Proposed Inter-Agency Guidance Would Rewrite the Book on Third-Party Risk Management and Raise the Bar for SOC 2 Compliance

In 2013, the Office of the Comptroller of the Currency (OCC) provided guidance to national banks for assessing and managing risks associated with third-party relationships. Shortly thereafter, the Federal Reserve released their own guidance on managing outsourcing risk. This guidance was spawned due to the ever-increasing reliance on third parties coupled with a significant rise in cyberattacks and operational risk associated with vendors.

The need for increased oversight and governance of third parties was clear. Years later, it is evident that this regulatory change drove the rapid growth in Service Organization Control Reports (SOC 2) as many other industry verticals followed suit.

And now, the regulators are at it again, but this time with a unified voice. In July 2021, for the first time ever, the Federal Reserve System (Fed), FDIC, and OCC released new, proposed guidance that would enhance that of the OCC from 2013.

This new unified guidance signals a need for harmonization in the financial services industry around managing third parties.

Why Now?

Well, the traditional outsourcing activities are continuing and on the rise, but now the banks are entering into new partnerships with fintech companies and introducing new risks into the financial system.

Existing, Disparate Infosec Standards

To understand the new interagency guidance proposal, we need to examine the regulations that have preceded it.

In 2008, the FDIC issued “Guidance for Managing Third-Party Risk,” which was followed in 2013 by “Guidance on Managing Outsourcing Risk” from the Federal Reserve and the OCC’s “Third-Party Relationships: Risk Management Guidance.”

Almost a decade later, the financial technology sector has exploded with innovation and added thousands of new innovative tech partners and vendors to the space. This has catalyzed the need for updated, harmonious regulations. But first, let’s understand what the landscape looks like today.

OCC 2013 Guidance

The 2013 guidance issued by the OCC outlined steps banks should take to secure their consumers’ data, protect their financial records, and create safeguards to guarantee the integrity and availability of services. They called for a risk-based approach to managing third parties and were very prescriptive in their expectations around managing the lifecycle of vendors – including vendor selection, ongoing monitoring, and management and termination.

All eyes are on the final draft of this new guidance and the regulators have requested comments from the industry.

Overview of the Proposed Regulation

These guidelines require bank executives and management to claim responsibility for risk associated with third-party service providers. While many financial services have existing vendor management and procurement processes, the new regulation requires these processes to exist inside a formal framework.

As with most issued guidance, the proposed shifts are small but mighty. The agencies primarily recognize the importance of regulating not only third parties but vendors that store or transfer your third-parties’ data as well. This ripple effect pulls fourth and fifth parties into scope when assessing information privacy and security.

Lack of Harmonization within the Industry

While Fed, OCC and FDIC have put forward security guidelines previously, this is the first time all three came together to condense and commit to one set of requirements. Not all financial institutions are regulated by the same regulators, but it is likely that vendors could sell into each industry and find the need to comply with all three slightly different compliance standards.

As the first unified guidance, we expect the reaction to amend existing disparities and lack of cohesiveness.

The hope: this isn’t just another standard. This will trickle down to small local banks and businesses, driving harmonization across the financial industry.

Taking a Risk-Based Approach

The document requires high-risk vendors providing critical services to be managed under the most stringent and comprehensive systems. The decision is largely left up to the banks to decide what determines criticality.

The draft also indicates that regulated banks should prepare to discuss and defend their risk-based approach when it departs from the guidance. For example, when assessing a third-party’s finances, the guidance states that the “analysis required may be as comprehensive as if it were extending credit to the third party.”

Though vague, the proposed guidance explicitly states that vendors must be managed based on risk and criticality. A lack of risk-based analysis has been deemed an unsafe or unsound process, exposing the regulated bank and their customers to breaches.

The document goes so far as to state that financial analysis should reach to credit-approval levels for high-risk vendors, and if an organization claims not to hold any relationships with critical vendors, they’ll need to explain that claim.

Expanding the Vendor Management Process

The governing bodies outlined six steps that banks should follow when managing vendors, which are largely in effect at most financial services currently. The process begins with scoping, detailing exactly how the bank will handle procurement; assessment, selection, and oversight of vendors; and followed by due diligence and procurement.

Most vendors and partners to the financial services firms are likely familiar with security questionnaires already, but this step asks banks to perform the appropriate due diligence to select vendors commensurate with the criticality of their service.

After procurement is satisfied, banks need to assign stakeholders to negotiate contracts and document any SLAs that determine the responsibilities of each party. The FDIC, OCC and Fed ask banks to define oversight and responsibilities of the stakeholders and processes responsible for vendor management. This should include their board of directors and management team, as well as documentation and independent reviews.

As we see the industry moving toward higher standards for continuous compliance, the interagency guidance calls for monitoring vendor activity and performance on an ongoing basis by the bank’s assigned stakeholders. And finally, the bank must develop a contingency plan for the termination of a third-party service provider relationship.

Differentiating the New Guidance

The most notable part of this new guidance is the triad of regulators presenting it. However, there are a number of other departures from the norm, like requiring the business to examine third-party’s diversity policies and hiring practices.

Importantly, the document defines a third-party entity, widening the scope of the term to include casual relationships with partners or vendors. Banking organizations will need to create a standard, internal definition of vendors and prepare to defend their classification. This becomes especially pertinent when including (or excluding) non-traditional vendors.

Industry Implications

For larger banking organizations that have mature third-party risk management programs following the OCC’s 2013 guidance, there should be minimal changes to existing programs. For smaller institutions currently subject to the Federal Reserve or FDIC Guidance, which is generally less prescriptive and detailed than the proposed guidance and the OCC Guidance on which it is based, the new document may represent a more meaningful change.

Service providers and fintechs can anticipate an increased level of rigor when selling into or partnering with banks, from the procurement processes to annual diligence to ongoing monitoring requirements.

Compliance Challenges for Growing Businesses

Finally, these large agencies seek to protect the banking system more broadly and regulate and protect consumers’ data and the availability of services especially due to ever-increasing cyberattacks and the introduction of new risks associated with new innovative technologies. These requirements do however pose a heavy burden on small, growing tech companies that don’t have the information security and compliance expertise and resources to maintain robust security and compliance programs.

The industry needs to provide a solution to support the cycle of innovation and make it easier for smaller tech companies to comply with this higher bar by being open to stage-appropriate solutions to secure information within startup environments and in a similar way, to examining criticality and closing gaps as the business scales.