related to the services provided by the third party.
What additional information, if any, could the proposed guidance provide to banking organizations in managing the risk associated with third-party platforms that directly engage with end customers? The OCC expects all banks to develop and maintain an effective compliance management system and provide fair access to financial services, ensure fair treatment of customers, and comply with consumer protection laws and regulations. Third-party risk management for cloud computing services is fundamentally the same as for other third-party relationships. How may a bank use third-party assessment services (sometimes referred to as third-party utilities)? Refer to the Federal Trade Commission and U.S. Department of Justice's Antitrust Guidelines for Collaborations Among Competitors. The compensation may also be non-financial, such as cross-marketing. Relevant agreements concerning customer-permissioned information sharing are generally between the customer and the financial service provider or the data aggregator and do not involve a contractual relationship with the bank. The proposed guidance is based on the OCC's existing third-party risk management guidance from 2013 and includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies. Banking organizations' expanded use of third parties, especially those with new or innovative technologies, may also add complexity, including in managing consumer compliance risks, and otherwise heighten risk management considerations. As part of sound risk management, banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support critical activities.
Critical activities are significant bank functions[13] In these situations, bank management is limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would, even if the third-party relationship involves or supports a bank's critical activities. In meeting its due diligence and ongoing monitoring responsibilities, a bank may review a third party's SOC 1 report prepared in accordance with SSAE 18 to evaluate the third party's client(s)' internal controls over financial reporting, including policies, processes, and internal controls. Where applicable, determine whether the third party's internal audit function independently and effectively tests and reports on the third party's internal controls. The OCC issued the 2020 FAQs to clarify the OCC's 2013 third-party risk management guidance and discuss evolving industry topics. Refer to FAQ No. 11 in this bulletin for more information about a third party's subcontractors. If the third party receives a banking organization's customers' personally identifiable information, the contract should ensure that the third party implements and maintains appropriate security measures to comply with privacy regulations and regulatory guidelines.