Posted on Aug 7, 2017
The Board of Governors of the Federal Reserve System’s most recent Supervisory Letter, “Guidance on Managing Outsourcing Risk” (“Guidance”), released on December 5, 2013, distills the characteristics, governance, and operations required for a risk management program aimed at monitoring service providers of financial institutions. Specifically, the Guidance builds on other regulatory guidance on third-party risk to clarify expectations around outsourcing, selection, and management of third-party service providers.
Some of the SR 13-19 requirements include:
The Guidance applies to all financial institutions and U.S. operations of foreign bank organizations that are supervised by the Board, no matter the size of the institution. The Board defines any third party or service provider as any outsourced party that has entered into a contractual relationship with any financial institution in order to provide said institution a business function or activity.
SR 13-19 expects financial institutions to develop and implement a risk management program for all third-party providers that is “commensurate with the level of risk” depending on the financial institution's outsourcing activities.
The program must be established and approved by the institution's board of directors, executed, and reported on. In establishing the program, it is important for each financial institution to review and consider all possible risks, such as compliance, concentration, reputation, country, operational, legal, transaction, strategic, and credit risk, that may arise from each outsourcing relationship. Once partnered with the third party, it is equally, if not more, important to monitor those potential risks throughout the relationship.
Since this approach is dependent on the complexity of the outsourced activities, the Guidance requires that the below elements be part of the financial institution's risk management program for each of its outsourced relationships:
With the increasing amount of regulation and guidance in the third party risk management space, it is more important than ever to understand the risk presented by the activities of vendors by developing a comprehensive and continuous risk management program.