OCC: More Third-Party Risk GuidanceRegulator Outlines Steps to Mitigate Merchant Processing Risks
In keeping pace with increasing industry pressures to address third-party risks associated with payments breaches, yet another banking regulator has come out with revised guidance about what banking institutions should do to address risks associated with merchant processing.
The Office of the Comptroller of the Currency, the Federal Financial Institutions Examination Council's leading agency, has released an updated version of its Merchant Processing booklet, highlighting emerging concerns about high-risk merchants and the need for more due diligence when it comes to the management and risk assessment of third-party service providers.
The payments breach at retail giant Target Corp., which was the result of an attack against a vendor, as well as a breach at payments processor Fidelity National Information Services have pushed banking regulators to reiterate why banking institutions are responsible for mitigating third-party vulnerabilities.
The OCC booklet, which was first published in December 2001, provides updated guidance for examiners and banks about how they assess and manage risks associated with card-related payments processing. Additionally, the OCC has added supervision guidance for federal savings associations, which it says should now be treated like any other third party.
Also featured is updated guidance about technology service providers, Payment Card Industry data security standards for merchants and processors, and Bank Secrecy Act compliance programs and appropriate policies for anti-money-laundering controls.
Al Pascual, director of fraud and security at consultancy Javelin Strategy & Research, says the guidance is extremely relevant in the current security environment.
"This just further reinforces the fact that managing the risks associated with third-party providers has become an absolute necessity," he says. "The doors have been shut and the windows closed, so that in the event that a financial institution fails in their responsibility to vet these counterparties, then they have nowhere to go. There is no excuse."
Last month, the FDIC, another FFIEC agency, issued a statement to clarify third-party risks associated with payments processors and high-risk merchants (see FDIC Clarifies Third-Party Payments Risks).
And Aug. 7, the PCI Security Standards Council came out with new guidance to help merchants and banking institutions mitigate the ongoing risks posed by third parties that process and, in some cases, inadvertently store payment card data.
Increasing Third-Party Risks
More card breaches are being traced back to the breach of a third party, banking regulators and industry advisory boards say.
In early August, Troy Leach, chief technology officer of the PCI Council, in speaking about recently released version 3.0 of the PCI Data Security Standard, said recent research has shown that 65 percent of all data breaches involve a third party and 45 percent involved retailers.
"Many of the recommendations you will see here from the [PCI] council highlight the same types of requirements you are starting to see at the federal level, regarding what service-level requirements may be needed to ensure security with third parties," Leach says.
In April, Controller of the Currency Thomas Curry said ensuring due diligence and ongoing risk assessments of all third parties must be a part of every banking institution's vendor management program. He also noted banking institutions have to be responsible for monitoring and ensuring the ongoing security of the vendors with which they work, even if those vendors are subject to regulatory oversight (see OCC's Curry: Third-Party Risks Growing).
Late last year, the OCC became the first major U.S. banking regulator to issue updated guidance about third-party risks, noting eight specific areas where banks needed to make improvements to their vendor management programs related to third parties. Among those recommendations were guidelines related to how banking institutions should terminate relationships with third parties if certain security criteria are not met.
Honing in on Payments
Now the OCC is focusing attention on card-payments risks and the role third parties often play in the exposure of card data when it's being processed.
Paul Reymann, a compliance and risk-management professional of bank advisory firm McGovern Smith Advisors, says in the wake of the Target breach, banking regulators are clearly giving third-party risks more attention.
Reymann notes that banking institutions have about 122 pieces of regulation or guidance related to third-party risk management with which they are expected to comply or adhere. While that seems overwhelming, he points out that there is quite a bit of overlap among those regulations and guidelines. The Graham, Leach, Bliley Act, enacted way back in 1999, requires all banking institutions to protect the consumer information from "foreseeable threats in security and data integrity," he explains.
What's happening now, Reymann adds, is that banking regulators, such as the OCC, are merely reiterating why and how mitigating third-party risks must be a priority to ensure the integrity and security of financial and payments data.
"Kudos to the banking regulators for putting guidance out about how to manage third-party risks and asking the banking institutions to take a lead role in doing that," Reymann says. "We're expected to implement controls to identify and mitigate that kind of risk. What we need to think about going forward is, 'How do we get these non-regulated entities that are working with highly regulated financial institutions to be more proactive? How do we get the third parties themselves to be exam-ready, especially the critical vendors?"
Compliance and risk-management professional Paul Reymann of bank advisory firm McGovern Smith Advisors, on the challenges regulators face today when it comes to defining "critical vendors."
In its updated guidance, the OCC points out that banks are required to have GLBA compliance programs, as well as policies, procedures and processes in place to safeguard confidential customer information.
"The potential exists for legal liability related to customer privacy breaches," the guidance states. "The bank's GLBA risks when dealing with a third-party processor that possesses confidential customer information are the same as the risks when the bank possesses the information."
In fact, any card data that is stored or transmitted is at risk, OCC points out, and banks have to take the lead to ensure that data is protected.