top of page
Writer's pictureSupply Wisdom

Ensuring Compliance & Protecting Your Business: Navigating Risk Management Guidance from OCC, CFPB, FDIC, FFIEC, & DORA

Written by Supply Wisdom


gavel leaning against books

It's important to remember that the primary objective of these regulatory bodies is to

ensure that you are effectively protecting your business and your customers from

unnecessary third-party risks. This approach aligns closely with third-party risk

management best practices.


Key Regulatory Bodies and Their Guidance

Office of the Comptroller of the Currency (OCC) The OCC's 2013-29 Bulletin outlines

essential principles for third-party risk management. Key areas of concern include:


  1. Planning: Ensure you have a comprehensive plan to manage third-party relationships.

  2. Due Diligence: Evaluate vendors against your organization’s risk tolerance before onboarding.

  3. Contractual Expectations and Enforcement: Define and enforce your expectations to limit liability.

  4. Ongoing Monitoring: Continuously monitor vendor performance and maintain accountability.

  5. Roles and Responsibilities: Assign clear roles and responsibilities within a structured framework.

  6. Reporting: Track and document third-party relationships for reporting and analysis.

  7. Transitioning: Develop contingency plans for service disruptions and transitions.

  8. Auditing: Utilize objective evaluations to assess your processes and tools.


Consumer Financial Protection Bureau (CFPB) The CFPB emphasizes protecting

consumer interests, with guidelines ensuring that financial institutions manage risks

effectively to avoid consumer harm.


Federal Deposit Insurance Corporation (FDIC) The FDIC's risk management guidance

focuses on maintaining the stability of the financial system. It requires banks to implement

robust third-party risk management practices.


Federal Financial Institutions Examination Council (FFIEC) The FFIEC provides a

framework for financial institutions to assess and manage third-party risks, ensuring

compliance and safeguarding operations.


Joint EU Supervisory Authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority oversee the operational resilience of EU financial sector. Together, these authorities oversee the Digital Operational Resilience Act (DORA), which mandates that firms:

  1. Maintain Strong IT Systems: Ensure systems are resilient against cyber threats.

  2. Regular Testing: Conduct regular tests to assess the effectiveness of their IT security

    measures.

  3. Incident Reporting: Implement procedures for reporting significant cyber incidents.

  4. Third-Party Risk Management: Extend risk management practices to third-party Information and Communications Technology (ICT) service providers.


Implementing Effective Third-Party Risk Management

The scrutiny of the financial services industry, as well as many other industries, continues to

increase. It's not enough to simply have a supplier monitoring tool; you must have an

effective risk management process, framework, and reporting structure to manage third party

vendors throughout their lifecycle.


About Supply Wisdom:

Supply Wisdom provides real-time alerts and insights to help companies track and

mitigate supplier- and location-based risks. Our comprehensive solution supports TPRM processes, including streamlined compliance with regulatory requirements. Contact us for more information or to get started with a free trial. Let us help you develop robust strategies and plans for third-party oversight within your organization.

154 views0 comments

Comments


bottom of page