The Office of the Comptroller of the Currency (OCC) recently released an updated FAQ on third-party management expectations for banks of all sizes. While no new guidance or requirements were issued, the FAQ addresses a number of concerns regarding third-party risk that we've heard from our clients in recent years. In particular, it addresses:
- Banks' use of fintech providers and startup tech companies
- Relationships with third-party aggregators (such as Mint and You Need a Budget)
- Oversight related to your vendors' subcontractors
- Strategies for vendors with whom you have limited information or negotiating leverage
The FAQ also includes information about assessing the risk of these various third parties and tailoring oversight requirements based on that risk.
We have compiled a few key takeaways from the FAQ:
- Cloud providers unambiguously fall under the vendor and third-party management requirements. When vendors utilize cloud providers (which is common among SaaS providers), the bank should be aware of those subcontracting arrangements.
- Data aggregators often do not have a direct relationship with the bank and are not considered third-party service providers. However, there are several ways that a bank could establish a direct relationship with an aggregator, through the use of APIs, data sharing, special security requirements, etc., and each of these needs to be assessed. The FAQ details several questions and scenarios around this.
- In some cases, banks have very little negotiating leverage with a third party, or the third party is unwilling to provide requested information. In these cases, the bank should implement mitigating controls, if possible, or evaluate any deficiencies against its risk appetite.
- While monitoring and oversight are required for all vendors, the degree of oversight should be based on risk. Low-risk vendors will likely have little oversight performed, consistent with bank policy. Vendor risk ratings need to be reassessed over time to confirm that a vendor still warrants its low-risk status.
- The FAQ defines what are considered “critical activities” and provides general guidance on how to perform risk assessments based on this and other factors.
- Fintech providers may or may not perform “critical activities” as defined above. If they do, a “comprehensive and rigorous” level of monitoring and oversight is expected.
- The bank's direct responsibility regarding its vendors' subcontractors is generally limited to supervising the vendor's oversight program for those subcontractors. A SOC report should have sufficient information about these processes. The bank should be aware of subcontractors and should contractually stipulate notification of the use of subcontractors.
- Collaborative processes that let multiple institutions obtain information from a shared service provider can be useful. However, the risks to each institution from the use of the service may vary, and risk analyses still need to be performed individually. This also applies to tools and services offering security evaluation information regarding your third parties.
- Fintechs (especially startups) are likely to have limited information available regarding financial condition and internal controls. Banks should have contingency plans for providers that can't prove their financial viability. Lack of internal controls, or lack of proof of internal controls, should be considered a risk and evaluated according to the nature of the vendor's services and your own risk appetite.
The OCC FAQ on third-party vendor management details some of the most pressing issues related to managing third-party relationships and mitigating prevalent third-party risk. Although the document does not declare any new regulations surrounding third-party security risk or enterprise risk management, its insightful statements will help align your risk management processes for optimal security.