III.C.8 Third-Party Management
As part of a financial institution's third-party management program, management should ensure that third-party providers effectively provide support by doing the following:
- Negotiating clear and comprehensive contracts with appropriate terms that meet the institution's requirements.
- Ensuring receipt of audited financial statements from third-party providers at least annually.
- Reviewing results of independent audits of IT controls at third-party providers.
- Monitoring the responsiveness of third-party provider's customer service, including client user group support.
Financial institutions increasingly rely on third-party providers and software vendors. Larger or more complex institutions are more likely to have institution-wide third-party management programs that encompass all of these relationships. IT departments can contract with third-party providers for several services, including data processing, software development, equipment maintenance, business continuity, data storage, Internet access, and security management. In smaller or less complex institutions with less formal third-party management programs, the procurement of third-party services should be reviewed by institution staff familiar with the operational, financial, security, and compliance requirements for such relationships. The oversight of the relationship should be performed by staff with knowledge of the services provided.
The board of directors should hold senior management responsible for ensuring appropriate oversight of third-party relationships. Technology needed to support business objectives is often a critical factor in deciding to outsource. Managing such relationships is not just a technology issue; it is an enterprise-wide governance issue. An effective third-party management program should provide the framework for management to identify, measure, mitigate, monitor, and report risks associated with the use of third-party providers. Management should develop and implement enterprise-wide policies and procedures to govern the third-party management program, including establishing objectives and strategies, selecting a provider, negotiating the contract, and monitoring the outsourced relationship.
Management should evaluate the quality of service, control environment, and financial condition of the third parties providing the institution with critical IT services. Third parties can include financial institution affiliates, other financial institutions, and third-party service providers. As appropriate, these third parties should support the responsibilities of their financial institution clients to adhere to all applicable laws, regulations, and supervisory guidance. Financial institution management should expect third-party support at a level consistent with the criticality of the services provided to the institution. Refer to the IT Handbook's "Outsourcing Technology Services" booklet for more information.
When financial institution management contracts with third-party providers for some or all IT services, it should ensure that controls over outsourced activities provide the institution with the same level of assurance as controls over those activities performed in-house. Management should also consider additional oversight or controls over third-party providers that operate in foreign locations. Management should have mitigation strategies that address risks related to foreign-based third-party providers, if applicable. In the event that the financial institution locates any of its own operations offshore and develops third-party relationships at those locations, specific risk mitigation plans should be considered to address related foreign-based third-party risks.
Management should address exposures from third-party risks through an effective third-party management program. Some factors that management should consider or address include the following:
- Assessing whether each third-party relationship supports the institution's overall objectives and strategic plans.
- Evaluating prospective third-party providers based on the scope and importance of the services they provide.
- Tailoring the institution's third-party management program based on an initial and ongoing risk assessment of the institution's third parties and the services they provide.
The time and resources devoted to managing third-party relationships effectively depend on several factors, such as the critical nature of outsourced processes, staff knowledge, and complexity of systems. Refer to the IT Handbook's "Outsourcing Technology Services" booklet for more information. Additionally, some agencies have specific guidance on third-party relationships and managing third-party relationship risk. "Third Party Risk: Guidance for Managing Third Party Risk," FDIC FIL-44-2008, June 6, 2008; OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," October 30, 2013; Federal Reserve Board Supervision and Regulation Letter 13-19 "Guidance on Managing Outsourcing Risk," December 5, 2013.
Refer to the IT Handbook's "Audit" booklet for more information on independent reviews of third-party providers and to the "Business Continuity Planning" booklet, appendix J, "Strengthening the Resilience of Outsourced Technology Services," for guidance focusing on cyber resilience.
III.D Monitoring and Reporting