You bring up such a good point. Because the FedNow service is an elective, specific service (cash settlement), yes, it should be treated as a third party. That means full due diligence and all. In my quick research, I couldn't find any substantial cybersecurity information either. You'll have to keep us posted if you are able to actually obtain evidence of those controls.
However, regarding a regulator that is operating in its typical oversight capacity, I still maintain that there is little an organization can/should do regarding TPRM.
I am curious if other members have experience with products or services offered by the FED and how they conducted due diligence.
Original Message:
Sent: 09-20-2023 02:47 PM
From: Gene Fox
Subject: Performance Monitoring for Industry Regulator
Hilary, I would like to put a bit of a spin on your answer to see if you think it is the same.
The Fed now offers FedNow, a real-time cash settlement service between participating financial institutions. This is elective and not required. I have read their circular on the product, and they do not get into details of their data security, which is my biggest issue. Because we will be facilitating the movement of cash through an elective service offering from the Fed, should they now be treated as a true third party?
Gene Fox
VP, Third-Party Risk Management Officer
-------------------------------------------
Original Message:
Sent: 9/20/2023 12:40:00 PM
From: Hilary Jewhurst
Subject: RE: Performance Monitoring for Industry Regulator
Hi there,
For quite some time, excluding government agencies from your TPRM scope has generally been acceptable. Now that the new Interagency Guidance on Third-Party Relationships: Risk Management has been issued, it's reasonable to question whether regulators such as the OCC should be treated the same way as your other Third-Party Relationships. My answer is no.
The truth is organizations have limited practical options for managing risks associated with regulators (and similar government entities). This should, however, not be a great cause for concern.
Regulators are appointed by presidential administrations and governed under the oversight of Congress. Regulatory actions and agencies are subject to legal and legislative review. And while they serve an essential function in our government landscape, they should not necessarily be considered "critical" to your organization. Why? Your organization is held accountable for the third parties you choose to have a relationship with, and you have no choice regarding regulators. You also have no contractual relationship, no agreements regarding their performance, and no ability to influence their actions.
Interestingly enough, the OCC, for example, has posted a vulnerability disclosure policy (https://www.occ.gov/about/policies/vulnerability-disclosure-policy.html) that states, "We encourage security researchers to report potential vulnerabilities identified in OCC systems to us." And some other regulators post privacy policies on their websites. The point is, however, that these are not the same as actively participating in due diligence within your organization.
While industry groups often work directly with elected officials and government committees to address their concerns over regulatory requirements or actions, it is not reasonable or practical to expect individual organizations to be responsible for regulatory agencies' safe and sound operations.
I recommend adding regulatory agencies to your inventory of third parties but excluding them from TPRM requirements as a rule. Focus your TPRM efforts on the third parties with whom your organization chooses to do business and where your time will be better spent managing the real risks to your organization and your customers. Those are my thoughts, but I would love to hear other members' thoughts.
Original Message:
Sent: 09-15-2023 12:44 PM
From: Anonymous Member
Subject: Performance Monitoring for Industry Regulator
This message was posted by a user wishing to remain anonymous
Wondering what approaches other companies use to monitor the performance of industry regulators like the OCC, FRB, etc. Clearly these are critical relationships, and failure would lead to systemic failures; however, getting their participation in monitoring activities like QBRs is a challenge. Insights and best practices are greatly appreciated.