Corporate Compliance Insights

Proposed Inter-Agency Guidance Would Rewrite the Book on Third-Party Risk Management and Raise the Bar for SOC 2 Compliance

The Fed and FDIC Have Trailed the OCC in Regulatory Rigor. That May Soon Change.

by Eva Pittas
October 20, 2021
in Risk

The Fed, OCC and FDIC took an unprecedented step this summer in proposing a joint third-party risk management and information security framework that could apply broadly across the financial industry.

In 2013, the Office of the Comptroller of the Currency (OCC) issued guidance to national banks on assessing and managing the risks of third-party relationships, and the Federal Reserve followed shortly after with its own guidance on managing outsourcing risk. Both were prompted by banks' ever-increasing reliance on third parties, coupled with a significant rise in cyberattacks and in the operational risk associated with vendors.

The need for stronger oversight and governance of third parties was clear. Years later, it is evident that this regulatory change helped drive the rapid growth of SOC 2 reports (Service Organization Control reports, since renamed System and Organization Controls by the AICPA) as other industry verticals followed suit.

And now the regulators are at it again, this time with a unified voice. In July 2021, for the first time, the Federal Reserve System (Fed), the FDIC and the OCC jointly released proposed guidance that builds on and enhances the OCC's 2013 guidance.

This new unified guidance signals a need for harmonization in the financial services industry around managing third parties.

Why Now?

Traditional outsourcing continues and is on the rise, but banks are now also entering into partnerships with fintech companies, introducing new risks into the financial system.

Existing, Disparate Infosec Standards

To understand the new interagency guidance proposal, we need to examine the regulations that have preceded it.

In 2008, the FDIC issued “Guidance for Managing Third-Party Risk,” which was followed in 2013 by “Guidance on Managing Outsourcing Risk” from the Federal Reserve and the OCC’s “Third-Party Relationships: Risk Management Guidance.”

Almost a decade later, the financial technology sector has exploded with innovation, adding thousands of new tech partners and vendors to the space. This has created the need for updated, harmonized guidance. But first, let's look at what the landscape looks like today.

OCC 2013 Guidance

The OCC's 2013 guidance outlined steps banks should take to secure their customers' data, protect financial records and create safeguards for the integrity and availability of services. It called for a risk-based approach to managing third parties and was prescriptive in its expectations for managing the vendor lifecycle, including vendor selection, ongoing monitoring, management and termination.

All eyes are now on the final version of the new guidance; the regulators have requested comments from the industry on the proposal.

Overview of the Proposed Regulation

The proposed guidance makes bank executives and management responsible for the risk associated with third-party service providers. While many financial services firms already have vendor management and procurement processes, the guidance expects those processes to operate within a formal framework.

As with most issued guidance, the proposed shifts are small but mighty. Most significantly, the agencies recognize the need to oversee not only third parties but also the vendors that store or transfer those third parties' data. This ripple effect pulls fourth and fifth parties into scope when assessing information privacy and security.

Lack of Harmonization within the Industry

While the Fed, OCC and FDIC have each put forward third-party guidance before, this is the first time all three have come together to condense and commit to one set of expectations. Not all financial institutions answer to the same regulator, so a vendor selling across the industry may have had to satisfy three slightly different sets of requirements.

As the first unified guidance, it should prompt institutions to amend existing disparities and the lack of cohesiveness in their programs.

The hope is that this isn't just another standard, but that it will trickle down to small local banks and businesses, driving harmonization across the financial industry.

Taking a Risk-Based Approach

The document requires high-risk vendors providing critical services to be managed under the most stringent and comprehensive controls. The decision about what constitutes criticality is largely left to the banks.

The draft also indicates that regulated banks should prepare to discuss and defend their risk-based approach when it departs from the guidance. For example, when assessing a third party's finances, the guidance states that the "analysis required may be as comprehensive as if it were extending credit to the third party."

Though vague in places, the proposed guidance explicitly states that vendors must be managed according to risk and criticality. A lack of risk-based analysis can be deemed an unsafe or unsound practice, one that exposes the regulated bank and its customers to breaches.

The document goes so far as to say that financial analysis of high-risk vendors should rise to credit-approval levels, and an organization that claims to hold no relationships with critical vendors will need to explain that claim.

Expanding the Vendor Management Process

The agencies outline six steps banks should follow when managing vendors, most of which are already in effect at most financial services firms. The process begins with planning: scoping the relationship and documenting how the bank will handle the assessment, selection and oversight of the vendor. Due diligence and vendor selection follow.

Most vendors and partners of financial services firms are already familiar with security questionnaires, but this step asks banks to perform due diligence commensurate with the criticality of the service being procured.

Once a vendor is selected, the bank assigns stakeholders to negotiate the contract and document any SLAs that set out each party's responsibilities. The FDIC, OCC and Fed also ask banks to define the oversight and accountability of the stakeholders and processes responsible for vendor management, including the board of directors and the management team, supported by documentation and independent reviews.

As the industry moves toward continuous compliance, the interagency guidance calls for the bank's assigned stakeholders to monitor vendor activity and performance on an ongoing basis. Finally, the bank must develop a contingency plan for terminating a third-party relationship.

Differentiating the New Guidance

The most notable feature of the new guidance is the triad of regulators presenting it. But there are other departures from the norm, such as asking banks to examine a third party's diversity policies and hiring practices.

Importantly, the document defines a third-party relationship broadly, as a business arrangement with another entity whether or not a formal contract exists. Banking organizations will need to establish a standard internal definition of a vendor and be prepared to defend their classifications, especially when including (or excluding) non-traditional vendors.

Industry Implications

For larger banking organizations with mature third-party risk management programs built on the OCC's 2013 guidance, the changes to existing programs should be minimal. For smaller institutions currently subject to the Federal Reserve or FDIC guidance, which is generally less prescriptive and detailed than the OCC guidance on which the proposal is based, the new document may represent a more meaningful change.

Service providers and fintechs can anticipate an increased level of rigor when selling into or partnering with banks, from the procurement processes to annual diligence to ongoing monitoring requirements.

Compliance Challenges for Growing Businesses

Ultimately, the agencies seek to protect the banking system more broadly: to safeguard consumers' data and the availability of services in the face of ever-increasing cyberattacks and the new risks that come with innovative technologies. These requirements do, however, place a heavy burden on small, growing tech companies that lack the information security and compliance expertise and resources to maintain robust programs.

The industry needs to support the cycle of innovation and make it easier for smaller tech companies to clear this higher bar: by being open to stage-appropriate solutions for securing information in startup environments, and by reassessing criticality and closing gaps as the business scales.


Tags: Third Party Risk Management

Eva Pittas

Eva Pittas is the co-founder and chief operating officer of Laika, an information security and compliance software company. She has almost two decades of experience at Citi, where she held a number of senior roles in IT risk and control, and in finance, operations and technology.
