NCC Group has responded to newly proposed guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) on third-party risk management.

The proposed guidance offers a framework of risk management principles to assist banking organisations in managing the risks associated with third-party relationships. The guidance also ensures that a banking organisation's use of third parties does not diminish its responsibility to adhere to existing guidelines, and that it can use third parties without affecting operational resilience.

The guidance makes recommendations based on the level of risk, complexity, and size of the organisation, as well as the nature of the third-party relationship, and would replace each agency's existing guidance on this topic. The proposed guidance is directed to all banking organisations supervised by the agencies.

We welcome the encouragement within existing guidance for organisations to establish escrow agreements where they purchase software, and provide access to source code and programmes under certain conditions.

However, we believe that the regulation should be adapted in line with the changing needs of organisations and expanded to cover instances where banking organisations "develop, purchase, invest in, license and subscribe to" software.

We also argue that there are additional elements of third-party risk management that warrant explicit recognition of the benefit and value of cloud, software and technology escrow agreements - for example, in relation to:

  • The continuation of business functions where problems affect third-party operations, such as provisions for transferring data to other third parties;
  • Potential end-of-life issues with software programming languages, computer platforms or data storage technologies that may impact operational resilience;
  • Means to transition services in a timely manner, including handling of intellectual property.

Daniel Liptrott, General Manager, NCC Group Software Resilience, North America, said: "We're delighted to have the opportunity to respond to this proposed guidance, and commend the agencies' intent to promote consistency and assist regulated banking organisations in identifying, assessing and managing third-party risks.

"We thoroughly hope that once finalised, this guidance will recognise the importance of cloud computing and the availability of cloud resilience solutions, to enable organisations to innovate with confidence and embrace new technologies.

"We fully agree that banking organisations' expanded use of third parties for core banking services, improved functionality of services, and platforms to provide services adds complexity, and requires sound risk management. We therefore hope that this guidance can add stability and reassurance for organisations within this sector."

Disclaimer

NCC Group plc published this content on 20 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 20 September 2021 20:41:09 UTC.