Written by Supply Wisdom
It's important to remember that the primary objective of these regulatory bodies is to
ensure that you are effectively protecting your business and your customers from
unnecessary third-party risks. This approach aligns closely with third-party risk
management best practices.
Key Regulatory Bodies and Their Guidance
Office of the Comptroller of the Currency (OCC)
The OCC's 2013-29 Bulletin outlines essential principles for third-party risk management. Key areas of concern include:
Planning: Ensure you have a comprehensive plan to manage third-party relationships.
Due Diligence: Evaluate vendors against your organization’s risk tolerance before onboarding.
Contractual Expectations and Enforcement: Define and enforce your expectations to limit liability.
Ongoing Monitoring: Continuously monitor vendor performance and maintain accountability.
Roles and Responsibilities: Assign clear roles and responsibilities within a structured framework.
Reporting: Track and document third-party relationships for reporting and analysis.
Transitioning: Develop contingency plans for service disruptions and transitions.
Auditing: Utilize objective evaluations to assess your processes and tools.
Consumer Financial Protection Bureau (CFPB)
The CFPB emphasizes protecting consumer interests, with guidelines ensuring that financial institutions manage risks effectively to avoid consumer harm.
Federal Deposit Insurance Corporation (FDIC)
The FDIC's risk management guidance focuses on maintaining the stability of the financial system. It requires banks to implement robust third-party risk management practices.
Federal Financial Institutions Examination Council (FFIEC)
The FFIEC provides a framework for financial institutions to assess and manage third-party risks, ensuring compliance and safeguarding operations.
Joint EU Supervisory Authorities
The joint EU supervisory authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority, oversee the operational resilience of the EU financial sector. Together, these authorities oversee the Digital Operational Resilience Act (DORA), which mandates that firms:
Maintain Strong IT Systems: Ensure systems are resilient against cyber threats.
Test Regularly: Conduct regular tests to assess the effectiveness of their IT security measures.
Report Incidents: Implement procedures for reporting significant cyber incidents.
Manage Third-Party Risk: Extend risk management practices to third-party Information and Communications Technology (ICT) service providers.
Implementing Effective Third-Party Risk Management
Scrutiny of the financial services industry, as well as of many other industries, continues to increase. It is not enough to have a supplier monitoring tool; you must have an effective risk management process, framework, and reporting structure to manage third-party vendors throughout their lifecycle.
About Supply Wisdom:
Supply Wisdom provides real-time alerts and insights to help companies track and mitigate supplier- and location-based risks. Our comprehensive solution supports TPRM processes, including streamlined compliance with regulatory requirements. Contact us for more information or to get started with a free trial. Let us help you develop robust strategies and plans for third-party oversight within your organization.