The Office of the Comptroller of the Currency (OCC) recently assessed a $60 million civil money penalty for a bank's failure to exercise proper oversight of the 2016 decommissioning of two U.S. wealth management business data centers.
Among other things, the bank failed to:
- Effectively assess or address risks associated with decommissioning its hardware
- Adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance
- Maintain appropriate inventory of customer data stored on the decommissioned hardware devices
In 2019, the bank experienced similar vendor management control deficiencies in connection with decommissioning other network devices that stored customer data. The OCC found the noted deficiencies constitute unsafe or unsound practices that resulted in noncompliance with 12 CFR Part 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards."
Regulatory Focus on Third-Party Risk
The OCC, the Securities and Exchange Commission (SEC), and other regulatory agencies are continuing to focus attention on third-party risk management and increasing the penalties for program deficiencies. The agencies are demonstrating a lower tolerance for insufficient programs to control and manage these critical risk areas.
The Department of Justice (DOJ) has also recently released updated prosecution guidelines related to corporate compliance programs, which include significant references to third-party risk management, noting the need for robust programs that effectively manage risk throughout the lifecycle and not just through upfront due diligence. The DOJ guidance directs prosecutors to examine whether firms are documenting the business rationale for engaging third parties and whether they are assessing the risk of the relationship, including determining whether the third party has any relationships with foreign officials. The DOJ guidance also stresses the importance of documenting and maintaining a comprehensive set of processes and controls that support the ongoing monitoring of third parties, which includes proper termination of services.
Firms are continuing to expand the use of third-party services, and these arrangements continue to grow in complexity. There is a rising need for robust and effective third-party risk management programs. The following outlines best practices to consider for your program.
- Planning: Ensure the firm has a documented and consistent process to assess the need for third-party relationships prior to contracting. Is the service and provider aligned to your strategic plans? Are they able to support the service to the levels the firm requires? How will the firm transition the service in the event of a failure?
- Due Diligence: Categorize third-party services in tiers by risk so it is easier to target higher-risk services for deeper inspection and to increase ongoing monitoring and governance activities. Conduct risk-based assessments of third parties to validate the presence of effective controls to manage risks in the cybersecurity, business continuity, technology management, privacy, financial, reputational, and other domains as needed.
- Contracting: Develop strong contracts with key clauses such as the “right to audit,” performance/SLA expectations, data protection and data breach notification requirements, insurance and liability limits, and language to enforce remediation of control deficiencies identified in the due diligence process. Requiring notification of the use of subcontractors (fourth parties) and restricting changes of subcontractors without written approval are also important clauses to include in the contract.
- Ongoing Monitoring: Define ongoing due diligence review cadences based on risk tier, establish performance/SLA tracking and reporting requirements for service owners and regular checkpoints with third parties, and identify and evaluate operational issues during service delivery. Data management activities, including data flow diagrams and data protection controls, should be established to limit access to sensitive information.
- Termination: Document exit/transition plans for critical services, and establish requirements for asset retrieval (physical and virtual), including data destruction or retention plans. Implement controls to ensure the effective termination of user IDs and physical access to facilities.
- Governance and Reporting: Establish appropriate levels of governance, e.g., require board or executive management review and approval of services that are critical to the firm. Provide transparent reporting that highlights areas of risk in the third-party portfolio and the steps taken to remediate issues or transition services.
How We Help
ACA can provide expert resources to guide the development and implementation of a third-party risk program for your firm. We also provide due diligence outsourcing services to reduce the internal resource needs when executing this key component of the program.
ACA also provides bank asset management groups engaged in trust, custody, and investment management activities with risk, compliance and internal audit consulting services leveraging techniques used by banking regulators and industry leaders. Our consultants have expertise at all levels of the firm including prior regulatory experience at agencies like the OCC, DOL and SEC.
For More Information
For more information about this penalty, or to find out more about ACA's services, please reach out to your regular consultant or contact us here.