.gif?width=1920&name=Sample-Graphic-Animation%20(1).gif)
This page is designed for desktop use and does not work on smaller devices.
Industry
Location
Regulator
Industry
The industry that must comply with the specific regulatory requirement
Location
The location where the regulation and regulatory agency is based
Regulation
The standard, regulation, framework, or law
Regulator
The primary regulator or agency behind the standard, regulation, framework, or law
About the Regulation
Key points of the regulation and specific compliance area highlights
Educational Resource
An additional related resource to guide your organization as it evaluates compliance
No Results Found
There are no results found matching the current filters. Consider adjusting any applied filters.
Can't find what you are looking for?
Banking
U.S.
The Act requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution.
Banking
U.S.
This guidance addresses performing proper due diligence when selecting computer software or a service provider.
CHECKLIST
Banking
U.S.
This interpretative guidance addresses developing and implementing a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider.
Banking
U.S.
The guidance describes potential risks associated with relationships with entities that process payments for telemarketers and other merchant clients.
Banking
U.S.
This bulletin discusses considerations for banks with regard to confirming appraisal management companies registration as part of sound third-party risk management.
Banking
U.S.
Guidance on managing risks that may arise from relationships with foreign-based third parties.
INFOGRAPHIC
Banking
U.S.
This guidance outlines how banks should manage risks associated with third-party relationships.
Banking
U.S.
The guide covers six due diligence topics community banks can consider when evaluating fintech companies. Use of this guide is voluntary.
Banking
U.S.
This statement describes the elements of an effective country risk management process, including outsourcing to foreign third parties.
Banking and Financial Services
Canada
OSFI expects federally regulated financial institutions to manage the risks related to all third-party arrangements and emphasizes that the federally regulated financial institution retains accountability for business activities, functions and services outsourced to a third party.
Banking and Financial Services
EU
The guidelines set out specific provisions for these financial institutions’ governance frameworks with regard to their outsourcing arrangements and the related supervisory expectations and processes.
Banking and Financial Services
EU
Details how financial instiutions should manage the information and communication technology (ICT) and security risks they're exposed to, including outsourced third-party relationships.
CHECKLIST
Banking and Financial Services
EU
Establishes a unified approach and framework for managing information and communication technology third-party risk.
Credit Unions
U.S.
This provides a list of compliance risk indicators that are part of the NCUA's Risk-Focused Examination program.
Credit Unions
U.S.
The questionnaire NCUA field staff will use to complete the evaluation of credit union third party relationships.
Credit Unions
U.S.
Outlines expectations for third-party relationships, including planning, due diligence, and risk controls.
Credit Unions
U.S.
Requires credit unions to report cyber incidents within 72 hours of its discovery, including third-party incidents.
Credit Unions
U.S.
Provides clarity on the use of third-party providers by federally insured credit unions (FICUs).
Credit Unions
U.S.
A non-exhaustive list of minimum procedures a credit union should follow during a due diligence review.
CHECKLIST
Energy
North America
Describes how a NERC entity should develop a supply chain cybersecurity risk management plan that identifies, assesses, and mitigates cyber risks.
Energy
North America
Details how an entity can identify, assess, and mitigate vendor cybersecurity risks and document their vendor risk management program.
Energy
North America
Frameworks for energy and utility companies operating with the Bulk Electric System to protect cyber assets, including security controls for supply chain risk management.
Financial Services
Canada
Payment service providers must identiy critical third parties and manage operational risks.
Financial Services
U.S.
The guidance provides considerations for financial institutions on conducting risk assessments and crafting and evaluating policies and procedures regarding social media.
INFOGRAPHIC
Financial Services
U.S.
These procedures address outsourcing technology services and managing technology service providers.
Financial Services
U.S.
This requires member firms to have procedures like due diligence on third-party service provider arrangements.
INFOGRAPHIC AND MATRIX
Financial Services
U.S.
The notice reminds member firms to have procedures in place for supervising activities and functions performed by third-party vendors.
Financial Services
U.S.
Requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. This includes service providers.
Financial Services
U.S.
Requires protection of the privacy and security of customers' non-public personal information, including safeguards on third-party access to data
Financial Services
U.S.
Guidance to help public companies prepared to report material cybersecurity incidents, including those of third-party vendors.
Financial Services
U.S.
Requires public companies to report materical cybersecurity incidents, including those of third-party vendors.
Financial Services
U.S.
The SEC details its fiscal year priorities, including information security and operational resiliency.
Financial Services
U.S.
OCIE offers a framework for vendor management, incident response, and operational resiliency.
Financial Services
U.S.
The CFPB expects supervised banks and non-banks to oversee service provider relationships to ensure compliance with federal consumer financial law.
Financial Services
U.S.
Provides guidance to financial institutions when filing Suspicious Activity Reports (SARs) on activities related to third-party payment processors.
Financial Services
Australia
Requires identifying, assessing, and managing service provider risks, including a service provider management policy, formal agreements, and robust monitoring.
Financial Services
Australia
Outlines expectations for organizations to be resilient against information security incidents, including protecting data managed by third parties.
Financial Services
UK
Sets expectations for outsourcing and third-party risk management for financial market infrastructures.
Financial Services
UK
Expectations for how entities should manage third-party relationships and risks.
Financial Services
UK
Clarifies the requirements when outsourcing to the cloud and other third-party IT services.
Financial Services
UK
Provides a list of questions for a firm to consider as it prepares for the use of and evaluation of third-party technology providers.
EBOOK AND QUESTIONNAIRE
Financial Services
UK
Outlines requirements for mitigating critical third-party risks.
Financial Services
UK
Outlines requirements for due diligence, contracting, and managing third parties.
Financial Services
Singapore
Sets expectations for sound practices on risk management of outsourcing arrangements.
Financial Services
Singapore
Ensures financial institutions have controls in place to minimize operational disruptions, including third-party disruptions.
Financial Services
Singapore
Principles and best practices for the financial sector to manage technology risks and maintain cyber resilience, including managing third-party services.
Financial Services
Singapore
Requirements for banks on protecting the confidentiality of customer information in all outsourcing arrangements.
INFOGRAPHIC
Financial Services
Hong Kong - China
Guidelines for authorized institutions (Ais) on outsourcing arrangements, including contingency planning and data confidentiality.
Financial Services
India
Outlines how Regulated Entities (REs) should mitigate the risks of outsourcing IT services, including due diligence and outsourcing agreements.
DUE DILIGENCE
General
International
Security requirements for organizations that process, store, or transmit credit card information. Vendors that perform payment processing on your behalf will need to comply.
General
International
An international standard for information security management systems.
General
U.S.
Requires insurance companies to establish internal controls and procedures to ensure accuracy and reliability of financial statements, which include managing third-party risks.
General
EU
Organizations will be required to report Scope 3 emissions, which are indirect emissions in an organization's supply chain.
General
U.S.
Prohibits direct corrupt payments to a foreign official to obtain business and indirect corrupt payments through third parties.
CHECKLIST
General
Canada
Obligates certain government institutions and private-sector entities to report on the measures taken to prevent and reduce the risk of forced labor or child labor in supply chains.
General
UK
Addresses modern-day slavery in supply chains, including risk assessments on suppliers.
General
U.S. - California
Gives consumers more control over the personal information that organizations collect about them.
General
U.S. - California
Mandates organizations disclose how it verifies, audits, and certfies human trafficking and slavery risks in supply chains.
General
Singapore
Provides a baseline standard of protection for personal data in Singapore.
General
U.S.
Protects online privacy of children under 13, including standards for third-party websites or mobile apps.
General
U.S. - Colorado
Grants the right for Colorado consumers to access, delete, and correct their personal data, as well as opt out of the sale of their personal data.
General
U.S. - New York
Requires organizations develop, implement, and maintain safeguards to protect the security, confidentiality, and integrity of private information.
CHECKLIST
General
U.S. - New York
Details requirements on areas such as business continuity
and disaster recovery plans, cybersecurity incidents,
cybersecurity policies and procedures, and third-party cybersecurity.
General
U.S. - Utah
Provides Utah citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Virginia
Provides Virginia citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Connecticut
Provides Connecticut citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Delaware
Provides Delaware citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Indiana
Provides Indiana citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Iowa
Provides Iowa citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Kentucky
Provides Kentucky citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Maryland
Provides Maryland citizens' rights to their personal data and how it's used by organizations.
INFOGRAPHIC
General
U.S. - Montana
Provides Montana citizens' rights to their personal data and how it's used by organizations.
General
U.S. – Nebraska
Provides Nebraska citizens' rights to their personal data and how it's used by organizations
General
U.S. - New Hampshire
Provides New Hampshire citizens' rights to their personal data and how it's used by organizations.
General
U.S. - New Jersey
Provides New Jersey citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Oregon
Provides Oregon citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Tennessee
Provides Tennessee citizens' rights to their personal data and how it's used by organizations.
General
U.S. - Texas
Provides Texas citizens' rights to their personal data and how it's used by organizations.
General
UK
The UK's implementation of the General Data Protection Regulation. Outlines requirements for how organizations must protect personal data.
General
Australia
Regulates how government agencies and organizations handle personal information, including credit reporting, notifiable data breach schenes, health records.
General
South Africa
Guidelines on processing personal information in South Africa.
General
Canada
Governs how organizations can collect, use, and disclose personal information.
General
China
Regulatory framework for protecting personal informaiton in China.
General
China
Outlines the creation, use, storage, transfer, and exploitation of data in China.
CHECKLIST
General
Germany
Requires due diligence on suppliers, including a risk analysis and assessment and documentation and reporting.
General
UK
Holds large organisations accountable for specific fraud crimes that benefited the organisation and was committed by employees or third parties if reasonable fraud prevention procedures weren’t in place.
General
U.S.
Bans products from entering the United States if the products have any links to the Xinjiang Uyghur Autonomous Region.
General
U.S.
A comprehensive data privacy law to protect how the data of EU citizens is collected and used. Any organization, regardless of location, that targets or collects data from EU citizen must comply.
Government
U.S.
Provides guidance to government agencies to manage cybersecurity risks, including third-party cybersecurity risk.
Healthcare
Canada - Ontario
Regulates how personal health information (PHI) is collected, used, and disclosed in the healthcare industry.
Healthcare
U.S.
Requires safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures of it.
Healthcare
U.S.
Sets standards to protect individuals' electronic personal health information. Requires administrative, physical, and technical safeguards to protect data.