NCC Group welcomes consultation on US Interagency Guidance for Third Party Risk Management

NCC Group has responded to newly proposed guidance from The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) on third-party risk management.

The proposed guidance offers a framework of risk management principles to assist banking organizations in managing the risks associated with third-party relationships. The guidance also makes clear that a banking organization's use of third parties does not diminish its responsibility to adhere to existing guidelines, and that it can use third parties without affecting its operational resilience.

The guidance makes recommendations based on the level of risk, complexity, and size of the organization, as well as the nature of the third-party relationship, and would replace each agency's existing guidance on this topic. The proposed guidance is directed to all banking organizations supervised by the agencies.

We welcome the encouragement within existing guidance for organizations to establish escrow agreements where they purchase software, and provide access to source code and programs under certain conditions.

However, we believe that the regulation should be adapted in line with the changing needs of organizations and expand to instances where banking organizations “develop, purchase, invest in, license and subscribe to” software.

We also argue that there are additional elements of third-party risk management that warrant explicit recognition of the benefit and value of cloud, software and technology escrow agreements – for example, in relation to:

  • The continuation of business functions where problems affect third-party operations, such as provisions for transferring data to other third parties;
  • Potential issues regarding end-of-life issues with software programming languages, computer platforms or data storage technologies that may impact operational resilience;
  • Means to transition services in a timely manner, including handling of intellectual property.

Daniel Liptrott, General Manager, NCC Group Software Resilience, North America said: “We’re delighted to have the opportunity to respond to this proposed guidance, and commend the agencies’ intent to promote consistency and assist regulated banking organizations in identifying, assessing and managing third party risks.

“We thoroughly hope that once finalized, this guidance will recognize the importance of cloud computing and the availability of cloud resilience solutions, to enable organizations to innovate with confidence and embrace new technologies.

“We fully agree that banking organizations' expanded use of third parties for core banking services, improved functionality of services, and platforms to provide services adds complexity, and requires sound risk management. We therefore hope that this guidance can add stability and reassurance for organizations within this sector.”
