
Third-Party Risk Management Highlights From the FFIEC Development, Acquisition, and Maintenance Booklet


The Federal Financial Institutions Examination Council’s (FFIEC) Development and Acquisition booklet within the Information Technology Examination Handbook was updated recently, 20 years after its original release. The new booklet, “Development, Acquisition, and Maintenance,” is a lengthy read, at more than 200 pages long, but a highly valuable resource for third-party risk managers who want a better understanding of examination procedures.

Your organization should read through the booklet to identify which areas are most applicable to your organization and how you can implement these concepts within your third-party risk management (TPRM) program. Let’s look at TPRM highlights from this new booklet and questions to consider that can help gauge your readiness for an examination. 

Note: Text taken directly from the booklet is noted in italics.

An Overview of the FFIEC Development, Acquisition, and Maintenance Booklet 

The FFIEC is composed of financial regulators, including the Federal Reserve, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and the State Liaison Committee. The council developed the IT Examination Handbook for use by examiners, which includes the Development, Acquisition, and Maintenance booklet. Each FFIEC member agency uses the principles in the booklet for examinations. 

The Development, Acquisition, and Maintenance booklet addresses key risk management practices when developing, acquiring, or maintaining systems and components. This includes the system development lifecycle and supply chain risk management. The booklet doesn’t impose any new requirements on organizations, but instead describes the principles and practices that examiners can use when assessing an entity’s system development, acquisition, and maintenance activities.

Third-Party Risk Management Highlights From the FFIEC Development, Acquisition, and Maintenance Booklet 

Procurement managers and third-party risk managers are expected to have important roles in the acquisition of IT products and services. These acquisition roles are primarily responsible for evaluating supply chain risks related to third parties. Responsibilities include developing procurement policies and procedures, pre-contract due diligence, monitoring third-party contracts, and ongoing oversight of the third-party relationship. 

Section IV.P focuses on third-party risk management and covers the following three concepts: 

  • Planning – An effective planning strategy includes evaluating how to manage third-party risk before entering the relationship. Critical and high-risk third-party relationships require more planning to ensure proper risk mitigation, the details of which can be found in the Interagency Guidance on Third-Party Relationships and the FFIEC’s booklet Outsourcing Technology Services.
  • Due Diligence and Third-Party Selection – Organizations should perform risk-based due diligence before third-party selection and contracting during the onboarding phase. The FFIEC acknowledges that comprehensive due diligence isn’t always possible, but it’s still important to document those limitations, understand the risks, and consider alternatives. Senior management should also evaluate those due diligence efforts in combination with the organization’s unique circumstances.
  • Contract Negotiation – Third-party contracts should typically be reviewed and approved by senior management to ensure they meet the organization’s requirements and goals. Contract provisions should also be considered and negotiated, as needed. Critical and high-risk third-party contracts should be brought to the attention of the board of directors, who may need to approve or delegate approval. 

In addition to these TPRM concepts, the booklet also contains a dedicated section on supply chains. Section IV.Q.1 covers supply chain risk management and describes multiple topics, including:

  • Policies and procedures – These should outline due diligence for new third-party vendors, identify security standards for purchased products, and include requirements about data retention and disposal.
  • Controls and processes – These should be based on the vendor’s risk assessment and designed to promote confidentiality, integrity, availability, and resilience throughout the organization’s supply chain. During an exam, management should provide evidence of data protection in transit and at rest, controls for logging, disparate data correlation and alerts, logical and physical access controls, monitoring tools, and more.
  • Considerations for resilience – Organizations should have plans in place to support their supply chain’s operational resilience. Plans should address scenarios like an unplanned failure of a system or component, planned replacement, and a disruption to the product or service.
  • Practices for assessments and reviews – Assessing and reviewing supply chain partners should include several due diligence practices, such as determining the potential for foreign ownership and checking OFAC lists, evaluating oversight of fourth parties, and validating that the third-party supplier has performed testing on its system and components. 
  • Internal audit and assurance – The booklet suggests several audit and assurance activities that an organization can perform internally, which can validate its assessment of supply chain risks. Organizations can review items such as their service level agreement (SLA) tracking reports, use of SOC reports and other independent reports during due diligence, use of tools and techniques to detect malware, and verification of ongoing training that ensures awareness of supply chain risks. 


Evaluating Compliance in Your Third-Party Risk Management Program 

The FFIEC’s Development, Acquisition, and Maintenance booklet is essentially a guide to understanding how examiners will assess your TPRM program. Asking the following questions can help determine whether your program is likely to meet regulatory expectations during an exam:

  • Is our TPRM program aligned with the Interagency Guidance? Now is a good time to ensure your TPRM program follows the principles outlined in the 2023 Interagency Guidance on Third-Party Relationships, as this publication is referenced many times throughout the FFIEC booklet. Take some time to review the Interagency Guidance and identify any deficiencies within your TPRM program for remediation. Document your plan with a timeline and progress updates so examiners can see evidence of your program’s compliance.
  • Do we need to update our governance documents? TPRM policies, program documents, and procedures are all items that may be reviewed during an exam. Remember that governance documents should reflect your organization’s actual activities, rather than future goals. For example, maybe your current risk assessment process is missing a few elements and you’re currently figuring out how to implement them. Your documentation should still describe your current process.
  • Do we have appropriate oversight on our critical third parties? As with many TPRM regulations and guidelines, critical third-party vendors typically undergo the most scrutiny. It’s important to establish clear criteria for identifying your critical vendors and appropriate oversight activities, like increased performance monitoring, enhanced due diligence, and developing an exit strategy during onboarding. Critical third parties should also be included in an organization’s incident response testing, when appropriate.

Reading through a 217-page booklet can be intimidating, but remember that many of the concepts included in these publications are simply best practices and common sense. If your TPRM program is well-developed to meet regulatory standards and you continuously engage qualified subject matter experts to assess various risk domains, your organization is likely already meeting many of these expectations.
