Cody Delzer | June 12, 2023 | 8 min read

Interagency Guidance on Risks Associated with Third-Party Relationships

Great News for Vendor Managers!

Have you found yourself waiting for new guidance for vendor management? Have you felt on your own to determine what the best path forward is? If so, you are not alone. For all intents and purposes, we have been waiting over a decade for new vendor management guidance. The good news is that it is finally here, and it is here in a significant way!


On June 6, 2023, the Board of Governors of the Federal Reserve (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued their Final Interagency Guidance on managing risks associated with third-party relationships. This is, quite possibly, the most substantial interagency guidance published to date in the cybersecurity space.


Before this new guidance, financial institutions had been left to their own devices in determining the correct path forward for vendor management, relying on internal or external expertise and adjusting based on audit or exam findings. Prior guidance was outdated, with the most recent issued in 2013 and others dating back to 2004. While this is not a new FFIEC IT Handbook, it does add clarifying expectations for a comprehensive vendor management program that all financial institutions can follow. Additionally, this guidance rescinds each agency’s former guidance: FIL-44-2008, OCC Bulletin 2013-29, OCC Bulletin 2020-10, and SR 13-19.

 

What’s in the Guidance?

The new guidance is broken down as follows:

A. Overview
B. Risk Management
C. Third-Party Relationship Life Cycle
        1. Planning
        2. Due Diligence and Third-Party Selection
        3. Contract Negotiation
        4. Ongoing Monitoring
        5. Termination
D. Governance
        1. Oversight and Accountability
        2. Independent Reviews
        3. Documentation and Reporting
E. Supervisory Reviews of Third-Party Relationships


Much of the guidance is focused on section C, Third-Party Relationship Life Cycle. Ongoing monitoring activities are slimmed down more than anticipated. This further reinforces the notion that “building good risk management processes and acting on them in good faith goes a long way in reducing risk over the course of a life cycle and reduces ongoing management overhead in the future.”


This new guidance does not mean ongoing management responsibilities are removed; in fact, far from it. Financial institutions should work on updating their existing processes for vendor onboarding and ongoing monitoring to fit the requirements of this guidance.


What we believe financial institutions will find overall is a far more manageable process that assists in clear communication with senior management, auditors, and examiners if implemented appropriately. The rest of this article will focus on three pieces: due diligence and third-party selection, contract negotiation, and ongoing monitoring.


NOTE: SBS utilizes the term “vendor” rather than “third-party” and “vendor management” rather than “third-party management.” You’ll find those terms are used interchangeably in this article. Specific verbiage from the guidance will contain “third-party” terminology, while “vendor” language references the verbiage SBS uses in our products and services.


Due Diligence and Third-Party Selection

Conducting due diligence before engaging in a vendor relationship is an important part of sound risk management. Due diligence includes assessing the vendor’s ability to:

  • Perform the activity as expected.
  • Adhere to a financial institution’s policies related to the activity.
  • Comply with all applicable laws and regulations.
  • Conduct the activity in a safe and sound manner.


Relying solely on experience with or prior knowledge of a vendor is not an adequate proxy for performing appropriate due diligence, as due diligence should be tailored to the specific vendor activity.


The scope and degree of due diligence should align with the level of risk and complexity of the vendor relationship. More comprehensive due diligence should be devoted to the more critical relationships identified through a solid risk management process. The guidance also notes that vendors are sometimes unable or unwilling to provide all documentation requested by a financial institution. In those cases, the financial institution should identify and document the limitations of its due diligence efforts, understand the risks associated with those limitations, and consider alternative methods for assessing the vendor, such as:

  • Obtaining alternative information to assess the vendor.
  • Implementing additional controls on or monitoring of the vendor to address the information limitation.
  • Considering the use of a different vendor.


Depending on the degree of risk and complexity of the vendor relationship, financial institutions should consider the following factors, among others, as part of due diligence:

  1. Strategies and Goals
  2. Legal and Regulatory Compliance
  3. Financial Condition
  4. Business Experience
  5. Qualifications and Background of Key Personnel and Other Human Resources Considerations
  6. Risk Management
  7. Information Security
  8. Management of Information Systems
  9. Operational Resilience
  10. Incident Reporting and Management Processes
  11. Physical Security
  12. Reliance on Subcontractors
  13. Insurance Coverage
  14. Contractual Arrangements with Other Parties


Contract Negotiation

Not all vendor relationships require a contract. It is up to the financial institution to determine whether a contract is relevant. However, if a contract is necessary, it is equally important that financial institutions engage in contracts that meet their business goals and risk management needs.


Vendors may initially offer a standard contract, which is fine if the financial institution seeks a standard service. Yet, financial institutions may find value in requesting modifications, additional contract provisions, or addendums to satisfy their needs. When a financial institution has limited negotiating power, it is important to understand any resulting limitations and consequent risks.


Periodic reviews of executed contracts allow the financial institution to confirm that the existing provisions continue to address pertinent risk controls and legal protections. A financial institution may consider renegotiating the contract if new risks are identified. Otherwise, contract reviews are performed when a contract changes or the review criteria change, such as with the publication of this guidance.


Depending on the degree of risk and complexity of the vendor relationship, a financial institution typically considers the following factors, among others, during contract negotiations:

  1. Nature and Scope of Arrangement
  2. Performance Measures and Benchmarks
  3. Responsibilities for Providing, Receiving, and Retaining Information
  4. The Right to Audit and Require Remediation
  5. Responsibility for Compliance with Applicable Laws and Regulations
  6. Costs and Compensation
  7. Ownership and License
  8. Confidentiality and Integrity
  9. Operational Resilience and Business Continuity
  10. Indemnification and Limits on Liability
  11. Insurance
  12. Dispute Resolution
  13. Customer Complaints
  14. Subcontracting
  15. Foreign-Based Third Parties
  16. Default and Termination
  17. Regulatory Supervision


Ongoing Monitoring

Ongoing monitoring of already onboarded vendors throughout the duration of the relationship allows a financial institution to:

  • Confirm the quality and sustainability of a vendor’s controls and ability to meet contractual obligations.
  • Escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk.
  • Respond to such significant issues or concerns when identified.


Typical monitoring activities include:

  • Review of reports regarding the vendor’s performance and the effectiveness of its controls.
  • Periodic visits and meetings with third-party representatives to discuss performance and operational issues.
  • Regular testing of the financial institution’s controls that manage risks from its vendor relationships, particularly when supporting higher-risk activities, including critical activities.


Depending on the degree of risk and complexity of the vendor relationship, a financial institution typically considers the following factors, among others, as part of ongoing monitoring:

  • The overall effectiveness of the third-party relationship, including its consistency with the financial institution’s strategic goals, business objectives, risk appetite, risk profile, and broader corporate policies.
  • Changes to the vendor’s business strategy and its agreements with other entities that may pose new or increased risks or impact the vendor’s ability to meet contractual obligations.
  • Changes in the vendor’s financial condition, including its financial obligations to others.
  • Changes to, or lapses in, the vendor’s insurance coverage.
  • Relevant audits, testing results, and other reports that address whether the vendor remains capable of managing risks and meeting contractual obligations and regulatory requirements.
  • The vendor’s ongoing compliance with applicable laws and regulations and its performance as measured against contractual obligations.
  • Changes in the vendor’s key personnel involved in the activity.
  • The vendor’s reliance on, exposure to, and use of subcontractors, the location of subcontractors (and any related data), and the vendor’s own risk management processes for monitoring subcontractors.
  • Training provided to employees of the financial institution and the vendor.
  • The vendor’s response to changing threats, new vulnerabilities, and incidents impacting the activity, including any resulting adjustments to the vendor’s operations or controls.
  • The vendor’s ability to maintain the confidentiality, availability, and integrity of the financial institution’s systems, information, and data, as well as customer data, where applicable.
  • The vendor’s response to incidents, business continuity, and resumption plans, and testing results to evaluate the vendor’s ability to respond to and recover from service disruptions or degradations.
  • Factors and conditions external to the vendor that could affect its performance and financial and operational standing, such as changing laws, regulations, and economic conditions.
  • The volume, nature, and trends of customer inquiries and complaints, the adequacy of the vendor’s responses (if responsible for handling customer inquiries or complaints), and any resulting remediation.

 

The Simple Message

Good news! If it seems confusing, let’s simplify the overall message. Financial institutions should ensure they have a strong and consistent risk management process for vendor management that includes a process to inventory all vendors, risk assess all vendors, and provide a rating system for identifying vendor criticality.


Critical vendors should be reviewed more frequently and more rigorously, while less critical vendors can be reviewed less frequently and less rigorously. This, like any other process, starts with good risk management. Once you define and understand how to identify vendor criticality, you can review your vendors based on the above criteria when onboarding new vendors and during ongoing vendor reviews. That’s the playbook!


Additionally, the guidance includes provisions allowing financial institutions to seek external assistance in performing vendor management! However, it remains the financial institution’s responsibility to ensure those reviews are performed professionally, provide meaningful analysis and results, and provide thoughtful and useful communication to personnel and management.

Cody Delzer

Cody Delzer is the Consulting Manager at SBS CyberSecurity (SBS), a company dedicated to helping organizations identify and understand cybersecurity risks to make more informed and proactive decisions. He is also an instructor for the SBS Institute, leading the Certified Banking Cybersecurity Manager (CBCM) course. Cody maintains Certified Information Systems Auditor (CISA) and Certified Data Privacy Solutions Engineer (CDPSE) certifications. He received his Bachelor of Science in Computer and Network Security from Dakota State University. Cody has over 13 years of risk management, audit, and consulting experience in the financial services industry, specializing in IT and IT security, systems operations, and information assurance. He joined the SBS team in 2011 and has transitioned into a senior leadership role as the Consulting Manager. Cody is passionate about sharing his cybersecurity knowledge and supporting his clients as they strive for increased cyber maturity. On top of being an instructor for the SBS Institute certification program, he speaks at conferences, authors blog posts and articles, hosts webinars, and conducts training.