In our video on Monday, we provided a high-level summary of the expectations for ongoing monitoring contained in the new guidance. It is important that banking organizations understand these expectations, so let’s take a closer look.
The guidance states that effective third-party risk management includes ongoing monitoring throughout the duration of a third-party relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party. Such ongoing monitoring allows the banking organization to:
- Confirm the quality and sustainability of a third party’s controls and its ability to meet its contractual obligations,
- Escalate significant issues or concerns, such as material or repeat audit findings, financial deterioration, security breaches, data loss, compliance lapses, and other indicators of increased risk, and
- Respond to any identified issues or concerns.
Additionally, the guidance explains that ongoing monitoring may be conducted on a periodic or continuous basis, and that more comprehensive or frequent monitoring is appropriate when a third-party relationship supports higher-risk activities, including critical activities. Because both the level and types of risk may change over the lifetime of a third-party relationship, banking organizations may adapt their ongoing monitoring practices accordingly, including changes to the frequency or type of information used in such monitoring.
In conducting their monitoring, banking organizations should consider the following factors:
- The overall effectiveness of the third-party relationship, including its consistency with the banking organization’s strategic goals, business objectives, risk appetite, risk profile, and broader corporate policies,
- Changes to the third party’s business strategy and its agreements with other entities that may pose new or increased risks or impact the third party’s ability to meet contractual obligations,
- Changes in the third party’s financial condition, including its financial obligations to others,
- Changes to, or lapses in, the third party’s insurance coverage,
- Relevant audits, testing results, and other reports that address whether the third party remains capable of managing risks and meeting contractual obligations and regulatory requirements,
- The third party’s ongoing compliance with applicable laws and regulations and its performance as measured against contractual obligations,
- Changes in the third party’s key personnel involved in the activity,
- The third party’s reliance on, exposure to, and use of subcontractors, the location of subcontractors (and any related data), and the third party’s own risk management processes for monitoring subcontractors,
- Training provided to employees of the banking organization and the third party,
- The third party’s response to changing threats, new vulnerabilities, and incidents impacting the activity, including any resulting adjustments to the third party’s operations or controls,
- The third party’s ability to maintain the confidentiality, availability, and integrity of the banking organization’s systems, information, and data, as well as customer data, where applicable,
- The third party’s response to incidents, business continuity and resumption plans, and testing results to evaluate the third party’s ability to respond to and recover from service disruptions or degradations,
- Factors and conditions external to the third party that could affect its performance and its financial and operational standing, such as changing laws, regulations, and economic conditions, and
- The volume, nature, and trends of customer inquiries and complaints, the adequacy of the third party’s responses (if responsible for handling customer inquiries or complaints), and any resulting remediation.
It is important that banking organizations act now to ensure their third-party risk management programs align with the new guidance. In our next post, we will look at tools and best practices to help banking organizations do this.