On October 15, 2021, the OCC released its 2022 Bank Supervision Operating Plan that instructed OCC examiners to determine whether banks are providing oversight of their significant third party relationships.
In relevant part, the OCC’s Bank Supervision Operating Plan for 2022 says: “Third parties and related concentrations: Examiners should determine whether banks are providing proper oversight of their significant third-party relationships, including partnerships. Examiners should identify where those relationships are critical to bank operations and understand whether they represent significant concentrations or impact resiliency. Examiners should also be aware of the cyber-related risks emanating from third parties and evaluate the bank assessments of the third party’s cybersecurity risk management and resilience capabilities.”
It was no surprise that the OCC set a regulatory priority around third party risk management. In January, the OCC, Fed, and FDIC released proposed regulations that require third parties to give immediate notice of qualifying business disruptions and cybersecurity events. https://www.federalregister.gov/documents/2021/01/12/2020-28498/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank. Then in October, the OCC, Fed, and FDIC released proposed guidance that updates regulators’ advice and expectations when banks contract with third party service providers to provide products and services to banks and indirectly to banks’ customers. https://www.federalregister.gov/documents/2021/07/19/2021-15308/proposed-interagency-guidance-on-third-party-relationships-risk-management
“The regulators have built the case that banks should understand and mitigate the risks of outsourcing. They are in the midst of communicating their expectations of how banks should deal with these risks and will back those expectations with examinations around these important issues,” said Jim Freis, Chairman and Chief Strategy Officer of CRINDATA.
About Jim Freis:
Jim has devoted his career to promoting the integrity of the global financial markets. He is best known in the United States as the longest-serving Director (2007 to 2012) of the United States Treasury Department’s Financial Crimes Enforcement Network (FinCEN), overseeing regulations covering the broadest range of financial institutions in coordination with their primary licensing authorities, and for applying data-driven efforts to combat fraud exposed through the Global Financial Crisis. After FinCEN, Jim was based in Frankfurt, Germany with the Deutsche Börse Group, Europe’s largest provider of systemically significant financial market infrastructures, responsible for overseeing compliance and relations with global regulators including in the implementation of a holistic internal control system approach among Risk, Compliance, Information Security and Outsourcing oversight functions.
About CRINDATA:
CRINDATA, LLC (www.CRINDATA.com) offers unique cloud-based solutions to financial institutions that must actively manage their critical third-party relationships (including their indirect relationships with subcontractors) and must prepare for and mitigate business disruptions and cybersecurity events originating anywhere in the chain of service providers and subcontractors. Concurrently, CRINDATA helps third party service providers, such as core systems, payments providers, transaction monitoring solutions, banker’s banks, and corporate credit unions, by substantially simplifying the due diligence interactions with financial service companies and by providing a compliant, common platform to manage business disruptions and cybersecurity events when they occur.
Reach CRINDATA at info@crindata.com
202.990.6990