I was at the NAFCU Conference and talked to quite a few risk managers during the time there. Nearly every one of them said they have had a major change of heart as to how closely they should be following the work and the guidance of the banking regulators. With the recent spate of enforcement actions and updated guidance from the OCC, it’s clear that all the regulators are taking a deeper dive on business practices, particularly as they all compare notes through the FFIEC.
Admittedly, it’s always been a best practice to look at what others are doing for the best way to grow and adapt your program, yet at the same time, the NCUA has not yet – key word being yet – made third party risk management the same laser-focused topic that the banking regulators have. Well, that may be changing in short order.
Changes in Industry Guidance Seem to Be the Reason for the New Focus
The other regulators, particularly the OCC, FDIC and CFPB, have all issued updated guidance or sweeping enforcement actions focused squarely on third party risk management. These include:
In addition, they’ve all admitted they need to step up their game in the face of the criticism by the Office of the Inspector General and know that the cybersecurity focus is challenged by the emergence of the new fintech companies. In the background, the OCC is battling the FDIC and the state agencies over their ideas for a fintech charter. Remember, these fintechs are your third parties in some cases.
If that’s not enough, the CFPB has reiterated its plans and begun taking action in direct oversight of third parties. That should send a shiver down your spine as you’d hardly want the CFPB to find something or reach a conclusion you had not already come to yourself about one of your critical third parties.
Examiners Do Cross Paths
Finally, if all that is not convincing enough, remember the examiners do compare notes and assist one another. Look at the FFIEC: the credit union regulatory authorities actively participate in that roundtable, so you can bet they are listening to what the other regulators have determined are sources of concern.
Forewarned is forearmed. Time to make sure your third party practices are at the cutting edge.
OCC 2013-29 is what we call the 'Golden Standard' for vendor risk management. Download our guide now to ensure you're going above and beyond.