Some Good Guidance on Third-Party Risk
One of the nation’s top banking regulators just dropped some fresh guidance about third-party risk management, well worth any compliance professional’s time if you’re looking for advice on regulatory compliance or just good insight on third-party risk generally.
The Office of the Comptroller of the Currency, regulator for the country’s community banks, published the guidance on March 5. The document addresses everything from documentation of vendor relationships, to audits of vendors, to oversight of subcontractors working with your vendors, and much more. The guidance is also in Q&A format, easy to read even for a well-versed layman.
What’s interesting is that this guidance seems to be another step banking regulators are taking toward operational resilience — that is, a bank’s ability to withstand sudden disruptions, whether those disruptions come from cyber attacks, pandemics, natural disasters, or anything else. Vendor risk is very much a part of that potential threat, so as regulators keep pushing banks to do better at resilience, oversight of your vendors will keep becoming a higher priority.
For example, right at the top OCC warns readers: “Bank management should conduct in-depth due diligence and ongoing monitoring of each of the bank’s third-party service providers that support critical activities.”
Will you get all the information you want from those vendors? Of course not. In that case, however, OCC then expects banks to…
- Understand the risks their vendors pose;
- Develop mitigating controls to reduce those risks;
- Make thoughtful decisions that, yes, this vendor is the best provider we can find so we’re using ’em anyway, even if we can’t get all the data we want;
- And then document all your efforts to obtain the information relevant to the first three bullet points.
As daunting as those tasks sound, conceptually they aren’t much different from the third-party oversight duties compliance officers have been performing for FCPA compliance for years. All the points above can also be found in the Justice Department’s guidance on FCPA compliance programs from 2012.
Nobody is reinventing the wheel here; OCC is just using that wheel to carry a different type of compliance burden.
A Word on Fourth Parties
Another useful portion of the guidance addressed subcontractors to your third parties. Those subcontractors are your fourth parties, and as every compliance officer already knows, good luck getting any decent amount of assurance over those folks. They’re just too far away from your operations.
So in that case, what are your duties to oversee that subcontractor risk?
During due diligence, bank management should evaluate the volume and types of subcontracted activities and the subcontractors’ geographic locations. Bank management should determine the third party’s ability to identify and control risks from its use of subcontractors and to determine if the subcontractor’s quality of operations is satisfactory…
In other words, the due diligence you perform on your third parties should include an assessment of how well those vendors perform due diligence on their third parties. For example, you could ask your third party for a SOC 1 Type II report, which is an independent audit of an organization’s ability to monitor subcontractors. (Don’t confuse this with a SOC 2 Type II report, which looks at a vendor’s data security controls.)
Your contracts with vendors should also include clauses requiring them to notify you about relationships with subcontractors that might be relevant to your relationship with the vendor. That could include…
- Any breaches a subcontractor suffers that include your data.
- The location of subcontractors processing your data.
- The names of subcontractors that have access to your company’s confidential data.
- Whether subcontractors provide critical services to your vendor, especially if that vendor provides critical services to you.
The OCC material on fourth parties is good, practically a checklist of items that you should include in your third-party due diligence process. And yet again, all of this supports what I humbly call Kelly’s Law of Third Party Risk Management.
The better your firm is at managing third-party risk, the more attractive you become as a third party to others.
Because, really, this stuff is a pain in the neck. When you’re choosing between two vendors, and one of them makes fourth-party assurance easier, you’ll go with them. So be that vendor for the next person, too.
Roles and Responsibilities for a Program
The OCC guidance goes into detail about how you should manage your relationship with each vendor. What it doesn’t discuss is how you should conduct vendor risk management at scale, with thousands of vendors.
So one point compliance, audit, and risk professionals should ponder while reading this guidance is who does what: how you build a vendor risk management program and parcel out responsibility for it among the various risk assurance teams, and how you might use technology to execute the program efficiently.
For example, your due diligence program should interface with the company’s accounting program, to block payments to vendors whose due diligence is incomplete. (I know, I know; we should also have world peace, but here we are.) You could also use contract management software to assure that vendor contracts include all the key clauses mentioned above.
There’s also the personnel question. For most issues — especially in the banking sector, but also for all companies pondering anti-corruption — written policies are the standard, and the compliance officer should take point on assuring that those policies get written. Internal audit teams can also go to town testing the many, many best practices recommended in the OCC guidance.
The sticking point for most companies will be who enforces vendor risk management. Who tells procurement to change its policies, or (if you have no procurement function) who tells operating units that their prior ways of picking up vendors will need to become much more rigorous?
I have no good answer for that, beyond the standard response that you need executive support to make these compliance and risk management ideas a reality.
In some cases, regulators do force the issue. For example, in the banking world, OCC rules do say the board of directors should approve contracts with vendors providing critical services to your firm. The SEC and Justice Department have also made it abundantly clear that the board bears ultimate responsibility for assuring that the company has some method to address FCPA risks.
The tricky part here is that lots of regulators talk about board-level responsibility for specific risks (anti-corruption, data security, liquidity, resiliency), including how vendors might contribute to those risks, but no regulator treats vendor risk management as a single thing unto itself that the board is responsible for getting done.
Hence we end up with these piecemeal efforts that frazzle everyone down to the nub, when the smartest approach would be to start with one holistic risk assessment and monitoring program. So that’s one more thing to solve in the 2020s.
But do read the OCC guidance. Whatever your industry, there’s stuff in there that’s worth your time.