BILLING CODE 6210-01-P; 6714-01-P; 4810-33-P

The contract addresses the submission of sufficient, timely, and usable information to enable the banking organization to analyze customer complaint activity and trends for risk management purposes. Analyze relevant consumer protection laws and regulations to understand the opportunities, risks, and compliance requirements before using alternative data. Management's monitoring may result in changes to the frequency and types of reports from the third party, including service-level agreement performance reports, audit reports, and control testing results. Banks can also rely on pooled audit reports, which are audits paid for by a group of banks that use the same company for similar products or services. The use of third parties can offer banking organizations significant advantages, such as quicker and more efficient access to new technologies, human capital, delivery channels, products, services, and markets. Banking organizations, including smaller and less complex banking organizations, should adopt risk management practices commensurate with the level of risk and complexity of their third-party relationships and the risk and complexity of the banking organization's operations. What type of due diligence and ongoing monitoring should be conducted when a bank enters into a contractual arrangement in which the bank has limited negotiating power? Whether subcontractors provide services for critical activities. The proposed guidance describes third-party relationships as business arrangements between a banking organization and another entity, by contract or otherwise. For example, the banking organization may consider expected growth, earnings, pending litigation, unfunded liabilities, or other factors that may affect the third party's overall financial stability. (Originally FAQ No. 5 from OCC Bulletin 2017-21.)
It is important that banking organization management properly document and report on its third-party risk management process and specific business arrangements throughout their life cycle. Whether activities are performed internally or outsourced to a third party, a banking organization is responsible for ensuring that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations. Determine whether the third party has the necessary licenses to operate and the expertise, processes, and controls to enable the banking organization to remain compliant with domestic and international laws and regulations. Integrating the use of product and delivery channels into the bank's strategic planning process and ensuring consistency with the bank's internal controls, corporate governance, business plan, and risk appetite. Refer to OCC News Release 2015-1, "Collaboration Can Facilitate Community Bank Competitiveness, OCC Says," January 13, 2015. Also, operational risk can increase quickly if the operational processes of the banks and the marketplace lenders do not include appropriate limits and controls, such as contractually agreed-to loan volume limits and proper underwriting. In what areas should the level of detail be increased or reduced? Make sure completed work is incorporated into the bank's model risk management and third-party risk management processes. An example would be the Financial Data Exchange's FDX API Standard. Regardless of the division of control responsibilities between the cloud service provider and the bank, the bank is ultimately responsible for the effectiveness of the control environment. Banking organizations should have effective risk management practices whether the banking organization performs an activity in-house or through a third party.
For example, several banks have partnered with fintech companies to establish dedicated interactive kiosks or automated teller machines (ATMs) with video services that enable the consumer to speak directly to a bank teller. Risks include reputation, credit, concentrations, compliance, market, liquidity, and operational risks. The scope of examinations focuses on the services provided and key technology and operational controls communicated in the FFIEC Information Technology Examination Handbook and other regulatory guidance. Specify whether the banking organization or third party is responsible for responding to customer complaints. Refer to OCC Bulletin 2003-12, "Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing: Revised Guidelines on Internal Audit and its Outsourcing." When a bank does not receive all the information it is seeking about a third party that supports the bank's critical activities, bank management should take appropriate actions to manage the risks in that arrangement. TSP reports of examination[14] are available only to banks that have contractual relationships with the TSPs at the time of the examination. The following are examples of different types of interactions that banks might have with data aggregators. The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship. Evaluate the qualifications and experience of the company's principals related to the services provided by the third party.

Text of Proposed Guidance on Third-Party Relationships

Third-party assessment service companies have been formed to help banks with third-party risk management, including due diligence and ongoing monitoring. How may a bank use third-party assessment services (sometimes referred to as third-party utilities)? These companies offer banks a standardized questionnaire with responses from a variety of third parties (particularly information technology-related companies). Consider including indemnification clauses that specify the extent to which the banking organization will be held liable for claims that cite failure of the third party to perform, including failure of the third party to obtain any necessary intellectual property licenses. OCC Bulletin 2013-29 states that the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities. For example, as explained in FAQ No. For more information, refer to OCC Bulletin 2019-43, "Appraisals: Appraisal Management Company Registration Requirements."

Make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants. OCC Bulletin 2013-29 indicates that a bank's board should approve contracts with third parties that involve critical activities. Consider whether any fees or incentives are subject to, and comply with, applicable law. (Originally FAQ No. FIL-44-2008, "Guidance for Managing Third-Party Risk" (June 6, 2008). Some community banks have joined an alliance to create a standardized contract with their common third-party service providers and improve negotiating power. The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships. Critical activities and how a bank can determine the risks associated with third-party relationships. During due diligence and before signing a contract, bank management should assess the risks posed by the relationship and understand the third party's risk management and control environment. As the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs. Specification of the type and frequency of management information reports to be received from the third party, where appropriate.

Some fintech companies offer other ways for banks to partner with them. Whether the report, certificate, or audit is consistent with widely recognized standards. When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued. The bank has a business arrangement with each of these types of companies.[4] Evaluate the third party's ownership structure (including any beneficial ownership, whether public or private, foreign or domestic ownership) and its legal and regulatory compliance capabilities.

Banking organizations are engaging in different types of relationships.[6] It is common for a bank to have several third-party relationships that support the same critical activity (e.g., a major bank project or initiative), but not all of these relationships are critical to the success of that particular activity. When technology supports service delivery, assess the third party's data, infrastructure, and application security programs, including the software development life cycle and results of vulnerability and penetration tests.

Additionally, the OCC's model risk management guidance contains important principles, including those that may leverage alternative data. Other banks have centralized the management of the process under their compliance, information security, procurement, or risk management functions. Indicate whether any records generated by the third party become the banking organization's property. A bank that has a business arrangement with a data aggregator has a third-party relationship, consistent with the existing guidance in OCC Bulletin 2013-29. Each banking organization, however, is ultimately accountable for managing the risks of its own third-party business arrangements. Develop appropriate alternative ways to analyze these critical third-party service providers. The agencies seek public comment on the extent to which the concepts discussed in the OCC's 2020 FAQs should be incorporated into the final version of the guidance. Evaluate whether additional risks may arise from the third party's reliance on subcontractors and, as appropriate, conduct similar due diligence on the third party's critical subcontractors, such as when additional risk may arise due to concentration-related risk, when the third party outsources significant activities, or when subcontracting poses other material risks. The proposed guidance sets forth considerations with respect to the management of risks arising from third-party relationships. When available, these reports can provide valuable information to the bank. Check the third party's SEC or other regulatory filings. Evaluate the potential legal and financial implications to the banking organization of these contracts between the third party and its subcontractors or other parties. (Originally FAQ No. Some banking organizations have business arrangements with third parties to offer competitive and innovative financial products and services that otherwise would be difficult, cost-prohibitive, or time-consuming to develop in-house.
Any collaborative activities among banks must comply with antitrust laws. Banks still have a responsibility, however, to manage these relationships in a safe and sound manner with consumer protections. In overseeing the management of risks associated with third-party relationships, boards of directors (or directors) typically consider the following factors, among others: When executing and implementing third-party relationship risk management strategies and policies, management typically considers: Banking organizations typically conduct periodic independent reviews of the third-party risk management process, particularly when third parties perform critical activities. The banking organization's internal auditor or an independent third party may perform the reviews, and senior management confirms that the results are reported to the board. Consider outlining cost and responsibility for purchasing and maintaining hardware and software and specifying the conditions under which the cost structure may be changed, including limits on any cost increases. When dual employees will be used, the contract typically clearly articulates their responsibilities and reporting lines. The proposed guidance provides examples of third-party relationships, including use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which a banking organization has an ongoing relationship or may have responsibility for the associated records.
[18] Additionally, ongoing monitoring typically includes the regular testing of the banking organization's controls to manage risks from third-party relationships, particularly when critical activities are involved.

Banks may use the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT), InfraGard, and other information-sharing organizations to monitor cyber threats and vulnerabilities and to enhance their risk management and internal controls. The agencies recognize the prevalence of the range of relationships between banking organizations and third parties. Third-party assessment service companies have been formed to help banking organizations with third-party risk management, including due diligence. Aggregators are often intermediaries between the financial technology (fintech) applications that consumers use to access their data and the sources of data at financial services companies. Assess the third party's financial condition, including reviews of the third party's audited financial statements, annual reports, filings with the U.S. Securities and Exchange Commission (SEC), and other available financial information. Risk management when the bank has limited negotiating power in contractual arrangements. Ongoing benchmarking of service provider performance against the contract or service-level agreement. Effective management teams should establish responsibility and accountability for managing third parties commensurate with the level of risk and complexity of the relationship. (Originally FAQ No. OP-1752, by any of the following methods: All public comments will be made available on the Board's website at http://www.federalreserve.gov/generalinfo/foia/RevisedRegs.cfm as submitted, unless modified for technical reasons or to remove personally identifiable information at the commenter's request.
If available, consider reviewing System and Organization Controls (SOC) reports and whether these reports contain sufficient information to assess the third party's risk or whether additional scrutiny is required through an assessment or audit by the banking organization or other third party at the banking organization's request. In some instances, banks serve only as facilitators for the fintech companies' products or services with one of the products or services coming from the banks. In such situations, it is important to identify limitations, understand the risks, consider how to mitigate the risks, and determine whether the residual risks are acceptable. Contract provisions reserve the banking organization's right to conduct its own audits of the third party's activities or to engage an independent party to perform such audits. The proposed guidance addresses due diligence and contract negotiations in dealing with a third party's subcontractors. The agencies seek public comment on the extent to which the concepts discussed in the OCC's 2020 FAQs should be incorporated into the final version of the guidance. To the extent the activities performed by the third party are subject to specific laws and regulations (e.g., privacy, information security, Bank Secrecy Act/anti-money laundering (BSA/AML), or fiduciary requirements). Evaluate the third party's depth of resources and any previous experience in meeting the banking organization's expectations. What third-party relationships involve critical activities? How could the proposed guidance better help a banking organization appropriately scale its third-party risk management practices? In addition, the risks inherent in such a chain may be heightened when a banking organization uses third parties for critical activities. Could have a major impact on bank operations if the bank needs to find an alternate third party or if the outsourced activity has to be brought in-house.
Refer to the Federal Trade Commission and U.S. Department of Justice's "Antitrust Guidelines for Collaborations Among Competitors." Whether a bank has a business arrangement with the data aggregator depends on the level of formality of any arrangements that the bank has with the data aggregator for sharing customer-permissioned data. The appropriate degree of ongoing monitoring is commensurate with the level of risk and complexity of the third-party relationship. OCC Bulletin 2013-29 states that banks should consider the financial condition of their third parties during due diligence and ongoing monitoring. Clearly assigns all costs and obligations associated with transition and termination. Determine whether the third party maintains an appropriate business continuity management program, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. Specify when and how the third party will disclose, in a timely manner, information security breaches that have resulted in unauthorized intrusions or access that may materially affect the banking organization or its customers. Reflect the associated risks in the overall assessment of the banking organization's risk profile. Bank management should perform due diligence to evaluate the business experience and reputation of the data aggregator to gain assurance that the data aggregator maintains controls to safeguard sensitive customer data. Financial market utilities typically provide disclosures to explain how their businesses and operations reflect each of the applicable Principles for Financial Market Infrastructures. The proposed guidance notes that banking organizations may collaborate when they use the same third party, which can improve risk management and lower the costs among such banking organizations.
In some instances, a banking organization may not be able to obtain the desired due diligence information from the third party. Reliance on and use of third party-provided reports, certificates of compliance, and independent audits. The OCC has received requests for clarification regarding business arrangements and how those arrangements relate to OCC Bulletin 2013-29. In conducting due diligence and ongoing monitoring, bank management may obtain and review various reports (e.g., reports of compliance with service-level agreements, reports of independent reviewers, certificates of compliance with International Organization for Standardization (ISO) standards,[12] or SOC reports).[13] The person reviewing the report, certificate, or audit should have enough experience and expertise to determine whether it sufficiently addresses the risks associated with the third-party relationship. Conduct ongoing monitoring on third parties in a manner and with a frequency commensurate with the risk to the bank from the third-party relationship. Confirm that the contract sufficiently addresses: The contract often establishes the banking organization's right to audit, monitor performance, and provide for remediation when issues are identified. Some smaller and less complex banking organizations have expressed concern that they are expected to institute third-party risk management practices that they perceive to be more appropriate for larger and more complex banking organizations. Proposed interagency guidance and request for comment. The agencies seek to promote consistent third-party risk management guidance, better address use of, and services provided by, third parties, and more clearly articulate risk-based principles on third-party relationship risk management.
How should banks structure their third-party risk management process? For critical activities, the OCC expects that due diligence and ongoing monitoring will be robust, comprehensive, and appropriately documented. Monitoring the third party's disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank's disaster recovery and business continuity plans. The proposed guidance is intended to provide principles that are useful for a banking organization of any size or complexity and uses the concept of critical activities to help banking organizations scale the nature of their risk management activities. Appraisers and appraisal management companies: Some banks maintain an approved panel or list of individual appraisers. These examinations typically are conducted in coordination with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and other banking agencies with similar authorities. What revisions to the proposed guidance, if any, would better assist banking organizations in assessing third-party risk as technologies evolve? Banking organizations periodically re-assess existing relationships to determine whether the nature of an activity subsequently becomes critical. Because almost all banks issue debit cards and offer transaction accounts, banks frequently participate in mobile payment environments even if they do not issue credit cards. Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the banking organization and the third party in an expeditious manner, and whether the third party should continue to provide activities to the banking organization during the dispute resolution period.
These actions may include issuing Matters Requiring Attention, issuing Matters Requiring Board Attention, and recommending formal enforcement actions. Consider the findings when assigning the management component of the Federal Financial Institutions Examination Council's Uniform Financial Institutions Rating System. OCC: Kevin Greenfield, Deputy Comptroller for Operational Risk Division; Lazaro Barreiro, Director for Governance and Operational Risk Policy; Emily Doran, Governance and Operational Risk Policy Analyst; Stuart Hoffman, Governance and Operational Risk Policy Analyst, Operational Risk Policy Division, (202) 649-6550; or Tad Thompson, Counsel, or Eden Gray, Assistant Director, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219. Banking organization management is responsible for implementing third-party risk management. Some banks have expressed confusion about whether third-party service providers need to meet a bank's credit underwriting guidelines. Some banks categorize their third-party relationships by similar risk characteristics and criticality (e.g., information technology service providers; portfolio managers; catering, maintenance, and groundskeeper providers; and security providers). Consistent with OCC Bulletin 2013-29, a bank that has a business arrangement with a cloud service provider has a third-party relationship with the cloud service provider. No matter where accountability resides, each applicable business line can provide valuable input into the third-party risk management process, for example, by completing risk assessments, reviewing due diligence questionnaires and documents, and evaluating the controls over the third-party relationship.
What additional information, if any, could the proposed guidance provide to banking organizations in managing the risk associated with third-party platforms that directly engage with end customers? In such an instance, a bank has a business arrangement with the appraisal management company that the bank uses.[2] Professional service providers: Service providers such as law firms, consultants, or audit firms often provide professional services to banks. If a third party uses subcontractors (also referred to as fourth parties), a bank may find the third party's SOC 1 Type 2 report particularly useful, as SSAE 18 requires the auditor to determine and report on the effectiveness of controls the third party has implemented to monitor the controls of the subcontractor. In what ways, if any, could the proposed description of third-party relationships be clearer? Bank management should determine the risks associated with each third-party relationship or category of relationship. Indicate which party is responsible for payment of legal, audit, and examination fees associated with the activities involved. Periodic board reporting is essential to ensure that board responsibilities are fulfilled. Banking organizations' expanded use of third parties, especially those with new or innovative technologies, may also add complexity, including in managing consumer compliance risks, and otherwise heighten risk management considerations. Refer to OCC Bulletin 2001-12, "Bank-Provided Account Aggregation Services: Guidance to Banks" (national banks), for more information on direct relationships. Some banks assign a criticality or risk level to each third-party relationship, whereas others identify critical activities and those third parties associated with the critical activities.
