OCC: New Guidance for Third-Party Risks
Regulator Highlights Need for More Vendor Oversight
The Office of the Comptroller of the Currency on Oct. 30 became the first major U.S. banking regulator to issue updated guidance on third-party risks.
But other federal banking regulators, such as the Federal Deposit Insurance Corp., are expected to follow the OCC's lead, experts say, which means banking institutions should prepare now for increased scrutiny of their vendor management programs.
The OCC's updated guidelines note eight specific areas where banking institutions need to make improvements to their vendor management programs related to third-party relationships. In its statement about the issuance of the updated guidance, the OCC notes that institutions face new and increased operational, compliance, reputation, strategic and credit risks when dealing with third parties.
"The OCC is right on the mark by focusing on managing third-party relationships," says fraud expert and distinguished Gartner analyst Avivah Litan. "Responsibility and liability can always be a grey area when relying on third parties - and this makes it clear that the buck stops with the bank who engages with that third party. With more reliance on third parties for all functions, it's important to set these guidelines."
The FDIC also has noted concerns about third-party security vulnerabilities in the wake of the breach that compromised core processor Fidelity National Information Services, better known as FIS, suggesting that this agency could be the next regulator to issue updated guidance, Litan adds (see FDIC: Improve Vendor Management).
But the OCC likely felt some urgency on the topic, which is why it chose to go out on its own in this case, she says.
"I'm assuming the OCC didn't want to wait around for all the other agencies to get onboard with this guidance and issue it through the FFIEC [Federal Financial Institutions Examination Council]," Litan says. "While that is desirable, as it ensures uniformity across the U.S. financial services industry, it can be a painstakingly slow process to gain consensus across the agencies. The result is: too little, too late."
The OCC recommends banking institutions better manage their third-party risks by following these practices:
- Develop plans that outline and identify inherent risks associated with the third-party activity and detail how the banking institution will select, assess and oversee the third party;
- Perform proper due diligence in selecting a third-party provider;
- Negotiate written contracts that clearly outline the rights and responsibilities of all parties;
- Continually monitor third parties' activities and performance;
- Execute plans to terminate a relationship with a third party if certain criteria are not met, and ensure that the bank is able to transition the outsourced activities to another third party, bring those activities in-house, or discontinue those activities altogether;
- Assign clear roles and responsibilities for overseeing and managing third-party relationships and the risk management processes;
- Maintain proper documentation and reporting to facilitate oversight, accountability, monitoring and adequate risk management;
- Conduct independent reviews of the risk management process to ensure that the bank's processes can effectively manage risks from third-party relationships.
The OCC also points out that its updated guidance rescinds OCC Bulletin 2001-47, "Third-Party Relationships: Risk Management Principles," and OCC Advisory Letter 2000-9, "Third-Party Risk."
According to the OCC, third-party relationships include business arrangements between banking institutions and external entities, by contract or otherwise. "This guidance provides more comprehensive instruction for banks to ensure these relationships and activities are conducted in a safe and sound manner," says Comptroller of the Currency Thomas J. Curry.
On Sept. 18, in a speech before banking leaders and others in Washington, Curry said more regulatory oversight of third-party relationships was a top priority (see OCC on Cybersecurity: More Regs on Way?).
"Banks not only operate their own networks, they also rely on third parties to support their systems and business activities," Curry said. "Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system. Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organizations at one time."
More Regulatory Oversight to Come
Echoing Litan's opinion about further guidance to come, Al Pascual, a senior analyst with consultancy Javelin Strategy & Research, says it's just a matter of time before a more formalized update is issued by the FFIEC.
"Improving cybersecurity has become a priority at the federal level," he says. "This issue was pressing enough that regulators decided that they had to step out in front of it, sans the quorum and the time investment that the usual process represents."
Mike Versace, global research director for industry analysis firm IDC, says regulators are increasingly viewing third-party relationships from a critical infrastructure vantage point. Thus, more oversight is a given.
"This trend, and the risks that accompany vendor and supply chain relationships, will continue to be important to regulators as firms both consolidate and expand vendor relationships," Versace says. "Consolidation aggregates risk, and expansion invites new risks. As vendor risk management becomes a more costly proposition, interest will increase in shared services models to spread these costs and risks."
But Mike Wyffels, chief technology officer of Iowa-based banking holding company QCR, says the reaction to this guidance among banking institutions - including those not regulated by the OCC - is likely to be mixed.
While clarity is always welcomed, anytime new or updated guidance is issued, it usually means banking institutions will have to make additional investments in technology, processes or personnel, Wyffels says. And those increased investments are not likely to sit well with many institutions, he adds.
"More guidance usually means more expense, regardless if it is exhausting more employee time or purchasing something to help facilitate the work," Wyffels says.
As Aite fraud analyst Shirley Inscoe points out, banking institutions, even with enhanced due diligence and oversight, cannot prevent third-party breaches. "These continuing instances of data breaches and hacking incidents may appear to infer banks are not taking this responsibility seriously," she says. "The OCC is reminding them of their responsibility and shedding additional light on how to fulfill the requirements. Unfortunately, as we all know, it is very difficult to protect against data breaches and hacking incidents in today's environment."