NCC Group welcomes consultation on US Interagency Guidance for Third Party Risk Management
NCC Group has responded to newly proposed guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) on third-party risk management.
The proposed guidance offers a framework of risk management principles to assist banking organizations in managing the risks associated with third-party relationships. It also makes clear that a banking organization's use of third parties does not diminish its responsibility to adhere to existing guidelines, and that it should be able to use third parties without affecting its operational resilience.
The guidance makes recommendations based on the level of risk, complexity, and size of the organization, as well as the nature of the third-party relationship, and would replace each agency's existing guidance on this topic. The proposed guidance is directed to all banking organizations supervised by the agencies.
We welcome the encouragement within existing guidance for organizations to establish escrow agreements where they purchase software, giving them access to source code and programs under certain conditions.
However, we believe that the regulation should be adapted in line with the changing needs of organizations and expand to instances where banking organizations “develop, purchase, invest in, license and subscribe to” software.
We also argue that there are additional elements of third-party risk management that warrant explicit recognition of the benefit and value of cloud, software and technology escrow agreements – for example, in relation to:
- The continuation of business functions where problems affect third-party operations, such as provisions for transferring data to other third parties;
- Potential end-of-life issues with software programming languages, computer platforms or data storage technologies that may impact operational resilience;
- Means to transition services in a timely manner, including handling of intellectual property.
Daniel Liptrott, General Manager, NCC Group Software Resilience, North America said: “We’re delighted to have the opportunity to respond to this proposed guidance, and commend the agencies’ intent to promote consistency and assist regulated banking organizations in identifying, assessing and managing third party risks.
“We thoroughly hope that once finalized, this guidance will recognize the importance of cloud computing and the availability of cloud resilience solutions, to enable organizations to innovate with confidence and embrace new technologies.
“We fully agree that banking organizations' expanded use of third parties for core banking services, improved functionality of services, and platforms to provide services adds complexity, and requires sound risk management. We therefore hope that this guidance can add stability and reassurance for organizations within this sector.”