
What the Recent OCC Bulletin Means For Your Risk Management Program

The Office of the Comptroller of the Currency recently produced a supplemental “Frequently Asked Questions” to Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance”, which was originally issued October 30, 2013. This bulletin provides guidance to banks for assessing and, more broadly, managing the risks associated with third-party relationships. The FAQs stress the importance of a sound risk management program and how banks can operationalize their assessment of third-party risk.

The OCC Bulletin 2013-29 defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Neither a written contract nor monetary exchange is necessary to establish a business arrangement. All that is necessary is an agreement between the bank and the third party. Once a business arrangement has been established, a bank should adopt risk management processes commensurate with the level of risk and complexity of the third-party relationships. This will require a bank to measure the risk of each of its business arrangements, and plan accordingly.  

The OCC requires an effective third-party risk management program that addresses the following:

Planning – develop a plan to manage the relationship. When critical activities are involved, this is required;

Due Diligence – conduct a thorough due diligence review prior to signing a contract;

Contract Negotiation – develop a contract that clearly defines the expectations and responsibilities of the third party; review the enforceability, limitations of liability and provisions addressing disputes about performance;

Termination – develop a contingency plan in the event the third party does not deliver. This analysis should consider the process to transition to another third party, bring the service in-house, or discontinue the service altogether;

Oversight and Accountability – a third-party risk management program should be integrated with the broader enterprise risk management framework;

Independent Reviews – management reviews of the effectiveness of the risk management process allow for overall assessments of whether the process aligns with the bank’s business objectives and strategy.

Practically speaking, bank management is often limited in its ability to conduct the type of due diligence, contract negotiation, and ongoing monitoring that it normally would, despite the critical nature of the service being provided. This could be for any number of reasons: the third party does not allow the bank to negotiate changes to its standard contract; as a matter of policy, it does not share its disaster recovery and business continuity plans; or, more commonly, it does not respond to the bank’s due diligence questionnaire. In these circumstances, bank management still needs to take steps to manage the risks presented. Despite these limits, a bank should perform a “sound analysis” to support the decision that the third party is still the most appropriate provider available, and maintain supporting documentation to demonstrate that analysis. The OCC Bulletin 2013-29 (October 2013) outlines the following suggested due diligence attributes a bank should incorporate: strategies and goals, legal and regulatory compliance, financial condition, business experience and reputation, fee structures, personnel qualifications, internal risk management, information security, IT operational management, resilience and incident reporting, physical security, HR management, reliance on sub-service providers, insurance coverages, and conflicting contractual arrangements with other parties. Additional suggested attributes to be included in contracts are also outlined in the 2013-29 Bulletin.

The risk management function may sit in different places depending on the bank and how it structures its risk management function. There is no one-size-fits-all approach. Regardless of the structure, the various business lines within the bank can provide valuable input into the third-party risk management process. They may, for example, complete risk assessments as they pertain to their function, review the due diligence questionnaires received from third-party entities, and ultimately provide feedback on the adequacy of the controls over the third-party relationship.

The recent release of FAQs provides a significant amount of information for an organization on its journey toward managing third-party risk. The complexity of the third-party relationship with a bank, the type of data handled, and the overall risk presented are just a few of the attributes to be considered when evaluating the level of due diligence and ongoing monitoring to be applied. For additional information and guidance on third-party risk management, you can contact Beckage attorneys and risk professionals.

Our team includes nationally-recognized leaders in data breach response and cybersecurity and privacy law, as well as former federal regulators, former in-house counsels of international companies, tech entrepreneurs, business owners and public-company executives. Our lawyers and technology specialists help you grow your business and achieve strategic objectives, adapt to new technologies and regulations, identify and reduce risk, and manage the response to data breaches, cybersecurity incidents, privacy matters and other crises.

*Attorney Advertising: Prior Results Do Not Guarantee a Similar Outcome


The Importance of an Incident Response Plan

As recent news headlines confirm, data breaches continue to be a threat to companies regardless of size. From reputational harm and disruption to your daily business, to significant monetary penalties and litigation, the potential consequences of a data breach are significant. It is more important than ever that companies evaluate their cybersecurity readiness plan, from policies and procedures to privacy concerns under the GDPR, to ensure they are ready if a breach occurs. While there is no one-size-fits-all approach to preventing data breaches, there are many best practices companies can employ to help minimize the risk of being breached. From regularly conducting risk assessments and inventorying the data that you collect to developing and testing your incident response plan, preparation is the name of the game. One component of your data security program, an Incident Response Plan, is an important step you should have in place to help mitigate and contain an incident if one occurs.

What is an Incident Response Plan?

An Incident Response Plan sets forth the company’s procedure for identifying, reporting and responding to an incident should one occur. It ensures that everyone is on the same page if a data breach happens. At a minimum, here are some key elements that an Incident Response Plan should include:

1) Define the policy scope and definitions.

2) Identify Incident Response Team members and outline roles for each.

3) Outline procedures for identifying, reporting and responding to an incident.

4) Set forth the legal obligations for reporting and notice to potentially impacted persons.

5) Identify how often the Incident Response Plan will be reviewed and updated.

6) Establish post-incident analysis procedures.

Developing an Incident Response Plan is not the end of the road, however. Your Incident Response Plan is a living and breathing document, and the best way to know if it actually works is to test it consistently. The plan must be tested through simulated cyber incidents that force your company to work through its procedures, with gaps fixed and improvements made. Simulated incidents with counsel are ideal to help identify legal risks along the way and help put the company in a legally defensible position.

It is very important to have your Incident Response Plan reviewed by Legal Counsel to ensure it satisfies your legal obligations under various state, federal and international laws. Beckage attorneys are fully equipped to help you navigate this process and help reduce your risk and exposure should a data breach occur.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.