Third-Party Relationships: Frequently Asked Questions
Author: Ryan Rodrigue
The Office of the Comptroller of the Currency (OCC) recently released an updated FAQ on third-party management expectations for banks of all sizes. The document contains no new guidance or requirements. However, the FAQ addresses a number of concerns regarding third-party risk that we continue to hear about from our customers.
In particular, it addresses:
- Banks’ use of fintech providers and startup tech companies,
- Relationships with third-party aggregators (such as Mint and You Need a Budget),
- Oversight related to your vendors’ subcontractors, and
- Strategies for vendors with whom you have limited information or negotiating leverage.
The FAQ also includes information about:
- Risk assessing these various third-party relationships, and
- Tailoring oversight requirements based on risk.
Key takeaways from the third-party relationships FAQ
Cloud Providers & Data Aggregators:
- Cloud providers unambiguously fall under the vendor and third-party management requirements. When vendors themselves rely on cloud providers (which is common among SaaS providers), the bank should be aware of those subcontracting arrangements.
- Data aggregators often have no direct relationship with the bank, and in that case they are not considered third-party service providers. However, a bank can establish a direct relationship with an aggregator, which then brings it within scope. Examples include:
  - Providing the aggregator with API access,
  - Entering into a data-sharing arrangement, and
  - Imposing specific security requirements on the aggregator.
- The FAQ defines “critical activities” and provides general guidance on how to perform risk assessments based on this and other factors.
- Fintech providers may or may not perform “critical activities” as defined above. If they do, a “comprehensive and rigorous” level of monitoring and oversight is expected.
- The bank’s direct responsibility regarding its vendors’ subcontractors is generally limited to supervising the vendor’s own oversight program for those subcontractors.
  - A SOC report should contain sufficient information about these processes; confirm that the report’s scope actually covers the relevant subcontractors (subservice organizations) rather than carving them out.
  - In addition, the bank should know which subcontractors are used and should contractually require notification when the vendor engages new ones.
- Collaborative arrangements in which multiple institutions obtain due-diligence information from the same service provider can be useful. However, the risk that the service poses to each institution may differ.
  - As a result, each institution still needs to perform its own risk analysis.
  - The same applies to tools and services that provide security evaluations of your third parties: they can inform, but not replace, your own assessment.
Considerations for Fintechs
- Fintechs (especially startups) are likely to have limited information available regarding their financial condition and internal controls. As a result, banks should have contingency plans for providers that cannot demonstrate their financial viability.
- A lack of internal controls, or a lack of evidence of internal controls, should be treated as a risk and evaluated according to the nature of the vendor’s services and your own risk appetite.
Other Key Points:
- In some cases, banks have very little negotiating leverage with a third party, or the third party is unwilling to provide requested information. In these cases, the bank should implement mitigating controls where possible, or evaluate any remaining deficiencies against its risk appetite and document the decision.
- While monitoring and oversight are required for all vendors, the degree of oversight should be based on risk. Low-risk vendors will typically receive less oversight, consistent with bank policy. Vendor risk ratings still need to be reassessed over time to confirm that a vendor remains low risk.