It’s been an exciting week in the 3rd party oversight arena, first with the OCC’s revised third party guidance released on October 31st and then, on November 7th, the formal release of the latest PCI DSS, version 3.0. As expected, both the OCC’s guidance and the latest PCI data security standard release will have a significant impact on third party security related governance, process, and evaluation, and that’s a very good thing. And as we’ve said before, updates to both releases – at a high level – are designed to move the industry toward a much more purposeful focus on third party risks and security related process (including governance) and assuredness. Said another way, in terms of the Shared Assessments Vendor Risk Management Maturity Model, the OCC is pushing the industry to levels 4 and 5 performance.
The OCC’s updated guidance contains newly enhanced prescriptive guidance on the roles and responsibilities of three bank cohort groups (the board of directors, bank senior management, and bank employees who directly manage third party relationships – see Appendix). It’s worth focusing here on Board responsibilities for two reasons: first, the depth of roles as defined by the OCC for this activity is unusual, giving the board of directors in practice an ongoing management role at a level not previously seen, and second, because it would seem in today’s climate that boards would be unwise to “delegate” these responsibilities to senior management even in part, which might have been common at another time. The OCC is clearly trying to influence “tone at the top,” which is essential if the industry is to make step function strides in third party risk management.
Three board level responsibilities are particularly interesting, and let’s digest them one by one. First, the new guidance requires that boards review summaries of due diligence results and management’s recommendations to use third parties that involve critical bank activities. For third parties supporting those critical bank activities, boards will need to understand what management found when reviewing the third party’s hygiene in all relevant respects, as well as the economic and practical case for outsourcing those activities in the first place. That’s critical for the board to have the information required to approve these contracts, which is also a requirement. That process should lead to less rubber-stamping of management requests.
The new guidance also emphasizes the ongoing nature of third party due diligence, with the pace of periodic review intervals tied to the relative risk of the outsourced activity. Senior management is responsible for evaluating the results of those ongoing reviews with the board on an ongoing basis, thereby keeping the board focused on the relative risk associated with those critical activities and the company’s effectiveness in mitigating those risks.
And perhaps the most striking responsibility of them all is the expectation that boards will review the results of periodic and newly prescribed independent reviews of the bank’s third-party risk management process. The OCC now expects that banks will initiate regular third party reviews of their own third party risk management process, with board level review, and that is an enormously significant obligation. This new provision takes third party risk management full circle at the board level, anticipating external reviews of this critical risk mitigation activity, presumably even incorporating the board’s effectiveness in this revised role.
For years the industry has done a good job describing the characteristics of a properly functioning, mature corporate risk control environment (for example COSO Integrated Risk Management, COBIT, and others). With the latest OCC guidance, the industry should – at last – move at a much faster pace toward vendor risk management proficiency.
OCC’s Third Party Relationship Roles and Responsibilities
OCC’s Third Party Relationships Guidance, October 30, 2013
For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.