Vendor Management, Contract Negotiations and Contract Management - Links for Vendor Management

Members and Security Info

Vendor Management Links for Financial Institutions
- Interagency Guidance on Third-Party Relationships
  
  This is the new Interagency Guidance on Third Party Relationships: Risk Management - I'm linking to the FRB site, as their PDF is the best formatted (imo)
- Interagency Guidance on TPRM - PDF version from FRB
  
  This is the PDF of the new Interagency Guidance on Third Party Relationships: Risk Management - I pulled in the PDF from the FRB site hosted here... to ease of access
- RFC Proposed Guidance on Third Party Risk
- Proposed Interagency Guidance on Third Party Risk
  
  FRB and FDIC will adopt the OCC guidance
- OCC 2021-3 (Jan 14,2021)
  
  Computer-Security Incident Notification: Notice of Proposed Rulemaking
- 2020-12-15 Proposed Rule (Jan12-2021)
  
  It is a proposed rule Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
- OCC 2020-10 (March 5, 2020)
  
  Third Party Relationships FAQ Supplement 2013-29
- OCC 2017-43 (Oct 20, 2017)
  
  New, Modified, or Expanded Bank Products and Services: Risk Management Principles
- 2020-94 - Ops Risk (October 30-2020)
  
  Operational Risk: Sound Practices to Strengthen Operational Resilience
- Supervision of Technology Service Providers and Outsourcing Technology Services
  
  FIL-46-2012
- NY FRB 1999
  
  where it all started Oct 1999
- FDIC Technology Service Provider Contracts FIL 19-2019
- Proposed Interagency Guidance
  
  FRB and FDIC will adopt the OCC guidance
- Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29
- OCC 2017-21
  
  Frequently Asked Questions regarding OCC TPRM Guidance 2013-29
- OCC 2017-07
  
  Supplemental Examination Procedures for TPRM (Also See 2020-10)
- FDIC OIG Report Feb 2017
  
  Technology Contracts remain weak between FIs and vendors
- Revised IT Handbook (FFIEC)
  
  How IT Risk Management relates to Enterprise Risk Management
- Information Security FFIEC 2016
  
  See Page 42 specific to Third Party Service Providers
- CFPB Auto Finance Examination Procedures
  
  (make note of Module 2 'Compliance Management System")
- FFIEC Joint Statement on Cyber Attacks involving Extortion
- FFIEC Cybersecurity Assessment General Observations
  
  March 30, 2015
- FFIEC Executive Leadership of Cybersecurity
  
  Video (Jun 17, 2014)
- FFIEC Statement on Compromising Credentials
- FFIEC Statement on Destructive Malware
- External Dependencies Management DHS
  
  DHS March 19 2015 presentation to BITS Vendor Management SIG
- External Dependencies Management Assessment Fact Sheet from DHS
  
  Stakeholder Engagement and Cyber Infrastructure Resilience
- CERT Resilience Management Model Version 1.0
  
  May 2010 (PDF Hosted here)
- FRB 3rd Party Risk Management Guidance (PDF)
  
  (hosted in my storage)
- Appendix J: Business Continuity Planning Booklet
  
  releases Feb 6, 2015
- FDIC - Computer Software Due Diligence
- OCC 2013-29 Third Party Relationships / Vendor Management Guidance
  
  This replaces OCC 2001-47 (which OCC has removed from their site)
- BITS 12-11-13 OCC Third-Party Relationships
  
  Slides used on the 12/11/2013 call with OCC and FRB
- FDIC FIL-44-2008
  
  Guidance For Managing Third-Party Risk
- PDF of OCC 2013-29 3rd Party Relationship / Vendor Management Guidance
  
  PDF of OCC 2013-29
- FDIC FIL-50-2001
  
  Effective Practices for Selecting - Tools for Managing and Techniques for Multiple Service Providers
- Extension on RFC for Third Party Risk
- FRB 3rd Party Risk Management Guidance
- FFIEC Social Media Guidance
- FFIEC Vendor and Third-Party Management
- FFIEC IT Booklets
- FFIEC Outsourcing Technology Services
- CFPB 2012-03 Service Providers
- FFIEC Supervision of Technology Service Providers
- Guidance - Risk Management Outsource Tech Service
- Guidance - Outsourcing of Information and Transaction
- OCC Bulletins
  
  This is where the OCC updates all their bulletins.
- Example of a Quarterly Vendor Summary Report
  
  - Dashboard approach
- Computer-Security Incident Notification: Notice of Proposed Rulemaking
- Vendor Relationship Management ScoreCard Sample
- FFIEC Statement on Destructive Malware
- FFIEC Statement on Compromising Credentials
- Introduction to the FFIEC’s Cybersecurity Assessment
- Cybersecurity Brochure
- BITS Concentration Risk
  
  from 2010
- FDIC RFC Guidance on 3rd Party Lending
  
  comments due by 9/12/2016
- NIST Defines Cloud
- FDIC - GLBA VIII Priavacy
  
  Gramm-Leach-Bliley Act (Privacy of Consumer Financial Information)
Other Information
- Back to the Future: The CFPB's Arbitration Report Could Signal a Return to the Days Before Concepcion
  
  Is an Arbitration Clause in a Consumer Contract Useful? Enforceable?
Other Resources
Media

(Videos, PowerPoints, and other content)
- Hiperos Presentation (Business Case for TPRM)
  
  Making the Strategic Business Case for Third Party Risk Management
- Hiperos Presentation (Business Case for TPRM)
  
  Making the Strategic Business Case for Third Party Risk Management
BITS Advisory
- Advisory - TPRM - Assessing Law Firms

Copyright © 2011, Bradley Martin. All rights reserved.