Guidelines for Risk Management in Third-Party Relationships, Courtesy of the OCC

Banks and financial institutions are increasing their relationships with third parties. In many cases, these collaborations involve key organizational functions, such as partnerships, outsourcing and contracting. In every case, they invite the possibility of serious institutional risk.

Concerned about the quality of risk management conducted by banks and financial entities in governing their (often complex) third-party relationships, the Office of the Comptroller of the Currency (OCC) has issued a bulletin designed to inform national banks and federal savings associations about the risks related to third-party relationships, and guide them in effective risk management.

These guidelines are particularly relevant in the wake of New York State's top financial regulator, Benjamin M. Lawsky, emphasizing the risk posed to the financial system by third-party vendors: "It is abundantly clear that, in many respects, a firm's level of cybersecurity is only as good as the cybersecurity of its vendors." Entities wishing to collaborate with third parties should adopt the guidelines as best practices, ensuring that all activities are performed in a safe, compliant manner.

Risk Management Guidelines

The OCC identifies eight specific areas wherein financial institutions must make substantial improvements. These include:

  1. Planning: Banks have to manage third-party relationships like other complex projects. It is essential to identify every activity, analyzing its cost and potential risks.
  2. Due diligence and third-party selection: The OCC requests that banks profile potential third parties, identifying the risks posed by each partnership.
  3. Contract negotiation: The OCC recommends that banks clearly define the expectations and responsibilities of all third parties to ensure that all contracts are enforceable and limit bank liability.
  4. Ongoing monitoring: Since third-party relationships evolve over time, each one requires continuous monitoring once the contract is in place.
  5. Termination: Termination is a critical phase of risk management within each third-party relationship. Banks must evaluate all the risks related to the termination of a relationship or the interruption of any services provided by a third party.
  6. Oversight and accountability: Banks must assign definitive roles and responsibilities to each person involved in the management of third-party relationships. It is strongly suggested that each bank adopt an enterprise-wide risk management framework as well.
  7. Documentation and reporting: Documentation is a key component of the overall relationship life cycle. Clearly documented phases allow efficient monitoring of a third-party relationship and early detection of any potential issues.
  8. Independent reviews: Periodic, independent reviews allow bank managers to control third-party relationships, verifying their adherence to the overall institutional strategies.

Necessary (but Imperfect) First Steps

Although these guidelines are a great start in helping banks manage third-party risk, they're far from perfect. Compliance with new or updated guidance will require banks to make additional investments in processes, technology and human resources — investments that may not align with their current strategies. And despite their enhanced due diligence and clearer vantage points, banks cannot prevent all third-party incidents (for example, data breaches).

Today, banks exchange huge amounts of information with third-party networks; in turn, components of each network connect to other institutions and services. As a result, every relationship and connection introduces potential risks and threats to the banking system. And while this guidance offers a great start for banks seeking to assess and effectively manage third-party risk, experts concur that further guidance is required in a variety of areas, such as cybersecurity. Cybercrime is now a priority at the government level and a growing issue nationwide, so it is vital that banks and financial institutions be protected from it.

It's time to consider risk management a necessary step to reach a new model of banking that efficiently addresses risks and is able to reduce overall costs.


About Pierluigi Paganini

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, Editor-in-Chief at "Cyber Defense Magazine," a member of the DarkReading Editorial team, and a regular contributor for major publications in the cyber security field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, and The Hacker News Magazine.
