Validate policies and procedures. A third party does not need to be part of the bank’s information technology (IT) environment to comply with the bank’s information security policies and procedures. However, for organizations such as the Federal Financial Institutions Examination Council (FFIEC), compliance with bank policies and procedures is mandatory, and failure to comply with the FFIEC’s rule on the management of third-party risks may result in the bank being denied the ability to contract with the third party.
Limit outsourcing choices to those deemed appropriate. Banks should limit outsourcing relationships to those deemed appropriate, to avoid creating an extensive diversification of risk. For example, banks should avoid entering into leasing arrangements that may put both the leasing company and the bank at risk. In addition, no bank should outsource an entire service, or a significant portion of a service such as personnel services, without considering the consequences.
All relationships with third parties should be established and controlled from a “you” perspective. These relationships should be clearly defined and documented, with responsibilities assigned, particularly as they relate to specific activities. Additionally, include clear procedures to obtain and consider information about the third party’s physical, financial, or operational performance, and clearly define the roles and responsibilities of the bank with respect to each activity.
Develop an effective monitoring and reporting system. Banks should develop an effective monitoring and reporting system to ensure that third parties are meeting their contractual obligations. This includes regular access to accounts receivable data. Make sure that the reporting system is aligned with the bank’s risk appetite and the bank’s overall remit. A bank should review its reporting system at least annually in order to stay current with changes at the third party.
The bank should designate a senior management team member to serve as the primary individual who will manage any third-party relationships involving critical activities. The senior manager must have appropriate authority, and the bank should ensure that he or she is responsible for overseeing, monitoring, and reviewing such relationships in accordance with the bank’s third-party risk management program. The bank must ensure that it does not place any restrictions on, or control the activities of, any individual with primary responsibility for managing third-party relationships involving critical activities.
The bank should ensure that the contract stipulates the following conditions for each third party:
- The bank is in charge of design and modification work on controls, procedures, information technology assets, and general internal control.
- The bank is in charge of the design of the preventative and corrective action procedures in place to detect a third-party breach of confidentiality and integrity, address breaches in a timely and appropriate manner, and notify the bank about breaches.
- The bank is in charge of preparing the budget for risk management, including budgeting for audits and reviews.
- The bank is responsible for writing audit and review policies and procedures to address requirements, including performance measures and the treatment of particular situations.
- The bank is also responsible for monitoring the effectiveness of management controls and for assessing the adequacy of written policies and procedures.
- Any subcontractor providing IT services for the bank should be certified in accordance with relevant regulatory requirements.
- The bank is responsible for designating, and monitoring the performance of, the company that performs the subcontract.
- The third party must report all third-party breaches of confidentiality and integrity promptly to the bank.
- The bank is responsible for reviewing and approving information security policies and procedures, updating them as appropriate, ensuring that the third party has adequate technical controls in place to prevent unauthorized access to the bank’s resources, and monitoring the effectiveness of such technical controls, the third party’s business risk management and internal control environment, and the third party’s data and information security program.
- If, after performance of the services, the bank determines that the third party is not complying with applicable laws, regulations, or the contract, the bank will consider making adjustments in the scope or type of the services to align with the bank’s business risk.
The bank should independently review the third party’s financial condition and integrity, and the scope, availability, and scalability of its information systems. Upon completion of any contract, the third party and any subcontractors must demonstrate to the bank that they possess the requisite financial capability to perform. The bank should also evaluate the third party’s ability to maintain the confidentiality of customer, employee, and proprietary information, provided the third party is required to maintain such confidentiality under contract. If the third party is required to meet enhanced physical security standards or other security requirements specified by the bank, the contract should stipulate that the third party will provide a detailed description of its security program and review process, including the technical controls in place to protect bank customers’ personal information. The bank should ensure that these controls include technical, physical, personnel, and administrative controls, and that the third party has an adequate program to protect sensitive information against loss, misuse, alteration, or unauthorized disclosure.