On July 13, 2021, the federal bank regulators – the Board of Governors of the Federal Reserve System (the “Board”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “regulators”) – requested public comment on proposed joint guidance concerning the management by banking organizations of risks related to relationships with third-party service and support providers (the “Proposed Guidance”). Each of the regulators has previously issued its own guidance on the subject for the banking organizations it supervises. The Proposed Guidance aims to promote consistency in the management of third-party risks by replacing the agency-specific guidance with a single framework that applies to all banking organizations supervised by the regulators. According to the regulators, the Proposed Guidance would largely adopt the text of the OCC’s 2013 guidance, broadening its scope to cover organizations supervised by all three regulators.

The regulators note that covered third parties can take a variety of forms, including those that perform business functions for banking organizations as well as those that provide products and services (such as mobile and point-of-sale payments) to banking organizations’ customers.

The Proposed Guidance states that the use of a third party does not diminish a banking organization’s responsibility to conduct its business in a safe and sound manner that complies with applicable law. It would have banking organizations adopt third-party risk management processes commensurate with (1) the level of risk identified, (2) the complexity of the third-party relationship and (3) the banking organization’s organizational structure.

The framework set out in the Proposed Guidance identifies the principles applicable at each stage of the life cycle of a third-party relationship, in particular:

  • Developing a plan that describes the strategy, identifies the inherent risks and details how the banking organization will identify, assess, select and oversee a third party;

  • Exercising due diligence in selecting a third party;

  • Negotiating written contracts that articulate the rights and responsibilities of all parties;

  • Oversight by the board of directors and management of risk management processes, including documentation, reporting and independent reviews;

  • Ongoing monitoring of third parties’ activities and performance; and

  • Contingency planning for the termination of the relationship.

Notable provisions address the factors relevant to exercising due diligence on a third party’s (1) information security program (for example, controls, vulnerability and penetration testing, multi-factor authentication, end-to-end encryption and secure source code management); (2) management of information systems (for example, technology, business processes and management); (3) operational resilience (for example, disaster recovery capabilities, business continuity plans, regular testing, redundancy and preparedness for known and emerging threats and vulnerabilities); (4) incident reporting (for example, escalation and notification processes); (5) physical security (for example, protections for facilities, technology systems, data and employees); (6) human resources management (for example, the quality of compliance training); (7) use of subcontractors (for example, the ability to ensure the same level of quality and control regardless of where the subcontractors are located); and (8) insurance coverage (for example, maintaining cybersecurity coverage).

Copyright © 2021, Hunton Andrews Kurth LLP. All rights reserved.

National Law Review, Volume XI, Number 197