OCC 2013-29 – The Modern Vendor Management Guidance
In October 2013, the Office of the Comptroller of the Currency released OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.” The OCC used 2013-29 to build on the vendor management concepts introduced by the FFIEC in its Outsourcing Technology Services booklet (2004) and by the FDIC in FIL-44-2008, “Guidance for Managing Third-Party Risk.” OCC 2013-29 is the most recent vendor management guidance available to financial institutions, is widely used as a reference regardless of charter, and is the only such guidance that is not nine-plus years old.
OCC Supplement to 2013-29 – Frequently Asked Questions
The timing is interesting (it has been over 3.5 years since the guidance was released), but on June 7, 2017, the OCC published a set of Frequently Asked Questions on OCC 2013-29 and on vendor management in general. A FAQ released now gives a good picture of how vendor management has changed over the past few years (let alone the past ten), and of where it is headed over the next few.
FAQ: Top 5 Takeaways
The OCC FAQ is 14 questions long and contains plenty of valuable information. Here are the Top 5 Takeaways from the OCC’s 2013-29 FAQ, though SBS encourages you to read the FAQ in its entirety, especially if you are responsible for vendor management at your institution.
- Additional emphasis on Board oversight: this FAQ reminds us once again that the Board of Directors is ultimately responsible for the protection of customer information, no matter where that information resides. With thirteen (13) references to Board involvement, including responsibility for setting the institution’s risk appetite, ensuring appropriate risk-mitigating controls are established, and making risk-based decisions (notice a theme?), the Board must not only be part of the vendor management process but should drive it, using metrics and information to make risk-based decisions.
- Categorize your vendors and perform appropriate vendor management: not all vendors are created equal, and the OCC expects you to categorize your vendors based on a vendor risk assessment, then perform vendor management commensurate with the level of risk. Most institutions break vendors into tiers or categories, often ranging from “Critical” to “Important” to “Nonessential” to “Exempt.” The OCC expects a “robust, comprehensive, and appropriately documented” review process for “Critical” vendors, and “Board-established policies and procedures” governing reviews of lower-risk vendors.
- Collaboration with other institutions on vendor management: the OCC notes in the FAQ that because many financial institutions use the same vendors for certain products and services, collaborating on due diligence or vendor reviews can be beneficial. However, while collaboration is a good idea, it is still “insufficient to fully meet the bank’s responsibilities under OCC Bulletin 2013-29.” Collaborating with other institutions can make vendor management more efficient, but your institution remains responsible for its own vendor risk analysis and for taking appropriate action to ensure each vendor relationship stays within its acceptable level of risk. Vendor management tools (software applications) are also a good way to standardize the process.
- Welcome to the party, Fintech: perhaps the most interesting, and previously undocumented, part of this OCC FAQ is the inclusion of five (5) questions relating to “fintech” companies. Fintech companies can be defined as providers of new and innovative (often mobile-related) technologies and applications, either to financial institutions or directly to consumers in competition with financial institutions. The questions include:
- Is a fintech company arrangement considered a critical activity? (OCC says: Probably.)
- Can a bank engage with a start-up fintech company with limited financial information? (OCC says: depends on your business analysis.)
- How can a bank offer products or services to underbanked or underserved segments of the population through a third-party relationship with a fintech company? (OCC says: a number of different ways, including offering savings, credit, financial planning, or payment products or applications, along with a few others.)
- What should a bank consider when entering a marketplace lending arrangement with nonbank entities? (OCC says: the same things you should consider when using other vendors.)
- Does OCC Bulletin 2013-29 apply when a bank engages a third party to provide bank customers the ability to make mobile payments using their bank accounts, including debit and credit cards? (OCC says: Absolutely.)
- The importance of reports: the last two questions deal with two different reports you can or should receive regarding your vendors. A Technology Service Provider Report of Examination (TSP report), the report from the vendor’s most recent regulatory examination (where applicable), may be obtained through the OCC (or other federal regulators) by any institution that has a contractual relationship with the vendor at the time of the examination. SOC reports (issued under the SSAE 18 standard) should be analyzed to determine the effectiveness of the controls around the products and services provided to the institution, and to identify the vendor’s use of subcontractors. Because SSAE 18 requires the service organization to identify its subservice organizations and monitor their controls, vendor management of subcontractors is built into the SOC reporting process and becomes an expectation of your vendors as well.
Where Is Your Weakest Link?
While much of the OCC 2013-29 FAQ has likely been discussed before, a number of items are being addressed or clarified officially by the OCC for the first time. Vendor management is an ever-changing discipline, and as financial institutions continue to outsource more of their products, services, information, and technology, a strong Vendor Management Program is no longer a nice thing to have; it is a critical component of day-to-day operations. Just as a chain is only as strong as its weakest link, so is your financial institution when it comes to cyber-attacks and breaches. Are you making sure your vendors do not become your weak links?
Written by: Jon Waldman, CISA, CRISC
Partner and Executive Vice President, IS Consulting - SBS CyberSecurity
How SBS Can Help
Our TRAC risk management solution includes a vendor management module, 3PM (3rd Party Management), that supports vendor risk assessment, vendor selection, and ongoing vendor management. The 3PM module helps you implement a comprehensive, flexible, and consistent vendor management process across your institution, and provides pre-defined risk measurements for vendors, a central repository for all your vendor documentation, and ready-to-use reports to streamline upstream reporting.
We also provide a full-service Vendor Management solution, in which an industry expert assists with your vendor management responsibilities. We take on the time-consuming vendor review process for your critical vendors, provide reports for your management teams, and keep you up to date on any potential issues or breaches involving your vendors.