Financial regulators have long been concerned about the cyber risk associated with third-party- supplied products or services in financial institutions. For example, in 2013, federal financial regulators put out an issuance to financial institutions regarding how to manage third-party cyber risk. Over the last few years since this 2013 bulletin was published, the attention on third-party risk has continued to increase and the topic has been included on several examination priorities published by the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and the Federal Reserve.
Looking to streamline your vendor risk management process? Take a look at these tools and techniques.
In January 2017, the OCC issued a new handbook of procedures regarding third-party risk management. This guidance is to be used by on-site regulatory examiners in the financial services space to assist in the examination of third-party risk management programs at financial institutions.
If you’re in the financial services space and haven’t thoroughly reviewed this document, now is the time to do so. Regulatory examiners will be asking very specific questions from this bulletin, and you’ll need to be able to answer them.
Here are a few critical areas to consider as you do.
1. Concentration Risk Management
Concentration risk is an issue that takes place when an organization holds many business relationships with very few or particular third parties—and it’s something discussed in the new OCC-issued guidance. Financial institutions shouldn’t only be concerned with the third parties they could have a concentration risk with but also whether they have a technology concentration risk (i.e., if they’re too reliant upon a small number of tech service providers). Alternatively, their third parties may be too reliant on a small number of tech service providers (i.e., fourth-party risk).
Per the examination process laid out in this 2017 bulletin, examiners will be looking at the methodology in place for identifying any concentration risk and how this is being managed.
2. Third-Party Risk Management Quality
It’s not enough to say you have a third-party risk management policy—you actually have to be actively engaged with it. Examiners will look at the process the financial institution uses to identify third-party relationships and how frequently they review risk from those third parties.
The examination documentation (page 14) states that the examiner should “determine whether management has dedicated sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third party in a manner commensurate with the level of risk and complexity of the relationship.”
In simpler terms, examiners want to know if the organization has high-quality processes in place that are being executed on.
3. Board & Executive Active Involvement
The bulletin specifically calls out the importance of senior executive and board member responsibility regarding third-party risk management. The examination documentation (pages 15-16) states the examiner should “determine whether the board (or designated board committee) has adopted a risk-based process that, at a minimum, establishes policies, operating standards, and procedures throughout the third-party risk management life cycle, including documentation and reporting, oversight and accountability, and independent reviews.”
In other words, this updated bulletin requests that the examiner determine if the institution in question regularly briefs the board on the ongoing monitoring of third-party risk. This is impactful as regulators aren’t just concerned with whether this information makes it to the board level but also the result of the reported information.
Your on-site regulatory examiners will be asking you questions based on the OCC-issued third-party risk management guide. The bottom line? You need to have the right third-party risk management processes and procedures in place in order to respond appropriately.