Banking regulators may make their requirements governing banks’ use of vendors for services and products a little easier if proposed risk management guidance is approved.
The guidance “harmonizes” Vendor Management requirements among the Federal Reserve Board (Board), Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC). Currently all three regulators have their own requirements for Vendor Management.
“While existing agency guidance materials generally address similar issues, there is divergence in the approach and focus of each agency, which often creates confusion and difficulties for vendors and FinTechs working with multiple banks,” reports JDSupra. “The agencies are using the OCC’s risk management guidance as the baseline to create a single, harmonized guidance document that will be applicable to all insured depository institutions (except credit unions).”
The National Credit Union Administration didn’t join the other three regulatory agencies in the proposal, so the guidance doesn’t apply to credit unions.
The proposed alignment starts with the OCC’s requirements but also adds updates to the eight-year-old regulations. It also suggests that a bank’s risk management procedures apply to all its vendor relationships, from its janitorial service to law firms, with the aim of allowing the level of management to be proportional to the risk of each vendor relationship.
The proposal also includes measures to assess a vendor’s data security posture, including whether the third party uses multi-factor authentication, end-to-end encryption, and secured source code management, as well as the vendor’s ability to remain up to date in technology for long-term viability.
The full proposal can be found on the Federal Register here. The proposal is in a public comment period which closes Sept. 17, 2021.
If your firm works with banks and you’d like an assessment of whether this proposal will impact your relationship with them, contact us.