We’ve had a little bit of everything as far as third-party risk news this week – from new FFIEC information, cyber issues and, oh yes, an election causing gridlock. Read those articles and more below.
Industry News for the Week of November 5
FDIC chief warns fintech companies to expect same level of regulatory scrutiny as banks: Read here
Drop in enforcement actions: Read here
ICBA warns core processors to keep up with consumer demands: Read here
FFIEC Releases Statement on OFAC Cyber-Related Sanctions
The Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to recent actions taken by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) under its Cyber-Related Sanctions Program and to the potential impact those actions may have on financial institutions’ risk-management programs.
The statement describes the issues a financial institution should consider regarding the effect of sanctions on the operations of the financial institution and the implications of the continued use of products or services provided by a sanctioned entity.
Since the program’s inception, OFAC has issued sanctions against entities that are responsible for, complicit in, or have engaged in certain malicious cyber-enabled activities, or that have provided material or technological support to malicious cyber actors targeting U.S. organizations. Some sanctioned entities may offer services to financial institutions that operate in the United States. As a result of OFAC’s sanctions, all property and interests in property of the designated persons that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.
Financial institutions should refer to OFAC resources or the FFIEC Information Technology Examination Handbook for information on requirements and expectations regarding OFAC-related compliance and operational risk management.
New rules for third parties in Massachusetts?: Read here
Make guidance into regulations?: Read here
This is important – cost and compliance: Read here
Managing Risk Under OFAC’s Cyber-Related Sanctions Program
Posted: 07 Nov 2018 02:00 AM PST
Written by Shari R. Pogach, NAFCU Regulatory Paralegal
Yesterday, members of the Federal Financial Institutions Examination Council (FFIEC) (including the National Credit Union Administration and the Bureau of Consumer Financial Protection) released a joint statement on actions taken by Treasury’s Office of Foreign Assets Control (OFAC) under its Cyber-Related Sanctions Program. The statement notes these sanctions might impact a financial institution’s information technology and other operations, including the use of services of a sanctioned entity.
OFAC’s program was implemented on April 1, 2015, in response to the threat to U.S. national security, foreign policy and the economy from malicious cyber-related activities originated or directed by parties outside of the U.S. Since its inception, OFAC has issued sanctions against a number of entities either involved in or responsible for malicious cyber-enabled activities, including by providing material and technological support to parties targeting U.S. organizations. Some of these sanctioned entities claim to be U.S. based and offer services to financial institutions. If an institution continues to use products or services from a sanctioned entity, whether directly or indirectly through a service provider, it faces increased operational and OFAC compliance risk that may result in violations of law, civil money penalties, enforcement actions and reputational damage.
In order to mitigate its risk, a financial institution should ensure its OFAC compliance and risk management processes can identify, assess and mitigate any risks resulting from possible interactions with a sanctioned entity. The OFAC compliance, fraud, security, IT, third-party risk management and risk functions within the institution should collaborate to assess any potential exposure. An institution’s sanctions screening system should be updated, and processes and procedures should be in place, to comply with these sanctions.
According to the joint statement, prohibited transactions include trade or financial transactions and other dealings, which may be broadly interpreted to include technical transactions such as downloading a software patch from a sanctioned entity. Continued use of software and technical services from a sanctioned entity may also increase cybersecurity risk for an institution. An institution’s third-party service provider may have used, or may continue to use, products and services of a sanctioned entity on the institution’s behalf. In some cases, the sanctioned entity might be providing a critical service or control that cannot be immediately discontinued. In such instances, an institution should identify and implement an alternative solution as quickly as possible.
Due to the complexities of some third-party relationships and transactions relative to the sanctions, or for any operational issues presented by the sanctions deadlines, impacted financial institutions are encouraged to contact OFAC, their legal counsel and/or their security offices for additional guidance. A financial institution may contact OFAC on its telephone hotline at 1-800-540-6322 or by email at ofac_feedback@treasury.gov.
1.4 million records breached in HSBC cyber incident: Read here
Gridlock: Read here