FDIC guidance for managing third party risk


Michael Rasmussen, Contributor
08.19.2008

Financial service organizations have aggressively pursued and capitalized on the economies that third party relationships bring to enhance and streamline business and IT operations. Defining an organization's boundaries has become difficult as the extended enterprise of business relationships has built an intricate web that blurs organizational borders. In the past, third party relationships were entered into without much thought of the risk they bring to the business environment.

Regulators have been evaluating third party relationships within financial services organizations for several years; however, organizations lacked clear guidance on how to appease regulators. That changed this past June when the Federal Deposit Insurance Corporation (FDIC) released guidance for managing third party risk.

The FDIC has been active in reviewing financial service organizations' risk management practices, including third party risk, as part of its normal ongoing examination process. Its examination of third party risk focuses on identifying how the organization assesses, measures, monitors, and controls risk in these extended enterprise relationships.

The common practice of assuring that an indemnity agreement is in place is clearly not enough. An indemnity agreement does not and cannot adequately cover an organization's strategic, operational, and reputational risks. Further, compliance risk is something that cannot be covered by an indemnity agreement: if a financial organization is out of compliance as the result of the activities of a third party, it is the financial service organization that is held accountable.

Responsibility for risk management is a top-down effort. The FDIC clearly states that responsibility falls on the shoulders of the executive management and board of directors.

The current guidance from the FDIC requires that financial organizations have a four-fold process in managing risks in third party relationships:

Risk assessment: The financial organization is to have a defined approach and process for identifying risks in new and existing third party relationships.

Due diligence in selecting third party relationships: After identifying risk, the organization has to demonstrate that it has a due diligence process in place to select the third party relationship that minimizes its exposure to risk.

Contract structuring and review: Further, financial organizations are to have a thorough contracting process in place to protect the organization from risk and ensure that the proper controls are in place in the relationship to manage risk and comply with regulations.

Oversight: Finally, the organization is to have board oversight of risk in third party relationships, as well as ongoing assurance by management that risk management, controls, and compliance with contractual requirements are in place within these relationships.

Best practices for success
To meet these four requirements, here are some leading practices in financial services firms:

Adoption of a risk assessment methodology: The foundation for any risk management process is a sound risk assessment methodology that outlines the risk identification, assessment, measurement, and monitoring process. Some have turned to the COSO Enterprise Risk Management Framework (.PDF), but many find the approach to be confusing and difficult to apply. The Australia/New Zealand Risk Management Guideline 4360:2004 (.PDF) provides a very flexible risk framework that can be applied to a range of risk management areas -- it is also the basis for a new international ISO standard, ISO 31000, which will be released in draft form to the public in early 2009.

Application of a standard for measuring risk in third party relationships: Not all third party relationships have the same risk profile and impact on a financial organization's operations. This requires that some process be in place for the financial service organization to measure the level of risk in proposed, new, and existing third party relationships.

Implement a software platform to manage risk: Managing risk across a web of business relationships is difficult, and it is impossible without the use of technology. Leading organizations, within financial services and in other industry verticals, are adopting platforms to manage risk and compliance across their business relationships. Implementation of these platforms includes the ability to communicate contracts, policies, procedures and controls; train third party personnel on requirements and expectations; provide a platform for third parties to conduct a self-assessment of their compliance with contracts; and supply auditors the information they need to independently assess third party relationships. As business partner relationships exist in great numbers and diversity, one option is to implement Software as a Service (SaaS) platforms to manage risk and compliance in the extended enterprise.

Consider the BITS shared assessment program: Finally, financial service organizations should carefully evaluate the ability of the BITS/Financial Services Roundtable shared assessment program to ease the burden of contractual and regulatory compliance audits on third party relationships.

About the author:
Michael Rasmussen (mrasmussen@corp-integrity.com) is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC). He is a sought-after keynote speaker, author and collaborator on GRC issues around the world and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy & research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.
