OCC Updates Vendor Management Exam Procedures
Thursday, March 30, 2017
Vendor Management has been one of the hottest regulatory examination topics over the past 24 months, and 2017 is shaping up to be no different. With an increased reliance on external third parties and service providers, financial institutions must continue to recognize that the ultimate responsibility for protecting customer information sits solely with the institution. Most regulatory guidance requires that institutions know and understand how their information is being protected “to the same extent as if the third-party activity were handled within the institution.”
On January 24, 2017, the OCC released Bulletin 2017-7 – Supplemental Examination Procedures to the original OCC Bulletin 2013-29 – Third-Party Relationships: Risk Management Guidance, issued October 30, 2013. If you are an OCC financial institution, or if your institution is interested in vendor management best practices, below are five (5) major takeaways from these new supplemental exam procedures.
- Examination Procedures, not guidance: This new bulletin is an addition to Appendices A and B of OCC Bulletin 2013-29. Those appendices are examination procedures, to be used by examiners when assessing the state of Third Party Relationship Management at the financial institution, rather than guidance directed at the institution itself. In practice, however, the specific areas examiners look at tend to be treated as de facto guidance, so institutions should read the procedures with that in mind.
- Five (5) question Scope: The initial component of Bulletin 2017-7 is a five (5) question Scope to determine if the remaining areas of these examination procedures are necessary, including:
  - Follow-up from previous outstanding items (memoranda, previous reports, outstanding enforcement actions, and risk assessments)
  - Planned or actual material changes in either third-party relationships or the risk management process
  - Key items of the Third Party Management Program (inventory, policies and procedures, Board minutes discussing third-party management, listing of IT systems or applications tied to vendors, contracts, complaints, reports, independent reviews, etc.)
  - Findings from other exam areas related to potential third-party management issues
  - Scope of the third-party risk management process review
- Focus on Foreign Service Providers and Subcontractors: A focus on foreign service providers used by institutions has been in place for a while now, but examiners are now looking to ensure that the risk of utilizing foreign-based service providers is appropriately reflected in your risk assessment. SBS recommends that you maintain a separate, additional Due Diligence and Contract Review question set for foreign vendors that reflects FFIEC guidance. Additionally, the new Exam Procedures attempt to determine whether the institution has a process in place for identifying the subcontractors of its vendors; they do not necessarily expect the institution to risk-assess those subcontractors itself.
- Addition of Termination and Contingency Planning: Previously, the OCC identified four (4) phases of Third Party Management – (1) Planning; (2) Selection – Due Diligence; (3) Selection – Contract Review; and (4) Ongoing Management. The new Exam Procedures break out Termination and Contingency Planning into its own fifth phase. Much of the guidance from the FFIEC BCP Booklet – Appendix J (Strengthening the Resilience of Outsourced Technology Services) is being carried into this Exam Procedure.
- Quantification of Risk: Like most guidance being released today, these Exam Procedures focus on quantifying (measuring) risk. The five (5) areas of risk identified are Operational, Compliance, Strategic, Reputation, and Credit risk. The last two pages of OCC Bulletin 2017-7 provide a risk management methodology that examiners will use to identify areas of high risk and risk trends at financial institutions. While this methodology still relies on subjective judgment, if your institution does not yet have a third-party risk assessment, this is the best starting point you’ll find from federal examiners.
Written by: Jon Waldman, CISA, CRISC
Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity
Categories: SBS Blog