Third Party Risk Management

Today, third parties provide and enable more and more critical services to firms within the financial services industry. The process of outsourcing technology and services has reached a point for many firms where they are completely reliant on third parties to provide mission critical services to their customers and counterparties. However, as stated in the October 30, 2013 release by the Office of the Comptroller of the Currency (OCC), “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.” In order for firms to maintain oversight and exercise their responsibility, it is critical that firms have in place and maintain a robust and mature third party risk management program that encompasses all aspects of risk and the many stages of the lifecycle that a third party relationship will transition through, as stipulated in a recent release by the Federal Reserve Board.


SIFMA Response

In response to the increased risks posed to the financial industry, such as the concentration risk noted by firms due to consolidation of services, and the increased regulatory scrutiny, the SIFMA membership organized a Task Force composed of over 40 firms to review these concerns. The Task Force determined that the focus of effort should consider the following:

Develop a clear matrix of all global regulations that pertain to third party risk, so that firms have a clear view of their regulatory obligations, and map those regulations to the OCC Risk Management Life Cycle for Third Party Risk.
Assist firms in maturing their internal third party risk management programs by providing tools, templates and guidance from across the membership.
Align all work to the OCC Risk Management Life Cycle for Third Party Risk to provide a complete structure for how firms should be viewing the issue.

Regulation Mapping

The Task Force Working Group identified 17 different regulations globally that relate to third party risk. The key criteria of those regulations have been captured in the two documents below and mapped to the OCC Risk Management Life Cycle for Third Party Risk. In addition, we have provided links to each of the identified rules.

List of Regulations: 

Third Party Risk Management Program Toolkit

In order to improve the internal risk management programs of the members, a program toolkit Working Group was formed to create and donate effective tools, templates and guidance that could be leveraged by all in the industry to address this risk and, as much as possible, standardize the manner in which certain activities are conducted. The pieces of the toolkit are organized below to map to the OCC Risk Management Life Cycle for Third Party Risk. We expect this to be the phase 1 release of a multi-phase effort to create a comprehensive toolkit that covers all eight areas.

1) Planning: 

2) Due Diligence and Third-Party Selection:

3) Contract Negotiation: *Area of Future Development*

4) Ongoing Monitoring:

5) Termination: *Area of Future Development*

6) Oversight and Accountability: *Area of Future Development*

7) Documentation and Reporting: *Area of Future Development*

8) Independent Reviews:  *Area of Future Development*

Download the completed set of documents here. (ZIP)

OCC Risk Management Life Cycle for Third Party Risk


An effective third-party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:

  • Planning:  Developing a plan to manage the relationship is often the first step in the third-party risk management process. This step is helpful for many situations but is necessary when a bank is considering contracts with third parties that involve critical activities.
  • Due diligence and third-party selection: Conducting a review of a potential third party before signing a contract helps ensure that the bank selects an appropriate third party and understands and controls the risks posed by the relationship, consistent with the bank’s risk appetite.
  • Contract negotiation: Developing a contract that clearly defines expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the bank’s liability, and mitigate disputes about performance.
  • Ongoing monitoring: Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the bank’s ability to manage risk of the third-party relationship.
  • Termination: Developing a contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, when the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.

In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:

  • Oversight and accountability: Assigning clear roles and responsibilities for managing third-party relationships and integrating the bank’s third-party risk management process with its enterprise risk management framework enables continuous oversight and accountability.
  • Documentation and reporting: Proper documentation and reporting facilitates oversight, accountability, monitoring, and risk management associated with third-party relationships.
  • Independent reviews: Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by third-party relationships.


SIFMA welcomes input on topics and areas for future development that will help improve the maturity of third party risk programs within the industry. Please submit requests to Thomas Wagner.