INDUSTRY ADVISORY: Regulators Escalate Calls for Third-Party Oversight
Curt Buerling, David Everest, and April A. Breslaw
Ever since 2013, when the Office of the Comptroller of the Currency (OCC) issued what was considered the most comprehensive federal guidance ever on third-party oversight,(1) blogs, journals, and conference panels have pored over growing compliance obligations and related multimillion-dollar enforcements across the regulatory spectrum, at financial institutions large and small.
A spate of recent developments only adds grist to the mill, including:
• The Federal Deposit Insurance Corporation’s Office of Inspector General (FDIC OIG) in February released “Technology Service Provider Contracts with FDIC-Supervised Institutions,” an evaluation of banks’ third-party oversight along with recommendations.(2)
• The New York State Department of Financial Services’ self-proclaimed “first-in-the-nation” cybersecurity regulation went into effect in March, with extensive provisions addressing third parties.(3)
• The Justice Department’s Fraud Section recently published its “Evaluation of Corporate Compliance Programs” methodology, which also includes significant third-party management considerations including risk-based processes, appropriate controls, relationship management, and “real actions and consequences” for compliance issues.(4)
• The Federal Financial Institutions Examination Council (FFIEC) has revamped the system used by its members to assign consumer compliance ratings.(5) Among other provisions, the revised rating system requires examiners to consider whether companies conduct adequate due diligence and oversight of third parties. This means that companies’ consumer compliance ratings may be adversely affected if they fail to adequately manage the risks associated with outsourcing. The agencies that participate in the FFIEC will begin by April to use the new rating system in examinations. These include the Board of Governors of the Federal Reserve, FDIC, OCC, Consumer Financial Protection Bureau (CFPB), and states that assign consumer compliance ratings.
• The OCC updated its examination procedures for third-party relationships in January.(6)
• At the Federal Trade Commission, some see the writing on the wall for financial services companies and their third-party service providers, as the agency has stepped up its enforcement of consumer data security and privacy across the electronics, healthcare, and other industries.
Examples of related enforcement, meanwhile, include CFPB and OCC consent orders holding major banks responsible for service provider misrepresentations to consumers and unfair billing practices in connection with credit card add-on products. The orders required hundreds of millions of dollars in consumer relief, including two over $700 million. Notably, the agencies found that the banks had not effectively managed their service providers. As a result, all were required to improve their oversight of third parties. Both the CFPB and the OCC also imposed substantial penalties against the banks.
FDIC OIG Findings Underscore Today’s Level of Scrutiny
Many banks’ outsourcing arrangements with third parties such as technology service providers still lack necessary protections for business continuity, cybersecurity, and customer data privacy, according to the FDIC OIG’s February findings.
Bankers are well aware of the issues. Last year, less than a third of businesses rated their risk management programs as highly effective in the “Data Risk in the Third-Party Ecosystem” survey, conducted by the Ponemon Institute and commissioned by Treliant Risk Advisors and the Buckley Sandler law firm.(7) More than a third of survey respondents said they did not even believe their primary third-party vendor would notify them in the event of a data breach involving sensitive and confidential information.
It is now clearer than ever that time is not on the financial services industry’s side. FDIC supervision is escalating its calls for greater alignment of risk assessments, contract due diligence, and monitoring of third-party technology and service companies with guidance it has given over the past two years. The agency will revisit the matter in October 2018 with a “full horizontal review,” across several financial services companies, of the effectiveness of their third-party contracts. The review will then form the basis of any further action it deems necessary. In the meantime, the FDIC promised ongoing supervisory attention to the matter.
For its recent evaluation, the FDIC OIG sampled 48 critical or high-risk contracts and concluded that many agreements between financial services companies and their third-party providers predate its guidance. While not asking financial institutions to renegotiate current third-party contracts solely in response to its guidelines, the agency is encouraging clearer communications with third parties on business continuity and incident response concepts, guidance, and expectations. It warned against transferring ultimate responsibility for continuity and information security to third parties. And it suggested that many financial services companies may need to improve their contract management skills and focus.
The Final Analysis
The FDIC example above, and the several other regulatory campaigns now focusing on third parties, come at an interesting time. With the new presidential administration in office, talk has focused on overturning regulations. In early February, President Trump met with advisors to roll back “core principles” related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, which could remove numerous restraints on the financial services industry.
Financial institutions should not lose focus, however. Regardless of the rise and fall of regulatory drivers in Washington, third-party oversight is a sound business practice and a strong risk management tool. The combination of comprehensive due diligence, clear contracts, and ongoing oversight provides the best insurance to protect the viability and profitability of any enterprise.
This Advisory was provided by Curt Buerling, David Everest, and April A. Breslaw.
• Curt Buerling, Manager, has nearly 30 years of experience specializing in information security, cybersecurity, privacy, compliance, operational risk, and enterprise infrastructure and operations for clients in financial services and other industries. firstname.lastname@example.org
• David Everest, Senior Manager, is an experienced professional specializing in process improvements, third-party oversight program development, information security, model risk, and operational risk. email@example.com
• April Breslaw, Senior Advisor, has held multiple leadership positions at federal financial regulatory agencies, including Deputy Assistant Director, Office of Supervision Policy, at the Consumer Financial Protection Bureau, which she joined as it was being built in 2010. She is deeply knowledgeable and well-positioned to assist financial services companies in addressing compliance risks and responding to regulatory, supervisory, and enforcement concerns. firstname.lastname@example.org
1 “Third-Party Relationships: Risk Management Guidance,” Office of the Comptroller of the Currency; https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
2 “Technology Service Provider Contracts with FDIC-Supervised Institutions,” Federal Deposit Insurance Corporation, Office of Inspector General; https://www.fdicig.gov/reports17/17-004EV.pdf
3 “Cybersecurity Requirements for Financial Services Companies,” New York State Department of Financial Services; http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
4 “Evaluation of Corporate Compliance Programs,” Justice Department, Criminal Division, Fraud Section; https://www.justice.gov/criminal-fraud/page/file/937501/download
5 “FFIEC Issues Uniform Interagency Consumer Compliance Rating System,” Federal Financial Institutions Examination Council;
6 “Third-Party Relationships: Supplemental Examination Procedures,” Office of the Comptroller of the Currency; https://www.occ.gov/news-issuances/bulletins/2017/bulletin-2017-7.html
7 “Data Risk in the Third-Party Ecosystem,” Ponemon Institute, BuckleySandler and Treliant; https://buckleysandler.com/