Wondering what approaches other companies use to monitor the performance of Industry Regulators like OCC, FRB, etc. Clearly these are critical relationships and failure would lead to systemic failures; however, getting their participation in monitoring activities like QBRs is a challenge. Insights and best practices are greatly appreciated.
For quite some time, excluding government agencies from your TPRM scope has generally been acceptable. Now that the new Interagency Guidance on Third-Party Relationships: Risk Management has been issued, it's reasonable to question whether regulators such as the OCC should be treated the same way as your other Third-Party Relationships. My answer is no.
The truth is organizations have limited practical options for managing risks associated with regulators (and similar government entities). This should, however, not be a great cause for concern.
Regulators are appointed by presidential administrations and governed under the oversight of Congress. Regulatory actions and agencies are subject to legal and legislative review. And while they serve an essential function in our government landscape, they should not necessarily be considered "critical" to your organization. Why? Your organization is held accountable for the third parties you choose to have a relationship with, and you have no choice regarding regulators. You also have no contractual relationship, no agreements regarding their performance, and no ability to influence their actions.
Interestingly enough, the OCC, for example, has listed a vulnerability disclosure policy https://www.occ.gov/about/policies/vulnerability-disclosure-policy.html that states, "We encourage security researchers to report potential vulnerabilities identified in OCC systems to us." And some other regulators post privacy policies on their websites. The point is, however, that these are not the same as actively participating in due diligence within your organization.
While industry groups often work directly with elected officials and government committees to address their concerns over regulatory requirements or actions, it is not reasonable or practical to expect individual organizations to be responsible for regulatory agencies' safe and sound operations.
I recommend adding regulatory agencies to your inventory of third parties but excluding them from TPRM requirements as a rule. Focus your TPRM efforts on the third parties with whom your organization chooses to do business and where your time will be better spent managing the real risks to your organization and your customers. Those are my thoughts, but I would love to hear other members' thoughts.
Hilary, I would like to put a bit of a spin on your answer to see if you think it is the same.
The Fed now offers FedNow, a real-time cash settlement service between participating financial institutions. This is elective and not required. I have read their circular on the product and they do not get into details of their data security, which is my biggest issue. Because we will be facilitating the movement of cash through an elective service offering from the Fed, should they now be treated as a true third party?
VP, Third-Party Risk Management Officer
Original Message:
Sent: 09-15-2023 12:44 PM
From: Anonymous Member
Subject: Performance Monitoring for Industry Regulator
This message was posted by a user wishing to remain anonymous
You bring up such a good point. Because the FedNow service is an elective, specific service (cash settlement), yes, it should be treated as a third party. That means full due diligence and all. In my quick research, I couldn't find any substantial cybersecurity information either. You'll have to keep us posted if you are able to actually obtain evidence of those controls.
However, regarding a regulator that is operating in its typical oversight capacity I still maintain that there is little an organization can/should do regarding TPRM.
I am curious if other members have experience with products or services offered by the Fed and how they conducted due diligence.
Original Message:
Sent: 9/20/2023 12:40:00 PM
From: Hilary Jewhurst
Subject: RE: Performance Monitoring for Industry Regulator
Our external ACH audit firm recently asked about due diligence on Fedwire. I almost want to lump them in with the utility providers, since you really do not have a choice if you want to send wires. You could use a correspondent, but then the Fed is the fourth party. If the wire system goes down it affects everyone similarly, just like when the power goes out. Doing nothing never seems to be the right answer in TPRM, so we reached out to our Fed rep and received the following:
On vendor due diligence, yes, we do, as follows.
The Fed does not use contracts, but rather service agreements. Financial institutions can modify, add, or cancel services at any time and the Fed's Service Fees (frbservices.org) are openly published. Further, when institutions are using Fed services, they are generally agreeing to abide by various Operating Circulars (frbservices.org) applicable to the services (agreement for use vs. contracts).
To support our role as a vendor, and your vendor due diligence needs, the Federal Reserve has placed some documentation behind the secured FedLine login, accessible to your FedLine End User Authorization Contacts (EUACs). We've found this information meets the needs of thousands of institutions using Federal Reserve services.
To access the documentation, your EUAC, after logging in to the FedLine secure site, can:
This document talks about information security, SOC information (which they will not provide), and BCP. So we will gather this along with the annual FedLine Assurance document each year as our ongoing due diligence.
Jonathan, thank you so much for that. It's extremely helpful!