The Office of the Comptroller of the Currency (OCC) has outlined its third-party risk management requirements for United States national banks and federal savings associations in the OCC Bulletin 2013-29. These risk management standards don't only apply to third-party vendor relationships; the OCC expects all banks to follow best third-party risk management practices, whether activities occur internally or through service providers.
This post summarizes these Vendor Risk Management (VRM) expectations and offers guidance for complying with these standards.
A Summary of OCC’s Ideal Third-Party Risk Management Process
According to the OCC Bulletin 2013-29, a bank’s Third-Party Risk Management program should:
- Have risk management processes in place that are commensurate with the degree and complexity of third-party risks.
- Be capable of comprehensive oversight of all third-party relationships processing critical data.
- Clearly outline the bank’s strategy for managing third-party risks, including details of how the third-party selection process considered operational risks and information technology risks.
- Identify inherent risks associated with third-party vendor activities.
- Perform proper due diligence when partnering with new third-party vendors.
- Complete written contracts detailing the rights, responsibilities, and expectations associated with using third parties.
- Have contingency plans in place to rapidly terminate third-party relationships.
- Ensure that the board of directors and senior management see to it that all third-party activities are performed safely and in compliance with applicable laws.
- Clearly define roles and responsibilities involved in the third-party risk management process.
- Have documentation and reporting processes in place to support the oversight, accountability, monitoring, and risk management of third parties.
- Undergo independent reviews to measure and determine that the bank's process aligns with its strategy and effectively manages risks.
- For community banks, follow risk management practices that are commensurate with the risk exposure of each third-party relationship.
Meeting the Third-Party Risk Management Requirements of the OCC
The OCC's third-party risk management expectations can be represented in a three-pillar compliance framework, where each pillar addresses a series of stages of the risk management lifecycle.
1. Documentation and Reporting
The documentation and reporting pillar includes the due diligence phase of the third-party risk management lifecycle. This is where the inherent risks of a prospective vendor are evaluated and measured. It is a critical step in the Vendor Risk Management process because it determines whether a prospective vendor will be an asset or a liability that increases the risk of third-party breaches.
To comply with the OCC’s documentation and reporting requirements, organizations in the financial services industry need to implement a process for accurately measuring the security posture of all prospective third-party partners.
An ideal process should include the following:
- Risk assessments - Point-in-time assessments offer deep insights into the information security efforts of each vendor.
- Security ratings - Security ratings continuously scan third-party attack surfaces against attack vectors to quantitatively evaluate security posture.
How UpGuard Can Help
UpGuard helps financial organizations streamline due diligence with the following features.
- A library of industry-leading risk assessments - UpGuard’s library of risk assessments map to popular frameworks and regulations, helping you identify compliance gaps that could be indicative of data breach vulnerabilities.
- Custom questionnaire builder - UpGuard’s questionnaire builder allows financial institutions to customize their due diligence process based on their unique onboarding security requirements.
- Risk Assessments + Security Ratings - By combining point-in-time assessments with security ratings, UpGuard provides the most up-to-date reflection of a vendor’s security posture, starting at the onboarding phase and continuing throughout the entire TPRM lifecycle.
2. Oversight and Accountability
The Oversight and Accountability pillar covers the following TPRM lifecycle phases:
- Contract Management
- Ongoing Monitoring
Contract Management
Besides ensuring service expectations by enforcing the use of contracts with all third-party relationships, the contract management process should clearly define all roles and responsibilities involved in Third-Party Risk Management. This will establish a framework for effective communication and collaboration between parties involved in third-party relationships.
To comply with the contract management component of the OCC Bulletin 2013-29, the following items need to be addressed:
- Ensure an effective process is in place to manage risks related to third-party relationships.
- Develop and implement a risk-based policy that governs the third-party risk management process.
- Clearly define all roles and responsibilities involved in third-party risk management.
- Conduct due diligence on potential third parties.
- Outline policies and processes for contract negotiations.
- Review and approve contracts with third parties.
- Perform ongoing monitoring of third-party relationships.
- Maintain appropriate documentation and reporting throughout the life cycle of all third-party relationships.
- Perform ongoing benchmarking of service provider performance against the contract or service-level agreement.
- Escalate significant issues to senior management.
- Ensure periodic independent reviews of third-party relationships and the bank's third-party risk management process.
- Hold bank employees accountable within business lines or functions that manage direct relationships with third parties.
- Perform periodic independent reviews of all TPRM processes involving critical activities. An internal auditor or an independent third party can perform these audits.
- Ensure all third parties conduct background checks of all persons and entities with access to critical systems and confidential information, including senior management and subcontractors.
Continuous Monitoring
Continuous monitoring is the process of continuously scanning the attack surfaces of third-party service providers for emerging security risks. This process should ideally be capable of ranking vendors based on the severity of their security risks so that critical vendors can be prioritized in remediation efforts.
Because digital transformation keeps multiplying the number of potential data breach attack vectors, ongoing monitoring efforts should cover the widest possible region of the third-party attack surface.
Implementing the following action items will maximize the breadth of your risk monitoring scope, helping you comply with the ongoing monitoring component of the OCC Bulletin 2013-29.
- Periodically assess existing third-party relationships to determine whether their outsourced processes involve a critical activity or significant bank functions.
- Deploy monitoring initiatives whenever outsourcing internal functions, ensuring they are commensurate with the level of risk and complexity of the relationship.
- Conduct regular on-site visits to understand fully the third party's operations and ongoing ability to meet contract requirements.
- Ensure that bank employees have sufficient risk management guidance to identify potential third-party security risks.
- Pay particular attention to the quality and sustainability of the third party's controls, its ability to meet service-level agreements, performance metrics, and other contractual terms, and to comply with legal and regulatory requirements.
- Ensure that ongoing monitoring adapts to changes in the level and types of risks over the lifetime of third-party relationships.
- Assess changes to the third party's business strategy, reputation, compliance with legal and regulatory requirements, financial condition, insurance coverage, key personnel, ability to manage risk, and other critical areas of consideration.
- Escalate significant issues or concerns arising from ongoing monitoring to senior management.
- Community banks should have processes in place for identifying vendors processing critical activities and prioritizing them during monitoring efforts.
- Regularly test the bank's controls for managing risks from third-party relationships, particularly where critical activities are involved.
- Respond to issues when identified, including escalating significant issues to the board, based on ongoing monitoring and internal control testing results.
How UpGuard Can Help
UpGuard helps financial organizations comply with the Oversight and Accountability component of the OCC's TPRM standards with the following features:
- Third-Party Attack Surface Monitoring - UpGuard continuously scans third-party vendors against a list of 70+ critical attack vectors, helping you instantly identify and address emerging third-party risks.
- Vendor Tiering - UpGuard's Vendor Tiering feature allows you to categorize vendors based on the severity of their security risks, helping you prioritize vendors at the most significant risk of suffering a data breach. This feature is especially useful for community banks since they are expected to prioritize critical vendors during monitoring processes.
- Trust Page - UpGuard's Trust Page feature simplifies contract management by offering a central repository for hosting all vendor contracts and any other relevant security documentation.
- Regulatory Compliance Risk Monitoring - By mapping vendor questionnaire responses to popular regulations, UpGuard identifies compliance gaps that must be addressed to avoid costly violations.
3. Independent Reviews
The Independent Reviews pillar addresses the following stages of the third-party risk management lifecycle:
- Termination
- Planning
Termination
Risk management is as important in the termination phase as it is in the onboarding phase of the TPRM lifecycle. Overlooked third-party connections left over from terminated vendor partnerships are dormant attack vectors that could facilitate a devastating data breach if they are discovered by attackers. This is why it is critical to decommission all end-of-life software and connections when a relationship ends.
Addressing the following action items will help you comply with the OCC’s third-party risk management principles in the termination phase of the TPRM lifecycle.
- Ensure that relationships terminate efficiently, whether the activities are transitioned to another third party, in-house, or discontinued.
- Have a plan to bring the service in-house if there are no alternate third parties in the event of contract default or termination, ensuring minimal customer impact during the transition.
- Address risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party relationship.
- Address handling of joint intellectual property developed during the arrangement.
- Manage reputation risks to the bank if the termination happens as a result of the third party's inability to meet expectations.
- Recognize that the extent and flexibility of termination rights may vary with the type of activity.
How UpGuard Can Help
UpGuard’s attack surface monitoring feature detects unmaintained internet-facing assets that should have been decommissioned during the vendor termination process. Visibility into those commonly overlooked attack surfaces mitigates the risk of suffering data breaches through the security risks of terminated vendors.
Planning
Though it is addressed at the end of this post, the planning phase is actually the first stage of the TPRM lifecycle. This is where a bank assesses the security risks associated with a prospective vendor, confirms that the vendor's inherent risks fit within the corporate risk appetite, and outlines a third-party risk management plan that ensures a secure working relationship with that vendor going forward.
When a bank decides to partner with a vendor, an independent reviewer should review all contracts and proposed TPRM strategies.
The following action items should be addressed to comply with the OCC’s third-party risk management standards within the planning stage.
- Develop a plan to manage the relationship as the first step in the third-party risk management process, particularly for contracts involving critical activities with third parties.
- Conduct due diligence on potential third parties before signing a contract to ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank's risk appetite.
- Review the vendor’s business continuity plan to determine the impact on your business should they suffer a data breach. These plans should be carefully assessed before any business arrangements are formalized.
How UpGuard Can Help
UpGuard’s managed TPRM service allows financial institutions to offload the entire Vendor Risk Management process to risk analysts. By entrusting UpGuard’s security experts with managing your TPRM processes, you can have confidence in the efficacy of your TPRM strategy for new and existing vendors.