In response to the increased risks posed to the financial industry, such as the concentration risk noted by firms due to consolidation of services, and to increased regulatory scrutiny, the SIFMA membership organized a Task Force composed of over 40 firms to review these concerns. The Task Force determined that the effort should focus on the following:
Develop a clear matrix of all global regulations that pertain to third party risk for firms to have a clear view of their regulatory obligations, and to map those to the OCC Risk Management Life Cycle for Third Party Risk.
Assist firms in maturing their internal third party risk management programs by providing tools, templates and guidance from across the membership.
Align all work to the OCC Risk Management Life Cycle for Third Party Risk to provide a complete structure for how firms should be viewing the issue.
The Task Force Working Group identified 17 different regulations globally that related to third party risk. The key criteria of those regulations have been captured in the two documents below and mapped to the OCC Risk Management Life Cycle for Third Party Risk. In addition, we have provided links to each of the identified rules.
List of Regulations:
- OCC Bulletin 2013-29
- Federal Reserve – Guidance on Managing Outsourcing Risk (12/5/13)
- Consumer Financial Protection Bureau (CFPB) Bulletin on Service Providers
- Committee on Payment and Settlement Systems (CPSS 115)
- Financial Conduct Authority (FCA) Outsourcing In Asset Mgmt. Industry
- Federal Financial Institutions Examination Council (FFIEC) – Supervision of Technology Service Providers (TSP) (10/2012)
- Regulatory Notice to Members 11-14 (Proposed Reg 3190) – 35/11
- NASD Notice to Members (NTM) 05-48
- Financial Intermediary Controls and Compliance Assessment Engagements (FICCA) Engagements by the Investment Company Institute (ICI)
- Investment Industry Regulatory Organization of Canada (IIROC) – Notice 14-0012
- International Organization of Securities Commissions, Public Document 187 – (IOSCOPD187)
- International Organization of Securities Commissions, Public Document 432 (IOSCOPD432)
- Gramm-Leach-Bliley Act (GLBA) / Reg S-P – Privacy of Customer Information
- Senior Management Arrangements, Systems and Controls (FRA-FCA)
- Outsourcing Working Group – Industry Response To FSA Dear CEO Letter On Outsourcing
- National Institute of Standards and Technology (NIST) Framework On Cybersecurity
- Federal Reserve SR 14-1/14-1A
Third Party Risk Management Program Toolkit
In order to improve the internal risk management programs of the members, a Program Toolkit Working Group was formed to create and donate effective tools, templates and guidance that can be leveraged by all in the industry to address this risk and, as much as possible, standardize the manner in which certain activities are conducted. The pieces of the toolkit are organized below to map to the OCC Risk Management Life Cycle for Third Party Risk. We expect this to be the phase 1 release of a multi-phase effort to create a comprehensive toolkit that covers all eight areas.
2) Due Diligence and Third-Party Selection:
- Third-Party Risk Categorization (PPT)
- Third Party Onsite BCP-DR Guidance (DOC)
- Third-Party Risk Assessment (XLS)
- Third Party Program Checklist (DOC)
3) Contract Negotiation: *Area of Future Development*
4) Ongoing Monitoring:
- COB Assessment (PDF)
- Third Party Monitoring Program Strategies (PPT)
- Third Party Monitoring Program Basics and Mechanics (PPT)
5) Termination: *Area of Future Development*
6) Oversight and Accountability: *Area of Future Development*
7) Documentation and Reporting: *Area of Future Development*
8) Independent Reviews: *Area of Future Development*
OCC Risk Management Life Cycle for Third Party Risk
An effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:
- Planning: Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful for many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.
- Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.
- Contract negotiation: Developing a contract that clearly defines expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability, and mitigate disputes about performance.
- Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.
- Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.
In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:
- Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability.
- Documentation and reporting: Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships.
- Independent reviews: Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third-party relationships.
SIFMA welcomes input on topics and areas for future development that will help improve the maturity of third party risk programs within the industry. Please submit requests to Thomas Wagner.