On June 6, 2023, the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“FRB”) and the Office of the Comptroller of the Currency (“OCC”) issued their final Interagency Guidance on Third-Party Relationships (“Guidance”). The Guidance provides principles that banking organizations should consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.
The new Guidance replaces each agency’s existing guidance regarding risk management practices for third-party relationships, including the FRB’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and 2020 frequently asked questions. The Guidance is not legally binding and does not impose any new requirements on banking organizations, but outlines principles banking organizations can leverage when developing and implementing risk management processes adapted to the risks and complexity of their third-party relationships. In publishing the Guidance, the agencies emphasized that “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”
The Guidance addresses business arrangements between a banking organization and another legal entity. Notably, the Guidance provides that a third-party relationship may exist despite the absence of a contract or remuneration. Examples of third-party relationships include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, joint ventures and services provided by affiliates and subsidiaries.
Under the Guidance, a banking organization should analyze the risks associated with each third-party relationship and tailor risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship. Where third-party relationships support higher-risk activities, including “critical activities,” banking organizations should implement more comprehensive and rigorous oversight and management. An activity may be considered “critical” if it could (1) cause a banking organization to face significant risk if the third party fails to meet expectations; (2) have significant customer impacts; or (3) have a significant impact on a banking organization’s financial condition or operations.
The Guidance provides that effective management of third-party relationships follows a continuous, five-stage life cycle that includes: (1) planning, (2) due diligence and third-party selection, (3) contract negotiation, (4) ongoing monitoring and (5) termination. The planning stage allows a banking organization to evaluate the risk profile of a third-party relationship and consider risk management before entering into the relationship. Certain third-party relationships may require a greater degree of planning and consideration. For example, where a third-party relationship involves critical activities, a banking organization may present plans to and seek the approval of the organization’s board of directors.
The second stage, due diligence, includes assessing a third party’s ability to: (1) perform the activity as expected, (2) adhere to a banking organization’s policies related to the activity, (3) comply with all applicable laws and regulations, and (4) conduct the activity in a safe and sound manner. The Guidance provides that the scope and degree of the due diligence should be commensurate with the level of risk and complexity of the third-party relationship. As part of due diligence, a banking organization typically considers factors, including but not limited to the following with respect to the third party: (1) strategies and goals; (2) legal and regulatory compliance; (3) financial condition; (4) business experience; (5) qualifications and backgrounds of key personnel and other HR considerations; (6) risk management; (7) information security; (8) management of information systems; (9) operational resilience; (10) incident reporting and management processes; (11) physical security; (12) reliance on subcontractors; (13) insurance coverage; and (14) contractual arrangements with other parties.
If a banking organization determines that a contract is needed with a third party, the organization begins contract negotiation, the third stage of the lifecycle. During this stage, a banking organization typically negotiates contract provisions to facilitate risk management and oversight and specify the expectations and obligations of both parties, tailoring the provisions to the risk and complexity of the third-party relationship. The Guidance states that a banking organization’s board of directors should be aware of and, as appropriate, approve of contracts involving higher-risk activities. During contract negotiations, a banking organization may consider factors such as (1) the nature and scope of arrangement; (2) performance measures or benchmarks; (3) responsibilities for providing, receiving and retaining information; (4) the right to audit and require remediation; (5) responsibility for compliance with applicable laws and regulations; (6) costs and compensation; (7) ownership and license; (8) confidentiality and integrity; (9) operational resilience and business continuity; (10) indemnification and limits on liability; (11) insurance; (12) dispute resolution; (13) customer complaints; (14) subcontracting; (15) foreign-based third parties; (16) default and termination; and (17) regulatory supervision.
Through ongoing monitoring, the fourth stage of the life cycle, a banking organization can: (1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and (3) respond to such significant issues or concerns when identified. Monitoring activities typically include: (1) review of reports regarding the third party’s performance and the effectiveness of its controls; (2) periodic visits and meetings with third-party representatives to discuss performance and operational issues; and (3) regular testing of the banking organization’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities.
When a banking organization enters the last stage of the life cycle, termination, it must terminate third-party relationships in an efficient manner, including where activities are transitioned to another third party, managed internally or suspended.
The Guidance indicates that, in structuring a third-party risk management process, banking organizations typically consider oversight and accountability, independent reviews and documentation and reporting. The banking organization’s board of directors should provide oversight and accountability. In particular, the board should oversee third-party risk management, provide clear guidance regarding acceptable risk tolerance, approve relevant policies and ensure the establishment of appropriate procedures and practices. The third-party risk management processes also should include periodic independent reviews to evaluate the adequacy of the processes, as well as proper documentation of and reporting on the processes and individual third-party relationships.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code