Hi there,
For quite some time, excluding government agencies from your TPRM scope has generally been acceptable. Now that the new Interagency Guidance on Third-Party Relationships: Risk Management has been issued, it's reasonable to question whether regulators such as the OCC should be treated the same way as your other Third-Party Relationships. My answer is no.
The truth is organizations have limited practical options for managing risks associated with regulators (and similar government entities). This should, however, not be a great cause for concern.
Regulators are appointed by presidential administrations and governed under the oversight of Congress. Regulatory actions and agencies are subject to legal and legislative review. And while they serve an essential function in our government landscape, they should not necessarily be considered "critical" to your organization. Why? Your organization is held accountable for the third parties you choose to have a relationship with, and you have no choice regarding regulators. You also have no contractual relationship, no agreements regarding their performance, and no ability to influence their actions.
Interestingly enough, the OCC, for example, has listed a vulnerability disclosure policy (https://www.occ.gov/about/policies/vulnerability-disclosure-policy.html) that states, "We encourage security researchers to report potential vulnerabilities identified in OCC systems to us." And some other regulators post privacy policies on their websites. The point is, however, that these are not the same as actively participating in due diligence within your organization.
While industry groups often work directly with elected officials and government committees to address their concerns over regulatory requirements or actions, it is not reasonable or practical to expect individual organizations to be responsible for regulatory agencies' safe and sound operations.
I recommend adding regulatory agencies to your inventory of third parties but excluding them from TPRM requirements as a rule. Focus your TPRM efforts on the third parties with whom your organization chooses to do business and where your time will be better spent managing the real risks to your organization and your customers. Those are my thoughts, but I would love to hear other members' thoughts.