Telavance, Inc. – 517 US Route 1 South, Suite 5400, Iselin, NJ 08830
THIRD PARTY MANAGEMENT RISK
Experience the Telavance Advantage™
On October 30, 2013 the Office of the Comptroller of the Currency (OCC) issued updated guidance on
third-party risks and vendor management. The OCC's bulletin points out that its updated guidance
replaces OCC Bulletin 2001-47, "Third-Party Relationships: Risk Management Principles," and OCC
Advisory Letter 2000-9, "Third-Party Risk."
This OCC guidance applies to all banks with third-party relationships. A bank's risk management practices should be commensurate with the level of risk and complexity of its third-party relationships. The OCC expects a bank's board and management to have risk management processes and practices in place to assess, monitor, and manage those risks. For critical activities that affect significant banking functions, the OCC expects banks to have comprehensive oversight, management and regular monitoring of third parties. This regulatory risk and compliance burden elevates the importance of vendor management for the entire financial institution. Banks face considerable challenges in managing, monitoring and documenting third-party relationships, and as they outsource mission-critical processes to third-party vendors, the effort required to ensure compliance increases. Vendor management should not be considered only from a risk and compliance perspective but also for the business benefits derived from managing these relationships effectively: it can help reduce costs, increase the value obtained from the third party and potentially reduce risk.
The bank's board of directors and senior management are responsible for overseeing the bank's third-party risk management program, although the responsibility is often delegated to the Compliance or Risk department. The oversight has to align with the level of risk and the criticality of the activities provided by the third party. A third-party relationship affects the bank's current risks or adds new ones, so a bank has to incorporate it in its Enterprise Risk Management framework and assess and rate third-party risks in the categories of Operational, Strategic, Reputational, Credit, and Compliance Risk. By aligning the third-party assessment with the standard risk categories, the bank can benefit from the practices and procedures already established in the Risk Office. Telavance has developed processes, procedures and templates based on Operational Risk and Control Self-Assessment concepts to help banks identify, assess and classify risks and controls and perform due diligence for third-party relationships. This repository also holds third-party information (criticality, controls, performance measurements, compliance testing, reporting and other functions) that helps the bank document, track and report. Creating this "single version of truth" is critical to meeting compliance requirements and also helps drive down the overall cost. Telavance can help you with an effective third-party risk management process that follows a continuous lifecycle for all relationships and incorporates the following:
Vendor Management Program Setup
Vendor Risk Assessment – Initial and Ongoing
Vendor Risk Level Quantification
Ongoing Monitoring and Compliance Testing
Documentation and Reporting
Independent Reviews of Vendor Management Program
Third Party Risks
To put third-party risks in context, consider what the New York State Department of Financial Services' 2014 Report on Cyber Security in the Banking Sector said:
"Another continuing challenge is the industry's reliance on third-party service providers for critical banking functions. … In addition, most small and medium institutions outsource functions such as payment processing and most of their web application and online banking systems to external companies. This interconnectedness suggests that an institution's cyber risk level depends in large part on the processes and controls put in place by third parties. … To the extent that institutions do not have adequate insight into the sufficiency of the processes and controls of their third-party service providers, this may represent an area in need of heightened due diligence and monitoring. Cyber security and data protection requirements should be incorporated into institutions' third-party contracts from the outset."
While financial institutions will have the means and methods to counter cyber-attacks, there is a focused effort to target smaller third-party service providers. (An infamous incident is the Target breach.)
The question to ask yourself is: how would my financial institution work with a third party without understanding their security practices, risk controls and monitoring on a regular basis, and what risks does that expose a financial institution to?