Prepare Your TPRM Program for the New SEC Cybersecurity Disclosure Rules
Description
The U.S. Securities and Exchange Commission has proposed new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and third-party incident reporting by public companies.
Join Joseph Martinez, retired Managing Director and Chief Procurement Officer of BNY Mellon, as he examines these new rules and how they can impact your third-party risk management (TPRM) program.
In this webinar, Joseph will:
- Define the proposed updates to the SEC Cybersecurity Rules
- Uncover important third-party considerations in the proposed amendments
- Identify critical third-party risk management capabilities that address the requirements
Register for this webinar for strategies to prepare your organization’s TPRM program for the upcoming SEC requirements.
Speakers

Joseph Martinez
Retired Managing Director and Chief Procurement Officer of BNY Mellon
Transcript
Ashley: Uh, also can’t forget about some introductions. My name is Ashley. I work in business development over here at Prevalent. And today we are joined with some very special guests. Uh, retired chief privacy officer, Joseph Martinez. Hi, Joseph.
Joseph Martinez: Procurement.
Ashley: Oh, procurement. I’m so sorry. Um, chief procurement officer. And our very own VP of product marketing, Scott Lang. Hey, Scott.
Scott Lang: Hey, Ashley.
Ashley: Uh, just a little bit of housekeeping. This webinar is being recorded and we will be sending out the recording along with the presentation slides shortly after the webinar. Uh, you’re all currently muted, but we do encourage participation. So, please put any questions that you may have in our Q&A box so we can go over them at the end of the webinar. Uh, today, Joseph will be going over the US financial interagency guidance for third-party relations. So, Joseph, I’ll go ahead and hand the reins over to you and let you get started.
Joseph Martinez: Thank you. Thank you very much. You know, I want to start by thanking Prevalent and the Prevalent team for inviting me to speak with you today on this long awaited and much anticipated uh topic. You know, this is crucial to all of us that are in financial services and we’ve all been anticipating the release of the final interagency guidance on third-party relationships uh for about two years now. I think it was in July of 2021 when they were first published for um for comment. That comment period got extended and finally, you know, lo and behold, over two years later, here we are. So, let’s just say that, you know, many of us, myself included, were diligently checking the Federal Register, you know, often in anticipation of the issuance of this final guideline. So, um, you know, let’s go ahead and get started. So, when we take a look at the agenda here, you know, we have a lot to cover today. And, you know, uh, when you look at the guidance, the guidance is close to 70 pages, right? And I want to leave time to answer your questions, but if we cannot get to all of your questions in this session, we’re going to be conducting a second uh, part two session in the next few weeks to ensure that, you know, we’re providing you with all the information that you need uh in your program development, because the changes to be in compliance with the uh final interagency guidelines for third-party risk management um you know are pretty crucial, and so it’s really important that we kind of get some deep dive. Um typically I’m not somebody who likes to have a lot of graphics but what you’re going to find is there’s going to be a lot of, I mean, I like to have a lot of graphics and a lot of narrative, but in this case, I’ve had to actually have a lot of narrative for your education so that we can make sure that we’re going through the guidelines appropriately.
So, we really want to cover four areas. One is to provide an overview of the US financial interagency guidance. Uh, the second is to define the stages of the third-party life cycle as defined by the Board, the FDIC, and the OCC. Uh, and then we also want to examine the requirements that organizations are going to need to address at each stage in that life cycle, and then recognize the best practices uh that not just financial services but all industries can kind of follow. So if we could get to the next slide. Next slide, please. I still see the agenda. I’m not sure the rest of you are seeing that. So, Scott, uh,
Scott Lang: No, I’m on the, uh, I’m on the agencies involved slide with the three logos for the Fed, the FDIC, and the OCC. Are you not seeing that?
Joseph Martinez: One more slide please. There we go. So, you know, let’s start with an explanation. Agencies are involved. Okay. So, the Board, the FDIC. No, that’s the right slide. Now, it just took a while; they decided that they really wanted to kind of come together and wanted to really think through how to actually align in terms of what their guidance was going to be. And you know, when we think about it, they’re looking at it from slightly different lenses. So the Board of Governors uh of the Federal Reserve Board um you know, they’re responsible for regulating and supervising bank holding companies uh and foreign banking organizations operating in the United States. So they have their constituencies. The FDIC, or the Federal Deposit Insurance Corporation, they’re providing deposit insurance for banks uh and promoting sound um banking practices. Now um when we think about this, they oversee um state-chartered banks, okay? That are not members of the Federal Reserve System, and they act as the primary uh federal regulator for many community banks, right? And then we have the OCC, which is the Office of the Comptroller of the Currency. And this is an independent bureau within the US Department of the Treasury and it’s regulating national banks and federal savings associations. So all of these kind of play with each other, and so it really made a lot of sense for them to come together and think through how they’re actually going to have guidance that is going to be uh consistent as opposed to having slightly different nuances as they were going through that. So if we could get to the next slide, please. So, the final uh um guidance, you know, from the agencies, and we’re going to refer to them as the agencies, uh they issued the guidance to promote, you know, um sound third-party risk management practices.
Now again the final guidance offers views on risk management principles uh for banks when developing and implementing risk management practices at all stages in the life cycle of third-party relationships. Now this final uh guidance also states that sound third-party risk management takes into account the level of risk, complexity, and the size of the banking organization and the nature of the third-party relationship. Now, that’s pretty critical because taking into account the size of the banking organization is really going to be helpful in terms of how they’re actually complying with what’s going on. So, the agencies issued this joint guidance to promote consistency in their supervisory approaches and it’s replacing each agency’s existing general guidelines on the topic and it’s directed at all banks that are supervised by all of these agencies. So, you know, to be clear, guys, banking organizations use third parties. By using a third party, you’re not removing the responsibility that the bank has in terms of how they’re actually going to be operating. And so, uh, it’s really important that we think about what’s going on there. And, um, you know, again, the use of a third party is not going to diminish or remove the banking organization’s responsibilities to ensure that the activities are performed in a safe and sound manner and in compliance with the applicable laws and regulations. And you know what’s also happening is they are rescinding and replacing all of these guidelines that you see here, the Board’s 2013 guidelines, the FDIC’s 2008 guidelines and the OCC 213-29 uh and the 2020 frequently asked questions. All of those have been rescinded and now, uh, as of the 6th of June, uh the final um interagency guidelines have been posted. So we’re a little over a month into this, which is good, and this is why it’s so timely for us to kind of have this conversation. We could go to the next slide.
Ashley: Hey Joseph, Ashley here. Um
Joseph Martinez: So you know the agencies uh issued the joint guidelines to promote consistency in terms of their approach. So this guidance is, you know, it’s addressing the key principles which banks can leverage when developing and implementing the risk management processes and these units really
Ashley: Hey, Joseph, do you mind turning your camera off? It looks like your signal is a little spotty. Can you guys hear me?
Joseph Martinez: I apologize. Technical difficulties.
Joseph Martinez: Let’s try um doing it with the camera off and maybe it’ll fix the uh quality. Hopefully that’s Yeah, I have plenty of bandwidth. I’m actually on a very fast generousness, so I’m not sure what’s going on, but uh let’s go ahead and um continue. Right. When we look at this, you know, the guidance is really kind of taking into account what companies need to, that banks need to be following. And you know, you need to understand that it’s guidance. It’s really not necessarily a law that’s coming into place. And so, you know, um also, if you’re using a third party, your responsibility as a bank is not being removed. You still have that requirement to be able to ensure that what you’re doing is actually, you know, consistent with what we’re looking at. If we could go to the next slide. So, you know, when we’re looking at the guidance that it’s addressing, it’s really looking at, you know, how banking organizations may form the third-party relationships. And, you know, we all know that there’s a whole bunch of new types of suppliers that are coming up and new types of firms that the banks are starting to work with in the fintech areas. Right? So, it’s important for us to kind of think through what’s going on. And that second bullet point is really, really important, where, you know, a third-party relationship exists despite the lack of a contract or remuneration. That is something that is really, I think, important for us to be thinking about because of the way things are being, uh, historically we were taking a look at it from a contract perspective. We were looking at it in terms of what that third party is. Now, we’re really looking at it, I think, in a slightly broader avenue. And I think that the principles that they’re setting forth are really important for us to think about.
So, um again, you know, a bank can be exposed to adverse uh impacts including substantial financial loss and operational disruption if it fails to appropriately manage the risks associated with the third parties. And so, this is why this guidance is so important. So, you know, it’s important for the bank to identify, assess, monitor, and control the risk related to the third party.
Joseph Martinez: relationships. So this is something that is, you know, a key principle that is being set forth uh in order for us to be able to kind of think through. If we could go to the next slide, please. So again, not all relationships uh present the same level of risk, right? So the agencies have clarified and streamlined the guidance and they’ve removed details that were duplicative, in some instances not useful, or that could be interpreted as being overly prescriptive, right? And so by doing this, they’re wanting us to kind of think through, you know, and think, you know, an activity that is critical to one banking organization may not be critical to the other. And this goes back to where I earlier said, you know, they’re taking into consideration the size of the bank. And so now they’re not looking with one lens on everybody. They’re looking at it based on what is appropriate for your organization. And so it’s really important that we think through uh what’s happening there. And again, it’s up to each banking organization to identify its critical activities and its third-party relationships uh that support those critical activities, because it’s going to be different based on the risk appetite, the risk methodology that is being employed by that bank. And so I think it’s a good clarification point that we needed to kind of look through. And if we could go to the next slide. So the agencies also wanted to reiterate that the guidance was created, it’s principles-based, right? So when they say the guidance was created on a principles basis, what they mean is that the guidance is based on a set of fundamental norms, rules or values that provide a framework for decision-making and actions. So instead of giving detailed prescriptive rules and instructions, the regulators are kind of laying down a set of principles that the organizations must adhere to, right?
Joseph Martinez: And so again, when we take a look at these, these are high-level views in terms of what they’re talking about, but you know, the agencies are really trying to say, okay, you guys got to support a risk-based approach to your banking organizations to assess the risk posed by your third parties, and then you got to tailor your third-party management process accordingly so that what you’re doing is you’re actually putting this in the right context for what you’re doing, and it’s almost like solving a Rubik’s cube, right? So it’s important to involve staff with the requisite knowledge and skills in each stage of the management of this life cycle. So what they’re telling you to do is you need to really involve the experts across multiple disciplines in your organization, you know, whether that’s legal counsel, whether it’s uh you know looking at having risk, compliance, you know, the CISO out of technology, etc. So bringing the experts across multiple disciplines I think is really important, and, you know, really kind of to understand that a bank uses third-party assessment services, which is, you know, there are um assessment services out there like TruSight as an example, um that they’re using as a utility. So if your bank is using one of these as a business arrangement, that arrangement should be incorporated into the bank’s uh third-party risk management process. So just because you’re actually outsourcing something doesn’t mean that you don’t need to look at it appropriately through your own lens, right? And so it’s really critical to identify the activities that the third-party relationship supports, and then notably that an activity that is critical for one banking organization may not be critical for another. So all of this is important for us to be thinking about. If we could get to the next slide please. So now we want to talk about defining the stages of the third-party life cycle.
All of us who have been in doing this for more than a year probably understand what that is, but we’re going to go over it now because now there’s an alignment across the agencies in terms of what that is.
Joseph Martinez: So if we could go to the next slide and, you know, when you take a look at this, this is an old slide, but this is actually taken directly from the new guidance. Okay, originally this was published by the OCC. But now it’s been modified and it’s been adapted by the Board, the FDIC and the OCC as the stages of the risk management life cycle. So you know you have planning, due diligence and third-party selection, you have contract negotiation, ongoing monitoring, and obviously, you know, termination at the end of that process. So this means that we now have a standard repeatable process, you know, qualitative and quantitative evaluations, you know, that we have a consistent risk treatment, and we need to right-size our workload to engage the right people at the right time if we’re going to be in compliance with the new regulation. And so uh I’m glad that they actually have kind of come together and they’ve adopted a specific uh view because I think that’s really important for us to kind of think about that. And so why don’t we go ahead and go to the next slide. So you know we want to examine the requirements that the organizations need to address at each stage of the life cycle, and they’ve been very good in terms of providing that guidance. Again, it’s not prescriptive, but believe me, they’re going to come in and they’re going to want to take a look at that. So, as we get to the next slide, let’s start with that whole process of planning. Okay? So, when we start to think about planning, I was very prescriptive in going into the actual regulation and um guidance and actually pulling in the information for you. So, I don’t want to go through every one of these in detail because you are going to get a copy of the deck, but I want you to be able to actually understand that this is what’s actually in that uh document, right?
And so uh so the guidance, you know, it really addresses how you’re going to be thinking about planning and you know what you need to be considering and how you’re going to be managing that.
Joseph Martinez: And so you know when they talk about understanding the strategic purpose of the business arrangement, you know, you need to be understanding how the arrangement aligns with the organization’s overall strategic goals, the objectives, the risk appetite, the risk profile and the broader corporate policies. A lot of information to unpack there, but that’s what they’re trying to get you to kind of think about. You know, they’re wanting you, when you’re identifying and assessing the benefits and the risks associated with the business arrangement, they’re wanting you to determine how appropriately to manage those identified risks. So, it’s not good enough just to identify the risks. You need to either accept them or mitigate them. And so, they’re wanting you to be thinking about that. So, as you’re kind of considering uh the nature of the business arrangement, you know, they want you to be thinking about this holistically and they want you to think about it in terms of where the activity is actually happening, right? Because again, when you take a look at what they’re talking about, they’re wanting you to really think through how you’re actually putting your program in place and the place where the work is actually uh being conducted, and then if there are local or global regulatory requirements that are being pushed on this. So, when you’re seeing on number three when it says consider the nature of the business arrangements such as the volume of activity, use of subcontractors, technology needed, interaction with customers, and the use of foreign-based third parties. That’s new and that’s critical, right? So when they’re talking about foreign-based third parties, they’re referring to third parties who are servicing your operations and are located in a foreign country, offshore, nearshore, right? And are subject to the laws and the jurisdictions of that country.
So this term does not include a US-based subsidiary of a foreign firm, because those are servicing operations that are subject to US laws. So, they’re really wanting you to kind of think through that as to how they’re actually doing that.
Joseph Martinez: And I think that it’s really important. And again, when we look at how we’re evaluating how the third-party relationship could affect the banking organization’s employees, including dual employees, you know, and what transition steps are needed for the bank uh to manage the impacts when the activities currently conducted, you know, currently conducted internally are outsourced, right? So, they want you to be thinking about these things and showing that you have a tangible plan, that you have the right level of training, you have the right level of due diligence on the individual as well as on the service as well as on the company. So, you know, they’re becoming, I think, really good in terms of laying out the framework. Then you need to actually take that framework and translate that into your program. Next slide, please. So, kind of continuing on with this theme in terms of the uh degree of risk and complexity. You know, again, assessing a potential third party’s impact on its customers, right? Well, this is including access to and the use of the customer’s information, third-party interaction with customers, your call centers, etc. Uh, potential for consumer harm and handling of the customer complaints and inquiries. So, they’re wanting you to think about that. It’s, you know, again, a very high-level point, number six, but it requires a lot of um implementation complexity, right? And when we say that we’re understanding the potential information or security implications, right? This is including access to the bank’s systems, right? And to confidential information. And this is real critical, especially with a lot of the data breaches that we’re seeing now, and we’re seeing a lot of those have actually originated in the supply chain as opposed to the actual organization.
So, you know, they’re wanting us to think about that.
Joseph Martinez: Number eight is pretty critical when you think about understanding the potential physical security implications, and this is, you know, they got to think about: are they going to have access to the bank’s facilities, are they going to be coming on site? And I know that this has changed a little bit since uh since COVID, but you know we still have third parties that, in order to be able to produce the goods and services that they’re providing us, have to come on site. Uh, when we take a look as an example at number 10, determining the banking organization’s ability to provide adequate oversight and management of the proposed third-party relationship on an ongoing basis. Well, you know, this is including whether the staffing levels and the expertise or the risk management and the compliance management systems are all adhered to, right? They want to make sure that you have the right level of internal controls for your systems. You know, that you are effectively um addressing the business arrangement that’s been reduced to writing in the contract and that you’re actually monitoring it appropriately. So, again, all of this is part of the planning. You got to be thinking about this before you actually move forward uh if you’re going to be successful in what you’re doing. If we could go to the next slide, please. So, you know, when we think about the due diligence, which, you know, you have planning, then you have the due diligence. Okay, this is uh you know, conducting due diligence on your third parties before selecting and entering into a third-party relationship. It’s an important and, you know, it’s a critical part of sound risk management. Okay. And so, the due diligence process is providing uh the, you know, the bank with the information needed to evaluate whether it can uh appropriately identify, monitor, and control the risks associated with whatever that relationship is that they’re entering into.
And this due diligence includes, you know, assessing the third party’s ability to perform the activity as expected.
Joseph Martinez: You know, adhere to the banking organization’s um you know, policies, um you know, if they’re able to comply with the applicable laws, regulations, conduct activity in a safe and sound manner. It’s taking a look at their financial viability. It’s taking a look at, you know, their SOC profiles etc. So it’s really kind of thinking through, you know, and so the agencies do not believe that it would be appropriate for a bank to conduct reduced due diligence based solely on the third party’s entity type. Uh, there were a lot of comments that were put in during the comment period around that, where based on some of these comments people were wanting to actually say, how do we actually uh potentially reduce the amount of the burden of due diligence based on the type of third-party entity that we were dealing with, and that was really, as you can see, not accepted, right? And so um you know, when you’re taking a look at the guidance, it also states that when assessing the risk of a third-party relationship a bank may consider information available from various sources, right? So they’re telling you, you know, don’t just rely on what you can do internally; take a look at what you have out there. But when you’re looking at things out there, you’ve got to make sure that you’re really understanding, you know, and taking that information. But by taking that outside information, it’s not reducing your uh responsibility as an organization to make sure that you’re really doing the correct level of due diligence, and that the information that you’re bringing in is, you know, really the responsibility of your organization to manage in order for it to be available.
So, you know, the guidance provides that in certain circumstances the banks should consider taking steps to mitigate the risks, or if the risks cannot be mitigated they need to determine whether the residual risks are accepted, which means that you need to have a risk methodology that is sound and that you have the ability to tangibly demonstrate to them that you have control over what you’re doing. So it’s really, I think, um important for us to be thinking as to why the agencies are doing this.
Joseph Martinez: They’re doing this because looking back from 2008 to now there have been a lot of various uh issues with third parties, and so they want to make sure that they’re taking the knowledge that they’ve been able to glean uh over this last, you know, period of time and incorporate it into the guidance, so that what they’re doing is they’re providing a level and a framework that we should be able to then take and operationalize, right? And so I think it’s extremely important for us to be thinking about why we’re doing this and how this is happening. And one of the things that the guidance did was it actually took into consideration some of the concepts that were in the OCC frequently asked questions. Okay. And so they then took those and they tried to actually inculcate them into the different parts, you know, whether it was the planning, the due diligence, etc. Right? And so um you know the guidance um is really something that’s incorporating a lot of those frequently asked questions into the process, so that what you’re doing now is rather than having to go to multiple documents, you have a clear and consistent guideline that is helping you to actually see what’s going on. But at the end of the day, you know, the guidance is emphasizing that it’s the responsibility of the bank to identify and to evaluate the risks associated with each of their third parties and to tailor the risk management practice, you know, again, to the size of the organization, the complexity of the organization, the risk profile that you have and obviously the nature of the third-party relationships that you’re entering into. But the agencies have not excluded any specific third-party relationships from the scope of the guidance. And so that was one of the things that was being asked for, where they were saying, okay, you know, can we exclude bank-to-bank? Can we exclude affiliates, etc.?
They’re saying we are not excluding any specific third-party relationships from the scope of the guidance. If we could go to the next slide, please.
Joseph Martinez: So when you’re looking at due diligence, scope and the degree of the due diligence should be consem identify and document any limitations of its due diligence and understand the risks of such limitations consider alternatives to how they might mitigate that risk including potentially looking at a different source. Right? So, so due diligence does include in assessing the third party ability to perform the activity expected adherence to the banking organization’s policies and related activity and to comply with all applicable laws and regulations and to conduct that activity in a safe and sound manner. I’m I put this in here and I’m reiterating this because again this is coming directly from the guidance and it’s something that all of us who have done third party risk management for more than a day know that this is kind of the core foundation of what you’re doing when you start to look at it from a due diligence perspective. But this is something that they you know, re-emphasized, they’ve reinculcated into what’s going on. And and I think that it’s really important for us to be kind of thinking about how that that that actually works. So, if we could go to the next slide, please. So, when you look at this, there are 14 different areas of focus and due diligence that they’ve that they published. And they they they’ve actually put quite a bit of information beneath each one of these. Now, I put them up here because I think that it’s important for us to kind of think about what was that that they wanted us to think about and and what is the review that we need to go through. And so when you think about this, if your current programs aren’t actually in the due diligence phase addressing each of these 14 areas, you probably are going to have an issue. You’re probably going to get an, you know, an MRA or an MIR, etc. And so, so it’s important for you to be thinking about this and then how to actually implement it, right?
Joseph Martinez: Because when you take a look at each of these things, it’s quite important. If you take a look at, as an example, the uh financial condition which you’ve seen, you know, this is really, you know, an assessment of the third party’s financial uh viability, right? And so taking this information from financial statements or annual reports or, you know, filings with the Securities and Exchange Commission and others, all of these are used to help evaluate the financial capability and the stability of the supplier that you’re working with. And so, you know, there’s a great deal of effort that’s going to need to go in beneath each one of these. And I would encourage you all to kind of go in there and think through how your current program is addressing these. And if it isn’t addressing it in a robust enough manner, I would encourage you to think about how to actually, you know, look at that. And then as you’re looking at the tools that are supporting your program, make sure that you can actually say, okay, how do I track and report with my tool on these areas? Because I think it’s really important for us to be thinking about that, right? Um and some of this is going to be done offline. A lot of this can be done through the tools, but I think it’s really important. I think one of the areas that they’re really emphasizing now is, if you look at number E, the qualifications and backgrounds of the key personnel and other human resources considerations. Broad statement, but what they’re wanting to do is they’re wanting to look at the qualifications and experience of the third party’s principals and other key personnel. So now that’s a double click that they’re asking us to do, right? And so they’re asking us to really look at an in-depth analysis of the um personnel that you’re actually engaging with within that third party, right?
And so, you know, if you’re not doing that today, it’s probably an area that you need to really address, right? And so another consideration is whether the third party has the training to ensure that its employees understand their duties and responsibilities.
Joseph Martinez: And then knowledge about the applicable laws and regulations as they apply to what they’re performing on your part, right? And so I think that we need to be really rethinking this. What we’ve done historically I think has been great. This is actually taking it and double-clicking, and there are some institutions that really have only had a nominal impact from their regulator in terms of what they’ve had to do from the third-party perspective. So a lot of this is going to be really new to them. A lot of this is going to be like, oh my god, how am I going to do the workflow around this? How am I going to be able to tangibly demonstrate that? Well, again, these things are guidelines. These guidelines are again being put out so that what we’re able to do is think through how we can actually, in a very cogent and concise manner, put a program together, and that program is going to have to flow all the way down from the board of each of these organizations. So, you know, there’s a lot of work that’s going on in there when you think about this. And so I would encourage you to think through each one of these areas. Go into the actual guidance, and, you know, it’s important to review and understand what is being asked. And when you’re doing this, you know, what can you use from a technology perspective in order to be able to enable this to be much more, you know, resilient and much easier to use, and make sure that you have the ability to actually comply with what these guidelines are about. So if we could go to the next slide.
So now we move on: we had planning, we went to the due diligence, now we’re going into the contract negotiation, right? And again, if you take a look at it, this is a lot of standard information that they’ve taken from various reviews that they’ve done over the years, from the input that they got from the comments, from the various inspections that they’ve done, and all of this is done to basically help them say, “Okay, these are kind of what we think you need to be thinking about.
Joseph Martinez: Now, we’re going to measure you against it, right?” So, in negotiating a contract, you know, it’s helpful for a bank to clarify and identify the rights and responsibilities of each party, you know, and you’ve got to make sure that you’re actually doing that. So, having a standard MSA is going to be important, or master purchase agreement, etc., right? And making sure that you actually have performance measurement benchmarks in there is going to be important. So, you know, you have to clearly define the performance measures so that you can, you know, really evaluate the performance of the third party. And then this is critical around service level agreements between the bank and the third party, where you really have to be able to show them, you know, these are the measures and the expectations that we have for both parties. And then we need to be able to tangibly demonstrate that we’re including, you know, performance, conformance with policies and procedures, compliance with applicable laws, and these are all flowed down through that process. Later on, when you get to ongoing monitoring, all of this will then be realized. But if you’re not thinking about it and putting it into the contract, it’s going to be difficult for you to be able to get the right level of compliance from your third parties, right, as you’re going through it? So, again, it’s important to consider the contract provisions that specify the third party’s obligation for what it is that you need them to do, when you need them to do it, how you need them to report to you, and then what rights you have as a bank to go in and, you know, monitor their risk, monitor their performance, and address things that they need to be able to provide to you in terms of reports, in terms of data, in terms of access. You know, all of the things that you’re going to need in order to have a successful program.
If you don’t inculcate them into your contract, it’s going to be very difficult for you to be able to do that. And when the regulators come in and they look at that, they’re going to say, “Well, this is interesting.
Joseph Martinez: You’re telling me that you’re doing this, but you can’t show me how you’re actually doing it; you don’t have an audit provision, as an example, within your contract.” So, it’s really important to help, you know, make sure that you’re monitoring this performance, that you’re putting it in writing, that you’re also, you know, including provisions for independent audits that you can have in there, or, if they have subcontractors, that you have the ability to go in and take a look at what they’re doing. So, as you go through all of this, this is really, you know, a lot of information that is going in there. I’ve summarized it up into these bullet points, but behind each of these bullet points, again, there are pages and pages inside the actual regulation. You know, and essentially, you know, where you need to actually go in and understand, you know, when you look at the cost and compensation, right? You know, contracts that clearly describe all costs and compensation arrangements help to reduce misunderstandings and disputes over billings, and help to ensure that all compensation agreements are consistent with sound bank practices and applicable laws. Right? So, you can go on and on in terms of what it is that they want you to think through, but it’s important for you to be looking at these as a quick guideline and say, “Okay, do my contract master templates address these?” And if the answer is no, you probably need to have a conversation about what you’re going to do. But again, don’t just look at it from a superficial perspective. You need to go down deep and understand, you know, what are the guidelines that they’re putting in place, because that’s the minimum expectation that they have relative to what they want you to be thinking about.
And, you know, it’s really important that these provisions are really sound, and again, they’re going to take a look at what was your master agreement and then what was the actual executed agreement.
Joseph Martinez: So they want to take a look at: yeah, you tell me that you had, you know, a subcontracting provision in there, but when I look at the executed agreement, that was actually negotiated away. Okay. So again, this is a team sport. It’s not just incumbent upon the third-party risk management team. It’s not just incumbent upon the business, not just incumbent upon the procurement organization or legal. There are lots of players that need to be actually addressing this to make sure that what we’re doing is really making sure that these contract provisions are being adhered to and are being put into the contracts, and that we’re able to actually then demonstrate them. As we move forward, a key area that they’ll be looking at, and they have for many years (I used to actually run corporate insurance), is insurance; it’s an area that they really want to take a look at, right? And they want to understand, you know, what the requirements are that you’re flowing down to your third parties to maintain the specified types and amounts of insurance, right? And they also want to make sure that, you know, are you being named as an additional insured? And if you’re not, okay, why not, right? And so you need to think through: it’s not just about having a provision; it’s how do you actually operationalize that in order for you to be able to get through there. And, you know, a particular area that they’re going to be very focused on is subcontracting, because they want to understand what you’re flowing down to those other organizations, because there’s a lot of work that needs to go on. For the sake of time, let’s jump to the next slide, please. Okay.
And so, you know, what the agencies are trying to do here is they’re not encouraging a specific approach to ongoing monitoring, but rather the guidance is trying to get banks to think about ongoing monitoring like any other third-party risk management process. So they want you to be thinking about how this relates to your program and the complexity of your organization and the risk profile of your organization, right?
Joseph Martinez: And by doing this, they want you to be thinking about ongoing monitoring, which can be conducted on a periodic or on a continuous basis. They’re not saying either/or; they’ve seen you could do it both ways, and more comprehensive or frequent monitoring is appropriate when the third-party relationship supports higher-risk activities. So again, you have to have a methodology so you can tease out what the actual criticality is of the activity and then what the criticality is of the supplier, so that, you know, your ongoing monitoring is basically going to be built upon that level of risk. Because again, if you have a critical thing, you’re going to probably have a much more in-depth view in terms of what it is that you want to manage from an ongoing monitoring perspective. If it’s a low-risk item, it’s going to be, you know, varying differences, and they’re giving you that latitude in order to make sure that, you know, if you actually have the right level of methodology and if you have a stated risk appetite, they want to make sure that anything that is above your risk appetite is being monitored significantly differently than anything that is within the risk appetite or below it. So, if we could go to the next slide, please. This is just kind of a continuation of ongoing monitoring. And again, when you’re looking at this, this is just telling you what they believe that you should be thinking about as you’re going through this. And again, the guidance states that the banking organizations, you know, can consider collaborative arrangements or the use of external parties to help supplement the ongoing monitoring. So, this is kind of new in terms of the fact that you can actually use a third party to help you through that process. But again, you’ve got to make sure that that third party is actually living up to the standards that you have. Right?
Joseph Martinez: Because when you take a look at, you know, what it is that the ongoing monitoring is enabling the bank to do, okay, you know, they need to look at both the level and the types of risks, because that may change over the lifetime of the relationship, right? And so you may need to adapt, you know, your ongoing monitoring practices accordingly. So you may have changes that are going to happen in frequency or the type of information or the level of monitoring that you’re doing, based on the nature of the evolution of that third-party relationship that you have. And so if we go to the next slide, please. So you can start to see some of the risk complexity and what they’re trying to drive there, right? And so, you know, when you’re starting to look at reviews as to what’s happening, they want you to be able to actually gain some efficiencies, but they’re also wanting to make sure that what you’re doing is following a process that is really going to help ensure that you’re in compliance, right? So they’re laying it out here very effectively. Changes in the third party’s financial condition, including the financial obligations to others. Again, you can prove that with your financial viability risk assessment if you do that on a periodic basis; don’t just do it at the beginning when you’re doing it in the due diligence phase. You need to have that on an ongoing basis, right? Or relevant audits, testing results, and other reports that address whether the third party remains capable of managing risks and meeting contractual obligations and regulatory requirements. Right? So, you’ve got to think about how you actually prove to the regulator, prove to the board, what it is that you’re trying to do, because this compliance is really important.
And again, they’re laying it out not in a prescriptive manner, but in a general manner that makes logical sense. And then it’s up to you to take that within your program and translate that into actions and activities and reports in order to be able to show it, and again it comes down to the level of complexity that you have.
Joseph Martinez: It comes down to what are the factors that you’re going to be considering as you’re doing that. Let’s go to the next slide, please. So, you know, again, all of this is just a continuation of what I was just talking about, and, you know, making sure that you have the appropriate level of training. You know, if what you’re saying is the training is provided to the employees of the banking organization and the third party, well, how do you prove it? Can you show me that it’s actually happening? Right? You know, again, do you have non-disclosure provisions? Do you have flow-downs that are happening with that third party? Right? You know, what happens with the third party’s response to incidents, you know, or business continuity? You know, this is really important, because anything that is going to create a jeopardy to the operations of your organization needs to be addressed; you can’t just say, well, you know, we thought they had a business continuity plan, but we never actually tested it. Well, you know, in my career, going back many, many years, I’ve seen where you had beautiful business continuity plans, but they actually had nothing behind them. They were great PowerPoints at the time, but when floods came, when earthquakes happened, third parties kind of left you hanging because they didn’t really have the level of plans and details that actually were actionable. And that’s why having these inculcated in writing, going in and monitoring them on a regular basis, going on site and ensuring that you have them is really important. So, as we continue to the next slide, you’ll start to see that, you know, given the broad principles approach that the guidance has, the agencies have not revised the guidance to address specific topics or types of relationships. Okay, that’s important to note. So separate guidance on certain topics or relationships already exists, right, in other guidelines?
And these types of specific guidance issues are, unless expressly rescinded, unaffected by this new guidance.
Joseph Martinez: So if they have something out there relative to what’s happening with cybersecurity that’s referred to, it’s not inculcated in here; those things are still there. So again, these are just looking at what you need to be thinking about from an ongoing monitoring perspective. Now, as we come to the fifth portion of the life cycle on the next slide, it’s termination, right? And, you know, I always like to think about it as either termination or termination/renewal, right? So, you know, a bank may terminate a relationship for various reasons. You know, you could come to the natural end and you have the expiry of the contract. You could have a breach of contract. You could have the third party fail to comply with the applicable laws or regulations, or, you know, you may want to find a different supplier for whatever the reason might be. Or you might actually want to bring that activity in house, or in some instances discontinue that activity. Right? So when this occurs, it’s important for the management, you know, of the organization to terminate the relationships in an efficient and effective manner, whether the activities are transitioned to another third party or brought in house or discontinued. You need to be thinking about all of these, and these are why they’ve laid out, you know, what are the costs and fees associated with that termination. You know, how are you going to handle the joint intellectual property? So you’ve got to think about these things in the contract phase, but ultimately they’re going to get executed in the termination phase. And so it’s really important for us to think about that. Let’s go ahead and jump to the next slide, please. And I know that we’re running out of time. So, you know, let’s go at a high level.
And again, we’re going to do a deeper dive in a couple of weeks on this at more of a double-click level, but now we want to recommend some best practices that organizations in all industries can be following, right?
Joseph Martinez: And when you think about this, you know, there are several best practices that organizations in all industries can follow related to third-party risk management, right? And so, you know, one of those is actually, you know, know who your third parties are, right? You’ve got to know that. You’ve got to prioritize who your vendors are, right? You need to make sure that you’re monitoring your vendors on a continuous basis, and, you know, how do you actually get that done? You need to automate your processes, right? And so, regardless of how the banking organization structures the process, you know, these practices that I’m talking about are ubiquitous and need to be thought through: oversight and accountability, independent reviews, documentation, and reporting. And that will then lead us into what it is that we’re thinking about, right? And so there are varying ways that the organizations can actually do this with their process. So, you know, the accountability lies with the business line, you know, from a first line of defense perspective, but the banking organization, you know, I’ve seen it where banks have centralized this process, and sometimes it’s in compliance, sometimes it’s in information security, sometimes it’s in procurement, sometimes it’s in other risk functions. But again, having that program mature, having that program actually established, and having that program so that it itself is auditable is really important for us to think about. And so, if we go to the next slide, this starts at the board, right? And at the end of the day, the board is responsible for actually setting what that vision is going to look like, right? And so the relationships that they have are really important for us to think about, right?
So, proper oversight and accountability are important aspects of any program, whether it’s third-party risk management or not, right? And so the bank’s board of directors has that ultimate responsibility, and then what they do is they’re going to hold management accountable for this. Right?
Joseph Martinez: So the board is going to provide the clear guidance, and they’re going to, you know, help you set what that acceptable risk appetite is, and they’re going to approve the policies, and they’re going to ensure that the appropriate procedures and practices are established. But, you know, at the end of the day, they are looking at things at a high enough level, with enough level of independence, to help steer the ship as to where it needs to go. So in carrying out its responsibilities, you know, the board or its designated committee is typically going to be considering a lot of these factors that you’re seeing there. You know, whether the third-party relationship is managed in a manner that is consistent with the bank’s strategic goals or visions, etc. So they’re laying out: this is what our vision is, and this is how it needs to be looked at. And if you go to the next slide, please, you’ll see that then management actually has to operationalize that, right? And so management really has that governance and oversight accountability, and it’s really important for them. I’ve listed these things down; again, you guys are getting a copy of this. I don’t want to go through every one specifically, but it’s important that you have something like a third-party risk management committee, that, you know, you’re integrating third-party risk management into the bank’s overall risk management process, that you’re providing that the contracts with the third parties are appropriately reviewed and approved and executed, so it’s not just somebody signing a piece of paper. There’s actually a thought based on the level of risk, based on the dollar size, based on the complexity. And so what you’re doing is, you know, management is responsible for creating this process to make sure that it works. And then if we look at the next slide, please, this is when you start to think about independent reviews, right?
And so it’s important for a banking organization to conduct periodic independent reviews to assess the adequacy of its third-party management processes. And, you know, this is really where the rubber meets the road, because your third line of defense is coming in.
Joseph Martinez: They’re taking a look at how your organization is really establishing and in compliance with, you know, are you doing what you say you’re going to do, and are you doing it well, and are you doing it to the level of sophistication that is not just going to meet the minimum requirements but is actually going to have a program that is actually going to help you to reduce and understand the risks that you have. So, you know, management is going to use the results of these independent reviews to determine whether and how to adjust their third-party risk management process and program. You know, do we need to make shifts in our policies? What about our reporting? You know, do we have the right level of resources with the right level of expertise? Do we have the right level of controls? You know, and so it’s important that management respond promptly and thoroughly to any issues or concerns that are identified and then escalate them to the board as appropriate. So, again, there’s a lot of detail behind this, but I wanted to make sure that I was calling it out for us to think about. And by the way, this goes across industry. This isn’t just for banks. You know, this is sound practice. And then if we go to the next slide, you know, we think about the documentation and reporting, right? There’s a lot of stuff that’s here, but documentation and reporting really are the key elements that assist, you know, those within and outside of an organization to conduct the and control activities. So, you know, depending on the risk and complexity of third-party relationships, you’re going to have a lot of different activities that need to happen. So when we talk about a current inventory of all third-party relationships, well, you know, that’s really helping us to clearly identify those relationships that are associated with higher-risk activities, including critical activities.
Joseph Martinez: So if you don’t have a way to actually tangibly demonstrate what your inventory is, and that that inventory is then run against your methodology in order to be able to tease out, you know, through your risk assessment process, whether or not you have something that’s above your risk appetite, you know, it’s going to probably not end well for the group. You know, also reporting to the board is important, right, periodic reporting to the board. And this is applicable for, you know, any dependencies that you have on a single provider, if there are multiple activities with a provider that’s having financial troubles, you know, if any of your providers have had, as an example, cyber attacks and those types of things, right? So it’s really important for you to think through how you have the right level of remediation plans, you know, who’s on point for the types of reports that are happening, you know, from third parties, etc. And, you know, if we take a look at the next slide, please. So really, you know, each agency will review its supervised banking organization’s risk management and third-party relationships as part of its standard process, right? So the supervisory reviews will evaluate the risks and the effectiveness of your risk management, and determine whether your activities are conducted in a safe and sound manner, and are you actually living up to the applicable laws or regulations that they have? So their evaluations are really going to be considering, you know, what are you doing in engaging a diverse set of third parties, you know, because not all third-party relationships present the same risks, and do you actually understand how to tailor your practices to the risks that are presented, and do you actually have a program that, you know, is tangible, measurable, and repeatable? Right?
So, you know, I know that we’re running out of time. Let’s jump to the next slide, please. Can you guys hear me?
Scott Lang: Yeah, we can hear you, Joe.
Joseph Martinez: Good. Good. Yeah. So, you know, one of the things that I think that we should think about is, as you’re looking into reviewing your risk management processes and you’re evaluating them, you need to make sure that everything you’re doing is helping to not just fulfill the obligation for how you’re managing on behalf of your company, but also on behalf of your client, right? And how are you actually designing your process to protect your customers and to provide fair, you know, access to your financial services? So, it’s not just about being prescriptive. It’s about how does this actually enable you to make money? How does this enable you to have a better customer experience? I know that we’re running short on time. Why don’t we jump to the next slide, please? So, you know, I wanted you to think about some of the best practices that people need to be thinking about. And one of those is, you know, how do you actually put the right level of framework in place? So, where you have the right oversight and governance, you have the tools and controls, and you have the analytics and actionable reporting, right? How do you lay that out in order for it to be appropriate? I do want to get to some questions. So, why don’t we jump to the next slide? This here is really talking about the three lines of defense. If you’ve been in banking for more than a day, you’re probably aware of this, but let’s go ahead, and I put this in here because I think it’s important for us to be thinking about that framework. We’ll do more of a deeper dive in our next session. Next slide. This here is just some recommended best practices that organizations in all industries can follow. Look, here’s a high-level operating framework. Here are the risks that we’re looking at.
Here are the objectives, and then, you know, here’s a third-party risk assessment, and here are the engagements in that risk assessment and how we actually can drive through that. And if we could go to the next slide, please. And this right here is just leveraging the foundation in order for us to actually think about that. And that second point, I put a box around it: you know, segmentation and onboarding is critical, right, because the classification of who your partners are and how you’re actually putting that methodology in place is really going to be foundational to how you’re actually going to be able to do the management and oversight across that entire life cycle. Next slide. So, we’ve got to be thinking beyond just the regulatory requirements, because this isn’t a check-the-box exercise, right? So, you know, you need to think about how do you protect your organization’s knowledge and expertise. You know, have you created any dependencies with a third party that now become an issue for you if something happens to that third party, right? You know, is the quality of your service consistent end to end with your third parties, right? And have you evaluated the total cost? You know, are there any additional or hidden costs that you need to be thinking about? Because there’s what you’ve put in contractually and what you’ve agreed to, but then as you start to come back and you’re starting to put your program in place, you’re going to see that your suppliers are going to push back on that. And then did you take into consideration the increase in operational risks, right? Because all of that is really important for us to be thinking about, because if we don’t think about it outside of the regulatory requirement, if we don’t think about that in terms of how do we actually put a program together, what we end up doing is we end up increasing our risk.
We fail in terms of our compliance to the guidelines, and basically this will impact our earnings per share, and this will impact our reputation in the industry. So why don’t we go to the next slide? Let’s get some questions and answers. I know I went kind of fast through a number of these slides. We wanted to take a second session where we’re going to do more of a deep dive, but there was a tremendous amount that I wanted to cover, to make sure that you guys had the ability to see it, because it’s really important for us to be thinking about this. Because these new guidelines just came out, and so, as you know, once the guidelines come out, in a short period of time they’re going to start coming out and starting to see how you’re addressing the program to the new guidelines. So, with that, do we have any questions?
Ashley: Hey, thanks, Joseph. Scott, do you have any closing thoughts on this? I’m sorry, guys. I know we didn’t really have any time for questions, but Joseph will be doing a part two in an upcoming webinar, and we’ll be able to address some more of this information there. Scott.
Scott Lang: No, nothing else for me. We can move on.
Ashley: All right. Well, thank you guys so much for attending. I hope you have a great rest of your day and a great upcoming weekend and look forward to seeing you at the next webinar. Cheers.

©2025 Mitratech, Inc. All rights reserved.