Enhancing control environment across supply chains and managing exposure to vendor and third-party risks

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Stuart Hoffman, Governance & Operational Risk Policy Analyst, OCC

Third-party risk management continues to be an area of heightened supervisory focus. Digitalization and technological advances have continued to reinforce the increasing trend of banks outsourcing technology operations and banks entering into partnerships or other arrangements with fintech firms for delivering innovative financial products and services.

What controls should firms develop when managing third parties?

Effective internal controls are a key foundation of the safety and soundness of any firm. Controls help managers measure performance, make decisions, evaluate processes, and limit risks. When discussing controls for third-party risk management (TPRM), it helps to think about the TPRM lifecycle.

The TPRM lifecycle comprises five stages: planning, due diligence, contract negotiation, ongoing monitoring, and termination. As part of planning, firms outline their strategy, identify the inherent risks of the activity with the third party, and detail how the firm will identify, assess, select, and oversee the third party. Performing proper due diligence helps ensure a firm selects an appropriate third party and understands the risks posed by the relationship. Negotiating written contracts that articulate the rights and responsibilities of all parties helps to ensure the contract’s enforceability, limits the firm’s liability, and mitigates disputes about performance. Conducting ongoing monitoring of the third party’s activities and performance is essential to managing the risks posed by the relationship. Developing contingency plans to terminate the relationship helps ensure the firm can transition activities to another third party, bring the activities in-house, or discontinue activities as necessary.

Firms implement controls in each phase of the TPRM lifecycle, commensurate with the level of risk and complexity of the third-party relationships. The effectiveness of the overall TPRM lifecycle is supported by having the board of directors and management oversee the firm’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews.

Firms should maintain processes to periodically test the design and effectiveness of controls. The Office of the Comptroller of the Currency (OCC)’s Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance[1] provides guidance on an effective risk management process throughout the lifecycle of a third-party relationship and provides descriptions of various controls. Proposed interagency guidance[2] on third-party risk management is under development. As described in the news release, the OCC’s 2013-29 guidance serves as the basis for this proposed interagency guidance.

What are effective practices firms should consider tomitigate the introduction of additional risks when starting a third-party relationship and throughout the relationship?

The most effective practices a firm can adopt are designing and implementing TPRM processes commensurate with the levels of risks and complexities of its third-party relationships and ensuring comprehensive risk management and oversight of third-party relationships involving critical activities. While new risks can be introduced, or the severity of known risks can change throughout any stage of the TPRM lifecycle, I highlight the importance of controls in the due diligence and ongoing monitoring stages.

Conducting proper due diligence on a potential third party before entering into a relationship is an important component of effective TPRM and aids firms in assessing the potential introduction of risk with new third-party relationships. Due diligence can help ensure that a firm selects an appropriate third party and understands and controls the risks posed by the unique relationship, consistent with the firm’s risk appetite. Due diligence should include assessing the third party’s ability to perform the activity as expected, adhere to the firm’s policies related to the activity, comply with all applicable laws and regulations, and perform the activity in a safe and sound manner.

After entering into a third-party relationship, effective ongoing monitoring enables a firm to confirm the quality and sustainability of the third party’s controls and ability to meet contractual obligations for delivering services in a safe and sound manner. Effective ongoing monitoring allows a firm to escalate significant issues or concerns (e.g., material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk) in a timely manner and allows management to take appropriate actions to mitigate risks associated with those significant issues or concerns in order to safeguard the financial institution and its customers.

Examples of important areas of focus for ongoing monitoring include assessing changes to the third party’s business strategy, its compliance with legal and regulatory requirements, changes to key personnel, weaknesses in internal controls, and its ability to maintain operations during a disruption. As both the level and types of risks change over the lifetime of a relationship, firms should adapt their ongoing monitoring practices accordingly. Firms should dedicate sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor third parties commensurate with the levels of risks and complexities of the relationships.

Are there any particular risks that firms are frequently experiencing that they should consider when managing their third-party relationships?

The risks a firm may experience with its third-party relationships will be unique to each relationship and the nature of the services being delivered. Current risks facing the federal banking system are detailed in the OCC’s Semiannual Risk Perspective[3]. Many of these risks apply to third-party relationships, but key risks I would highlight include cybersecurity risks, risks associated with the adoption of new and innovative products and services, and supply chain or fourth party risks.

Cyber threats have been one of the top concerns impacting the banking sector. These threats often target banks’ third-party service providers and technology software vendors. In recent remarks[4], Acting Comptroller of the Currency Michael Hsu shared the OCC’s heightened focus on cybersecurity and key controls to safeguard against cyber threats. Additional resources to assist strengthening a firm’s controls against cyber threats include Federal Financial Institutions Examination Council (FFIEC)’s IT Examination Handbook[5] booklets and cybersecurity page[6], resources provided by the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA)[7], and the interagency paper titled “Sound Practices to Strengthen Operational Resilience.”[8]

As banks adopt emerging technologies and engage with fintech firms for the delivery of new and innovative products and services to customers, risk assessments and change-management practices should keep pace. The OCC’s bulletin “New, Modified, or Expanded Bank Products and Services: Risk Management Principles”[9] outlines risk management principles banks should follow to prudently manage the risks associated with offering new, modified, or expanded products and services (collectively, new activities). Given the breadth and speed of change, bank management and boards of directors should understand the impact of new activities on banks’ financial performance, strategic planning process, risk profiles, traditional banking models, and ability to remain competitive.

Supply chain management is another area of focus for third-party risk management. Third-party relationships may involve subcontracting arrangements, which can create a chain of service providers for a firm. The absence of a direct relationship with a subcontractor can affect a firm’s ability to assess and control risks inherent in parts of its supply chain. Due diligence and contract management practices should identify subcontracting of critical services and, as a best practice, address notification or approval requirements for use of subcontractors. This will allow firms to better manage the end-to-end delivery of services and measure potential concentration risk.

How does a firm’s relationship with a third party pose reputation risk to the firm?

A firm has the ability to outsource an activity, but it cannot outsource risk. Conceptually, any third-party relationship that does not meet the expectations of the firm’s customers exposes that firm to reputation risk. Ultimately, it is the firm’s product and service that is being delivered.

Many factors can cause reputation risk, but potential issues that expose firms to reputation risk can include unfair practices and poor service delivery by the firm’s third parties. Actions firms can take to monitor potential reputation risks include monitoring customer complaints and performance monitoring to identify and address adverse trends or incidents.

Firms should also include provisions in contracts that require the third party to comply with laws and regulations and adhere to policies established by both the firm and the third party. Additionally, commensurate with the risk of the activity, the contract should give the firm the right to monitor the third party’s compliance with applicable laws, regulations, and policies; conduct periodic reviews to verify adherence to expectations; and require remediation when issues arise.

An incident has occurred. What should a firm’s management do?

Firms should have robust incident response plans that include the firm’s significant third-party relationships. Incidents can strike at any time and require firms to respond quickly to restore operations and continue service to customers. Details such as defining responsibilities and identifying key contacts and technical resources should be in place and tested to prepare for adverse events. The degree of the firm’s proactive action may ultimately determine the firm’s survivability in the face of a major disaster or incident.

Incident response plans should have protocols to declare and respond to an incident and consider, as appropriate, notification of resources responsible for responding to the incident; coordination with significant third parties and law enforcement for security incidents; processes for restoring systems, preserving data, and if applicable, evidence; plans for providing assistance to impacted customers; and other processes and standards for facilitating operational resilience of the firm. Firms should periodically test response plans with third parties, especially those which provide critical activities.

When an incident impacts a firm operating in a regulated banking environment, the firm should contact its primary regulator. For example, bankers should be familiar with the “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”[10] and the instructions on how to notify the OCC[11]. The rule also requires a bank service provider to notify the bank when it has experienced a computer-security incident that has materially disrupted or degraded covered services for four or more hours.

[1] Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

[2] https://www.occ.gov/news-issuances/news-releases/2021/nr-ia-2021-74.html

[3] OCC’s Semiannual Risk Perspective https://www.occ.treas.gov/publications-and-resources/publications/semiannual-risk-perspective/index-semiannual-risk-perspective.html

[4] https://www.occ.gov/news-issuances/speeches/2022/pub-speech-2022-94.pdf

[5] IT Examination Handbook https://ithandbook.ffiec.gov

[6] https://www.ffiec.gov/cybersecurity.htm

[7] https://www.cisa.gov

[8] https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-144a.pdf

[9] https://www.ots.treas.gov/news-issuances/bulletins/2017/bulletin-2017-43.html

[10] https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank

[11] https://www.occ.gov/news-issuances/bulletins/2022/bulletin-2022-8.html

Stuart was a speaker at our 2022 Operational Risk Management USA Congress.