Request for Information on Standard Setting and Voluntary Certification for Models and Third-Party Providers of Technology and Other Services, 44890-44894 [2020-16058]

Download as PDF 44890 Federal Register / Vol. 85, No. 143 / Friday, July 24, 2020 / Notices Please ensure that your comments are submitted within the specified comment period. Comments received after the close of the comment period will be marked ‘‘late.’’ EPA is not required to consider these late comments. Dated: July 20, 2020. Cindy S. Barger, Director, NEPA Compliance Division, Office of Federal Activities. [FR Doc. 2020–16055 Filed 7–23–20; 8:45 am] BILLING CODE 6560–50–P Gautam Srinivasan, Associate General Counsel. FEDERAL DEPOSIT INSURANCE CORPORATION [FR Doc. 2020–16112 Filed 7–23–20; 8:45 am] BILLING CODE P RIN 3064–ZA18 ENVIRONMENTAL PROTECTION AGENCY Request for Information on Standard Setting and Voluntary Certification for Models and Third-Party Providers of Technology and Other Services [ER–FRL–9051–9] jbell on DSKJLSW7X2PROD with NOTICES Responsible Agency: Office of Federal Activities, General Information 202– 564–5632 or https://www.epa.gov/nepa. Weekly receipt of Environmental Impact Statements (EIS) Filed July 13, 2020, 10 a.m. EST Through July 20, 2020, 10 a.m. EST Pursuant to 40 CFR 1506.9. Notice: Section 309(a) of the Clean Air Act requires that EPA make public its comments on EISs issued by other Federal agencies. EPA’s comment letters on EISs are available at: https:// cdxnodengn.epa.gov/cdx-enepa-public/ action/eis/search. EIS No. 20200146, Draft, USA, MD, Fort Davison Army Airfield Area Development Plan, Comment Period Ends: 09/08/2020, Contact: Fort Belvoir Directorate of Public Works, Environmental Division (DPW–ED) 703–806–0020. EIS No. 20200147, Final Supplement, NASA, CA, Final Supplemental Environmental Impact Statement for Soil Cleanup Activities at Santa Susana Field Laboratory, Review Period Ends: 08/24/2020, Contact: Peter Zorba, SSFL Project Director 202–714–0496. EIS No. 20200148, Final, USACE, AK, Pebble Mine, Review Period Ends: 08/ 24/2020, Contact: Shane McCoy 907– 753–2715. Amended Notice: EIS No. 20200060, Draft, FHWA, VA, Route 220 Martinsville Southern Connector, Comment Period Ends: 09/ 11/2020, Contact: Mack A Frost 804– 775–3352. Revision to FR Notice Published 06/19/2020; Extending the Comment Period from 7/24/2020 to 9/ 11/2020. VerDate Sep<11>2014 20:45 Jul 23, 2020 Jkt 250001 Federal Deposit Insurance Corporation (FDIC). ACTION: Notice and request for information. AGENCY: Environmental Impact Statements; Notice of Availability The FDIC is issuing this request for information (RFI) as part of its FDiTech initiative to promote the efficient and effective adoption of technology at FDIC-supervised banks and savings associations (financial institutions), particularly at community banks, and to facilitate the supervision of technology usage at these institutions without increasing costs or regulatory burden. The FDIC is committed to increasing transparency, improving supervisory and regulatory efficiency, supporting innovation in banking, and providing opportunities for public feedback. This RFI seeks input on whether a standard-setting and voluntary-certification program could be established to support financial institutions’ efforts to implement models and manage model risk by certifying or assessing certain aspects of the models themselves, and to conduct due diligence of third-party providers of technology and other services by certifying or assessing certain aspects of the third-party providers’ operations or condition. The FDIC is especially interested in information on models and technology services developed and provided by financial technology companies, sometimes referred to as ‘‘fintechs.’’ SUMMARY: Comments must be received by September 22, 2020. ADDRESSES: You may submit comments, identified by RIN 3064–ZA18, by any of the following methods: • Agency Website: https:// www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the agency website. • Email: Comments@fdic.gov. Include RIN 3064–ZA18 in the subject line of the message. DATES: PO 00000 Frm 00043 Fmt 4703 Sfmt 4703 • Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429. • Hand Delivery/Courier: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street NW building (located on F Street) on business days between 7:00 a.m. and 5:00 p.m. All comments received must include the agency name and RIN 3064–ZA18. Public Inspection: All comments received will be posted without change to https://www.fdic.gov/regulations/ laws/federal/—including any personal information provided—for public inspection. Paper copies of public comments may be ordered from the FDIC Public Information Center, 3501 North Fairfax Drive, Room E–1002, Arlington, VA 22226 by telephone at (877) 275–3342 or (703) 562–2200. FOR FURTHER INFORMATION CONTACT: Alexander LePore, Jr., Senior Policy Analyst, (202) 898–7203, alepore@ fdic.gov. SUPPLEMENTARY INFORMATION: The FDIC is an independent Federal agency with a mission of maintaining stability and public confidence in the nation’s financial system, in part by examining and supervising certain financial institutions, including for safety and soundness and consumer protection.1 The FDIC is the primary Federal banking supervisor for more than 3,000 state-chartered banks and savings associations that are not members of the Federal Reserve System, and it conducts regular examinations of these supervised institutions.2 Examinations include an assessment of how a financial institution manages the risks presented by its relationships with third parties. The FDIC reviews a financial institution’s management of significant third-party relationships in the context of the normal supervisory process. The FDIC examines the quality and effectiveness of an institution’s risk management program as it pertains to the safety and soundness and consumer 1 The FDIC also promotes stability and public confidence in the nation’s financial system by insuring deposits and resolving failed insured depository institutions, leading sound policy development, evaluating resolution plans of the largest of institutions, and monitoring and mitigating systemic risks in the banking sector and financial system as a whole. 2 The FDIC also has a back-up supervision and examination role with respect to approximately 2,000 insured depository institutions (pursuant to sections 8 and 10 of the Federal Deposit Insurance Act, 12 U.S.C. 1818, 1820) for which the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System are the primary Federal regulators. E:\FR\FM\24JYN1.SGM 24JYN1 Federal Register / Vol. 85, No. 143 / Friday, July 24, 2020 / Notices jbell on DSKJLSW7X2PROD with NOTICES protection aspects of third-party arrangements. The FDIC also examines a financial institution to ensure that the products, services, and activities supported by a third party are safe and sound and comply with applicable laws and regulations, including those concerning consumer protection and civil rights. Reviews of third-party arrangements are also a critical area included in examinations of the trust and information technology functions. Financial institutions often establish relationships with third parties to provide certain functions that financial institutions do not perform or to meet short-term needs that they are unable to fulfill. Therefore, financial institutions rely on third-party relationships for many different aspects of their operations, including credit management, operational risk management, valuation, and stress testing. Management is responsible for identifying and controlling risks from activities conducted by or through its financial institution, whether these risks arise from internal business activities or through arrangements with a third party.3 These risks include those that arise from reliance on models, technologies, and other products or services provided by third parties. Model guidelines 4 describe risk management principles relating to financial institutions employing models, which are described as quantitative methods, systems, or approaches that apply statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.5 In general, model risk management should be commensurate with the financial institution’s overall use of models, the complexity and materiality of its models, and the size and complexity of the financial institution’s operations. Financial institutions also should be mindful of consumer protection risks when using third-party models or 3 Section 39 of the Federal Deposit Insurance Act requires the Federal Deposit Insurance Corporation to establish safety and soundness standards. 12 U.S.C. 1831p–1. These standards are set forth in part 364 of the FDIC Rules and Regulations. 12 CFR part 364. 4 See, e.g., Supervisory Guidance on Model Risk Management, FIL–22–2017 (June 7, 2017), Guidance for Managing Third-Party Risk, FIL–44–2008 (June 6, 2008), Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR part 364, appendix A, and Interagency Guidelines Establishing Information Security Standards, 12 CFR part 364, appendix B. 5 For example, financial institutions entering into a relationship with a third party to employ these models would also need to comply with section 5 of the Federal Trade Commission Act (15 U.S.C. 45) and ensure that lending practices that are not discriminatory in violation of the Equal Credit Opportunity Act (15 U.S.C. 1691–1691f). VerDate Sep<11>2014 20:45 Jul 23, 2020 Jkt 250001 technologies, to ensure they are developed and operated in compliance with applicable consumer protection laws and regulations, which may include, for example, fair lending laws, privacy laws, and prohibitions against unfair, deceptive, or abusive acts or practices.6 As the financial services industry evolves, more financial institutions are using third-party models and technologies for functions that either are new or had been performed in-house in the past. The FDIC recognizes that the use of such models and technologies can assist the financial institution in providing greater benefits to consumers and increasing financial inclusion. The use of third-party models and technologies may also give the financial institution access to greater expertise or efficiency in providing a particular product or service at lower cost. Many financial institutions, particularly community banks, have indicated to the FDIC that sometimes the costs and other resources associated with deploying models or technologies from third parties can be prohibitive. Vendors offer increasingly complex models with a range of features, and as a result, institutions may find it challenging to validate and assess such models. For example, an institution might conclude that it must hire new internal staff, retain consultants, or impose contractual obligations on the third party in order to conduct the model validation. In addition, for thirdparty outsourcing arrangements that support models, institutions conduct risk reviews on third-party providers. These risk reviews involve financial, operations, contract, and insurance assessments, along with assessment of other aspects of the outsourcing arrangements. Representatives of financial institutions have expressed concerns to the FDIC that the costs associated with the financial institutions’ review of both models and third-party providers of models can create barriers to entry, particularly in the community banking market, by limiting the institutions’ ability to effectively and timely on-board third parties and deploy new and innovative models. The FDIC recognizes the important role that technological innovations can 6 See, e.g., Equal Credit Opportunity Act, 15 U.S.C. 1691–1691f; Fair Credit Reporting Act, 15 U.S.C. 1681–1681x; Interagency Statement on the Use of Alternative Data in Credit Underwriting, FIL–82–2019 (Dec. 13, 2019); Interagency Fair Lending Examination Procedures (Aug. 2009); Policy Statement on Discrimination in Lending, FR Doc. No. 94–9214 (Apr. 15, 1994); Dodd-Frank Act, Title X, Subtitle C, Sec. 1036; Pub. L. 111–203 (July 21, 2010). PO 00000 Frm 00044 Fmt 4703 Sfmt 4703 44891 play in transforming the business of banking and enabling regulators to supervise more efficiently, thereby reducing regulatory burden while maintaining consumer protection and safety and soundness standards. Therefore, the FDIC is exploring opportunities to assist financial institutions in effectively complying with laws and regulations regarding management of third-party risks concerning the use of models, such as credit underwriting models. Among other things, the FDIC is considering the value of standards for assessing models. The development of relevant standards, along with the development and application of a voluntary certification process to ensure that models conform to those standards, could potentially allow for more financial institutions— particularly community banks—to engage with third parties, including fintechs; permit FDIC supervision resources to be used more efficiently and effectively; and reduce costs of doing business for financial institutions and providers of models. The FDIC also is considering whether a voluntary certification or assessment program could support financial institutions’ due diligence of third-party providers of a range of technology and other services by certifying or assessing certain aspects of the third-party providers’ operations or condition. The FDIC is interested in whether there are unique elements and challenges associated with financial institutions’ due diligence of third-party providers of technology and other services that would benefit from a voluntary certification or assessment program applicable to such providers. The FDIC is primarily interested in due diligence elements associated with third-party providers of technology and other services that support a financial institution’s financial and banking activities, such as deposit, lending, and payment functions. The FDIC also is interested in comments regarding due diligence for other types of third-party providers, such as those providers that support the financial institution’s corporate activities, including payroll and human resources. The FDIC also requests comments on what alternative steps the FDIC could pursue, other than a voluntary certification or assessment program, to support financial institutions’ efforts to assess risk efficiently and effectively when contemplating new or monitoring existing relationships with third-party providers. As part of this Request for Information, the FDIC is not considering substantive revisions to its existing E:\FR\FM\24JYN1.SGM 24JYN1 44892 Federal Register / Vol. 85, No. 143 / Friday, July 24, 2020 / Notices supervisory guidance with respect to model risk management or third-party provider risk management. However, the FDIC seeks comment on the possible changes to its supervisory guidance that would be appropriate to facilitate financial institutions’ use of a voluntary certification or assessment program for conducting due diligence and ongoing monitoring of third-party providers of technology and other services, or for reviewing models or other technologies. jbell on DSKJLSW7X2PROD with NOTICES Standard-Setting and Certification Programs Government and the private sector have worked together for more than a century to develop standards for use in private industry. The Federal Government has encouraged using standards developed by voluntary, consensus standard-setting bodies.7 The typical standard-setting process involves a standard-setting organization (SSO) working with stakeholders, including government agencies, to develop a standard for a particular industry or sector of the economy. The standard is established on a voluntary, consensus-driven basis and provides guidelines for engaging in a particular process or for offering a particular service or product. Categories of common standards include productbased standards, performance-based standards, management system standards, personnel certification standards, and construction standards. Once a standard is developed, application of a conformity assessment process provides assurance that processes, products, or services meet the requirements identified in the standard. This step is vital because creating a standard alone cannot promote (for voluntary standards) or guarantee (for mandatory standards) adherence to the standard. The conformity assessment can verify that processes, products, or services meet the specified level of quality, safety, or performance. Depending on the risks of nonconformance and the confidence level necessary, there are several ways to assess whether processes, products, or services meet a standard, from an entity’s self-declaration to third-party certification, validation, verification or auditing. Accreditation by an independent body of organizations that perform conformity assessment activities provides formal recognition 7 See, e.g., National Technology Transfer and Advancement Act of 1995, Public Law 104–113, section 12(d) (Mar. 7, 1996); OMB Circular No. A– 119 Revised, ‘‘Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities’’ (Feb. 10, 1998). VerDate Sep<11>2014 20:45 Jul 23, 2020 Jkt 250001 that the organization is competent, capable and impartial. In many ways, the assessment process is as important as setting the standard itself. The standard-setting system in the United States is based on globally accepted principles for standards development including transparency, openness, impartiality, effectiveness, and consensus. The standard-setting process assures that: • Information regarding standardization activities is accessible to all interested parties; • participation is open to all stakeholders; • all interests are balanced; • standards respond to regulatory and market needs; and • decisions are reached through consensus among those affected. SSOs also strive to make standards as flexible as possible, allowing for the use of different methodologies to meet the needs of different stakeholders. Good faith efforts are made to eliminate, or at least minimize, conflict with other existing standards or rules. SSOs often partner with government entities, academia, and industry to identify proposed solutions and work together toward a common goal. SSOs also involve consumers in the process so their needs are considered and addressed. This process results in standards that often balance regulatory and market needs, facilitate innovation, promote consumer protection, and strengthen competition. In applying this standard-setting framework to models and third-party providers of technology and other services, financial institutions would have the ability to rely on certifications related to the third-party provider or certified models or other technology products and services. Financial institutions would not be required to use only certified third parties, models, or technologies. Instead, financial institutions would retain the flexibility to require certified third parties to meet different requirements that the financial institutions viewed as appropriate. For example, financial institutions would retain the right to request that certified third parties submit additional information for purposes of on-boarding at that financial institution consistent with the financial institution’s unique use of the model or service, and consistent with applicable law and regulation. Request for Comment Given rapid technological developments and evolving consumer behaviors in banking, the FDIC seeks to learn more regarding the benefits and PO 00000 Frm 00045 Fmt 4703 Sfmt 4703 challenges of collaborating with an SSO and other stakeholders to create a standard-setting and a voluntary certification process. This certification process would potentially assist financial institutions in completing assessments or due diligence of: (1) Certain models, such as credit underwriting models, by certifying or assessing certain aspects of the models; and (2) third-party providers of technology and other services, by certifying or assessing certain aspects of the providers’ operations or condition. The FDIC is interested in comments regarding initial due diligence and ongoing monitoring elements associated with third-party providers of technology and other services that support the financial institution’s financial and banking activities, such as deposit, lending, and payment functions. The FDIC also is interested in comments regarding due diligence for other types of providers, such as third-party providers that support the financial institution’s corporate activities, such as payroll and human resources. Consistent with the collaborative approach to standard setting that government and the private sector have long taken, the FDIC envisions a collaboration among an SSO, the FDIC, and other stakeholders to set standards under an SSO, along with a voluntary conformity assessment process through accredited, independent certification organizations. The certification organizations would conduct conformity assessments of third-party providers that voluntarily submit required information regarding their products, services, models, or organization, with the task of determining conformance with the established standards. The FDIC is issuing this RFI to seek public input regarding all aspects of establishing an SSO, qualifying certification organizations, and implementing a voluntary conformity assessment process. The FDIC also is considering, and seeking comment on, whether and how the FDIC’s supervisory and examination efforts would need to be modified to facilitate a financial institution’s use of a certified model or a certified third party of outsourced technology services. The FDIC encourages comments from all interested parties, including but not limited to insured banks and savings associations, technology companies and fintechs, other third-party vendors and service providers, other financial institutions or companies, depositors and consumers, consumer groups, researchers, innovators, technologists, trade associations, and other members E:\FR\FM\24JYN1.SGM 24JYN1 Federal Register / Vol. 85, No. 143 / Friday, July 24, 2020 / Notices jbell on DSKJLSW7X2PROD with NOTICES of the financial services industry. The FDIC also encourages comments from standard-setters and participants in other industries using standardization and certification processes, whether voluntary or mandatory. The FDIC invites public comment on all aspects of the RFI, including the following questions. General Question 1: Are there currently operational, economic, marketplace, technological, regulatory, supervisory, or other factors that inhibit the adoption of technological innovations, or onboarding of third parties that provide technology and other services, by insured depository institutions (IDIs), particularly by community banks? Question 2: What are the advantages and disadvantages of establishing standard-setting and voluntary certification processes for either models or third-party providers? Question 3: What are the advantages and disadvantages to providers of models of participating in the standardsetting and voluntary certification process? What are the advantages and disadvantages to providers of technology and other services that support the IDI’s financial and banking activities of participating in the standard-setting and voluntary certification process? Question 4: What are the advantages and disadvantages to an IDI, particularly a community bank, of participating in the standard-setting and voluntary certification process? Question 5: Are there specific challenges related to an IDI’s relationships with third-party providers of models or providers of technology and other services that could be addressed through standard-setting and voluntary certification processes for such third parties? (1) Are there specific challenges related to due diligence and ongoing monitoring of such third-party providers? (2) Are there specific challenges related to the review and validation of models provided by such third parties? (3) Are there specific challenges related to information sharing or data protection? Questions 6: Would a voluntary certification process for certain model technologies or third-party providers of technology and other services meaningfully reduce the cost of due diligence and on-boarding for: (1) The certified third-party provider? (2) the certified technology? (3) potential IDI technology users, particularly community banks? VerDate Sep<11>2014 20:45 Jul 23, 2020 Jkt 250001 Question 7: What are the challenges, costs, and benefits of a voluntary certification program or other standardized approach to due diligence for third-party providers of technology and other services? How should the costs of operating the SSO and any associated COs be allocated (e.g., member fees for SSO participation, certification fees)? Question 8: Would a voluntary certification process undermine innovation by effectively limiting an IDI’s discretion regarding models or third-party providers of technology and other services, even if the use of certified third parties or models was not required? Would IDIs feel constrained to enter into relationships for the provision of models or services with only those third parties that are certified, even if the IDIs retained the flexibility to use third parties or models that were not certified? Question 9: What supervisory changes in the process of examining IDIs for safety and soundness or consumer protection would be necessary to encourage or facilitate the development of a certification program for models or third-party providers and an IDI’s use of such a program? Are there alternative approaches that would encourage or facilitate IDIs to use such programs? Question 10: What other supervisory, regulatory, or outreach efforts could the FDIC undertake to support the financial services industry’s development and usage of a standardized approach to the assessment of models or the due diligence of third-party providers of technology and other services? Scope Question 11: For which types of models, if any, should standards be established and a voluntary certification process be developed? For example, is the greatest interest or need with respect to: (1) Traditional quantitative models? (2) anti-money laundering (AML) transaction monitoring models? (3) customer service models? (4) business development models? (5) underwriting models? (6) fraud models? (7) other models? Question 12: Which technical and operational aspects of a model would be most appropriate for evaluation in a voluntary certification program? Question 13: What are the potential challenges or benefits to a voluntary certification program with respect to models that rely on artificial intelligence, machine learning, or big data processing? PO 00000 Frm 00046 Fmt 4703 Sfmt 4703 44893 Question 14: How can the FDIC identify those types of technology or other services, or those aspects of the third-party provider’s condition, that are best suited for a voluntary certification program or other standardized approach to due diligence? For example, should such a certification program include an assessment of financial condition, cyber security, operational resilience, or some other aspect of a third-party provider? SSO Question 15: If the FDIC partnered with an SSO to set standards for due diligence and assessments of models or third-party providers of technology and other services, what considerations should be made in choosing the SSO? What benefits or challenges would the introduction of an SSO into the standard-setting process provide to IDIs, third-party providers, or consumers? Question 16: To what extent would a standards-based approach for models or third-party providers of technology and other services be effective in an environment with rapidly developing technology systems, products, and platforms, especially given the potential need to reassess and reevaluate such systems, products, and platforms as technologies or circumstances change? Question 17: What current or draft industry standards or frameworks could serve as a basis for a standard-setting and voluntary certification program? What are the advantages and disadvantages of such standards or frameworks? Do standards and voluntary certifications already exist for use as described herein? Question 18: Given that adherence to SSO standards would be voluntary for third parties and for IDIs, what is the likelihood that third-party providers of models or services would acknowledge, support, and cooperate with an SSO in developing the standards necessary for the program? What challenges would hinder participation in that process? What method or approaches could be used to address those challenges? Question 19: What is the best way to structure an SSO (e.g., board, management, membership)? Alternatively, are there currently established SSOs with the expertise to set standards for models and third parties as described herein? Question 20: To what extent should the FDIC and other Federal/state regulators play a role, if any, in an SSO? Should the FDIC and other Federal/state regulators provide recommendations to an SSO? Should the FDIC and other Federal/state regulators provide oversight of an SSO, or should another entity provide such oversight? E:\FR\FM\24JYN1.SGM 24JYN1 jbell on DSKJLSW7X2PROD with NOTICES 44894 Federal Register / Vol. 85, No. 143 / Friday, July 24, 2020 / Notices Certification Organizations (COs) Question 21: What benefits and risks would COs provide to IDIs, third parties, and consumers? Question 22: To what extent would COs be effective in assessing compliance with applicable standards in an environment with rapidly developing technology systems, products, and platforms, especially given the potential need to reassess and reevaluate such systems, products, and platforms as technologies or circumstances change? Question 23: For model validation and testing, would COs evaluate a model based solely on reports, testing results, and other data provided by the third-party provider of the model? Or would the COs need to test the model and generate their own test results? What steps would the COs need to take to protect the intellectual property or other sensitive business data of the third party that has submitted its model to the validation process? Question 24: If COs receives derogatory information indicating that a certified third party or certified model or technology no longer meets applicable standards, should the COs develop a process for withdrawing a certification or reassessing the certification? (1) If so, what appeal rights should be available to the affected third party? (2) What notification requirements should COs have for financial institutions that have relied on a certification that was subsequently withdrawn? (3) Should the FDIC or Federal/state regulators enter information sharing agreements with COs to ensure that any derogatory information related to a certified third party or certified model or technology is appropriately shared with the COs? Question 25: Are there legal impediments, including issues related to liability or indemnification, to the implementation of a voluntary certification program that the FDIC, other Federal/state regulators, thirdparty providers, and IDIs should consider? Question 26: To what extent should the FDIC and other Federal/state regulators play a role, if any, in the identification and oversight of COs, including assessments of ongoing operations? Should the FDIC and other Federal/state regulators provide oversight of COs, or should another entity, such as an SSO, provide such oversight? Federal Deposit Insurance Corporation. VerDate Sep<11>2014 20:45 Jul 23, 2020 Jkt 250001 Dated at Washington, DC, on July 21, 2020. James P. Sheesley, Acting Assistant Executive Secretary. Authority: Section 494 of the Energy Independence and Security Act of 2007 (EISA, 42 U.S.C. 17123). [FR Doc. 2020–16058 Filed 7–23–20; 8:45 am] Kevin Kampschroer, Federal Director, Office of Federal HighPerformance Buildings, General Services Administration. BILLING CODE 6714–01–P [FR Doc. 2020–16067 Filed 7–23–20; 8:45 am] GENERAL SERVICES ADMINISTRATION BILLING CODE 6820–14–P [Notice–MG–2020–04; Docket No. 2020– 0002; Sequence No. 24] DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of Federal High-Performance Buildings; Green Building Advisory Committee; Updated Notification Extending Conference Calls Agency for Healthcare Research and Quality Office of Government-Wide Policy, General Services Administration (GSA). AGENCY: Updated notice extending biweekly conference calls. ACTION: The General Services Administration (GSA) Office of Federal High-Performance Buildings within the Office of Government-wide Policy is announcing an amendment to notice Notice–MG–2020–02, dated January 15, 2020. The recurring, biweekly conference calls of the Green Building Advisory Committee’s Embodied Energy Task Group will now be extended to last through November 18, 2020. SUMMARY: The recurring, biweekly conference calls of the Green Building Advisory Committee’s Embodied Energy Task Group will continue on Wednesdays from 1:00 p.m. to 2:00 p.m., ET through November 18, 2020. DATES: Mr. Michael Bloom, Office of Federal HighPerformance Buildings, Office of Government-wide Policy, General Services Administration, 1800 F Street NW, (Mail-code: MG), Washington, DC 20405, at 312–805–6799 or at michael.bloom@gsa.gov. Additional information about the Committee is available on-line at http://www.gsa.gov/ gbac. FOR FURTHER INFORMATION CONTACT: NoticeMG–2020–02, published at 85 FR 2425 (January 15, 2020). SUPPLEMENTARY INFORMATION: Procedures for Attendance Contact Mr. Michael Bloom at michael.bloom@gsa.gov to register to attend the remaining conference calls. To attend, submit your full name, organization, email address, and phone number. Requests to attend must be received by 5:00 p.m., ET, on August 3, 2020. PO 00000 Frm 00047 Fmt 4703 Sfmt 4703 Notice of Meeting Agency for Healthcare Research and Quality, HHS. ACTION: Notice. AGENCY: The Agency for Healthcare Research and Quality (AHRQ) announces a Special Emphasis Panel (SEP) meeting on ‘‘COVID–19 REVISION SUPPLEMENT APPLICATION ZHS1 HSR–0 (03) HEALTHCARE SYSTEMS & VALUE RESEARCH (HSVR).’’ This SEP meeting will be closed to the public. DATES: August 7, 2020. ADDRESSES: Agency for Healthcare Research and Quality, (Video Assisted Review), 5600 Fishers Lane, Rockville, Maryland 20850. FOR FURTHER INFORMATION CONTACT: Jenny Griffith, Committee Management Officer, Office of Extramural Research, Education and Priority Populations, Agency for Healthcare Research and Quality, (AHRQ), 5600 Fishers Lane, Rockville, Maryland 20850, Telephone: (301) 427–1557. SUPPLEMENTARY INFORMATION: A Special Emphasis Panel is a group of experts in fields related to health care research who are invited by the AHRQ, and agree to be available, to conduct on an as needed basis, scientific reviews of applications for AHRQ support. Individual members of the Panel do not attend regularly-scheduled meetings and do not serve for fixed terms or a long period of time. Rather, they are asked to participate in particular review meetings which require their type of expertise. The SEP meeting referenced above will be closed to the public in accordance with the provisions set forth in 5 U.S.C. App. 2, section 10(d), 5 U.S.C. 552b(c)(4), and 5 U.S.C. 552b(c)(6). Grant applications for the ‘‘COVID–19 REVISION SUPPLEMENT APPLICATION ZHS1 HSR–0 (03) HEALTHCARE SYSTEMS & VALUE SUMMARY: E:\FR\FM\24JYN1.SGM 24JYN1

Agencies

[Federal Register Volume 85, Number 143 (Friday, July 24, 2020)]
[Notices]
[Pages 44890-44894]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-16058]


=======================================================================
-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION

RIN 3064-ZA18


Request for Information on Standard Setting and Voluntary 
Certification for Models and Third-Party Providers of Technology and 
Other Services

AGENCY: Federal Deposit Insurance Corporation (FDIC).

ACTION: Notice and request for information.

-----------------------------------------------------------------------

SUMMARY: The FDIC is issuing this request for information (RFI) as part 
of its FDiTech initiative to promote the efficient and effective 
adoption of technology at FDIC-supervised banks and savings 
associations (financial institutions), particularly at community banks, 
and to facilitate the supervision of technology usage at these 
institutions without increasing costs or regulatory burden. The FDIC is 
committed to increasing transparency, improving supervisory and 
regulatory efficiency, supporting innovation in banking, and providing 
opportunities for public feedback. This RFI seeks input on whether a 
standard-setting and voluntary-certification program could be 
established to support financial institutions' efforts to implement 
models and manage model risk by certifying or assessing certain aspects 
of the models themselves, and to conduct due diligence of third-party 
providers of technology and other services by certifying or assessing 
certain aspects of the third-party providers' operations or condition. 
The FDIC is especially interested in information on models and 
technology services developed and provided by financial technology 
companies, sometimes referred to as ``fintechs.''

DATES: Comments must be received by September 22, 2020.

ADDRESSES: You may submit comments, identified by RIN 3064-ZA18, by any 
of the following methods:
     Agency Website: https://www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the agency 
website.
     Email: [email protected]. Include RIN 3064-ZA18 in the 
subject line of the message.
     Mail: Robert E. Feldman, Executive Secretary, Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street NW, 
Washington, DC 20429.
     Hand Delivery/Courier: Comments may be hand-delivered to 
the guard station at the rear of the 550 17th Street NW building 
(located on F Street) on business days between 7:00 a.m. and 5:00 p.m.
    All comments received must include the agency name and RIN 3064-
ZA18.
    Public Inspection: All comments received will be posted without 
change to https://www.fdic.gov/regulations/laws/federal/--including any 
personal information provided--for public inspection. Paper copies of 
public comments may be ordered from the FDIC Public Information Center, 
3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226 by telephone 
at (877) 275-3342 or (703) 562-2200.

FOR FURTHER INFORMATION CONTACT: Alexander LePore, Jr., Senior Policy 
Analyst, (202) 898-7203, [email protected].

SUPPLEMENTARY INFORMATION: The FDIC is an independent Federal agency 
with a mission of maintaining stability and public confidence in the 
nation's financial system, in part by examining and supervising certain 
financial institutions, including for safety and soundness and consumer 
protection.\1\ The FDIC is the primary Federal banking supervisor for 
more than 3,000 state-chartered banks and savings associations that are 
not members of the Federal Reserve System, and it conducts regular 
examinations of these supervised institutions.\2\ Examinations include 
an assessment of how a financial institution manages the risks 
presented by its relationships with third parties.
---------------------------------------------------------------------------

    \1\ The FDIC also promotes stability and public confidence in 
the nation's financial system by insuring deposits and resolving 
failed insured depository institutions, leading sound policy 
development, evaluating resolution plans of the largest of 
institutions, and monitoring and mitigating systemic risks in the 
banking sector and financial system as a whole.
    \2\ The FDIC also has a back-up supervision and examination role 
with respect to approximately 2,000 insured depository institutions 
(pursuant to sections 8 and 10 of the Federal Deposit Insurance Act, 
12 U.S.C. 1818, 1820) for which the Office of the Comptroller of the 
Currency and the Board of Governors of the Federal Reserve System 
are the primary Federal regulators.
---------------------------------------------------------------------------

    The FDIC reviews a financial institution's management of 
significant third-party relationships in the context of the normal 
supervisory process. The FDIC examines the quality and effectiveness of 
an institution's risk management program as it pertains to the safety 
and soundness and consumer

[[Page 44891]]

protection aspects of third-party arrangements. The FDIC also examines 
a financial institution to ensure that the products, services, and 
activities supported by a third party are safe and sound and comply 
with applicable laws and regulations, including those concerning 
consumer protection and civil rights. Reviews of third-party 
arrangements are also a critical area included in examinations of the 
trust and information technology functions.
    Financial institutions often establish relationships with third 
parties to provide certain functions that financial institutions do not 
perform or to meet short-term needs that they are unable to fulfill. 
Therefore, financial institutions rely on third-party relationships for 
many different aspects of their operations, including credit 
management, operational risk management, valuation, and stress testing. 
Management is responsible for identifying and controlling risks from 
activities conducted by or through its financial institution, whether 
these risks arise from internal business activities or through 
arrangements with a third party.\3\ These risks include those that 
arise from reliance on models, technologies, and other products or 
services provided by third parties. Model guidelines \4\ describe risk 
management principles relating to financial institutions employing 
models, which are described as quantitative methods, systems, or 
approaches that apply statistical, economic, financial, or mathematical 
theories, techniques, and assumptions to process input data into 
quantitative estimates.\5\ In general, model risk management should be 
commensurate with the financial institution's overall use of models, 
the complexity and materiality of its models, and the size and 
complexity of the financial institution's operations. Financial 
institutions also should be mindful of consumer protection risks when 
using third-party models or technologies, to ensure they are developed 
and operated in compliance with applicable consumer protection laws and 
regulations, which may include, for example, fair lending laws, privacy 
laws, and prohibitions against unfair, deceptive, or abusive acts or 
practices.\6\
---------------------------------------------------------------------------

    \3\ Section 39 of the Federal Deposit Insurance Act requires the 
Federal Deposit Insurance Corporation to establish safety and 
soundness standards. 12 U.S.C. 1831p-1. These standards are set 
forth in part 364 of the FDIC Rules and Regulations. 12 CFR part 
364.
    \4\ See, e.g., Supervisory Guidance on Model Risk Management, 
FIL-22-2017 (June 7, 2017), Guidance for Managing Third-Party Risk, 
FIL-44-2008 (June 6, 2008), Interagency Guidelines Establishing 
Standards for Safety and Soundness, 12 CFR part 364, appendix A, and 
Interagency Guidelines Establishing Information Security Standards, 
12 CFR part 364, appendix B.
    \5\ For example, financial institutions entering into a 
relationship with a third party to employ these models would also 
need to comply with section 5 of the Federal Trade Commission Act 
(15 U.S.C. 45) and ensure that lending practices that are not 
discriminatory in violation of the Equal Credit Opportunity Act (15 
U.S.C. 1691-1691f).
    \6\ See, e.g., Equal Credit Opportunity Act, 15 U.S.C. 1691-
1691f; Fair Credit Reporting Act, 15 U.S.C. 1681-1681x; Interagency 
Statement on the Use of Alternative Data in Credit Underwriting, 
FIL-82-2019 (Dec. 13, 2019); Interagency Fair Lending Examination 
Procedures (Aug. 2009); Policy Statement on Discrimination in 
Lending, FR Doc. No. 94-9214 (Apr. 15, 1994); Dodd-Frank Act, Title 
X, Subtitle C, Sec. 1036; Pub. L. 111-203 (July 21, 2010).
---------------------------------------------------------------------------

    As the financial services industry evolves, more financial 
institutions are using third-party models and technologies for 
functions that either are new or had been performed in-house in the 
past. The FDIC recognizes that the use of such models and technologies 
can assist the financial institution in providing greater benefits to 
consumers and increasing financial inclusion. The use of third-party 
models and technologies may also give the financial institution access 
to greater expertise or efficiency in providing a particular product or 
service at lower cost.
    Many financial institutions, particularly community banks, have 
indicated to the FDIC that sometimes the costs and other resources 
associated with deploying models or technologies from third parties can 
be prohibitive. Vendors offer increasingly complex models with a range 
of features, and as a result, institutions may find it challenging to 
validate and assess such models. For example, an institution might 
conclude that it must hire new internal staff, retain consultants, or 
impose contractual obligations on the third party in order to conduct 
the model validation. In addition, for third-party outsourcing 
arrangements that support models, institutions conduct risk reviews on 
third-party providers. These risk reviews involve financial, 
operations, contract, and insurance assessments, along with assessment 
of other aspects of the outsourcing arrangements. Representatives of 
financial institutions have expressed concerns to the FDIC that the 
costs associated with the financial institutions' review of both models 
and third-party providers of models can create barriers to entry, 
particularly in the community banking market, by limiting the 
institutions' ability to effectively and timely on-board third parties 
and deploy new and innovative models.
    The FDIC recognizes the important role that technological 
innovations can play in transforming the business of banking and 
enabling regulators to supervise more efficiently, thereby reducing 
regulatory burden while maintaining consumer protection and safety and 
soundness standards. Therefore, the FDIC is exploring opportunities to 
assist financial institutions in effectively complying with laws and 
regulations regarding management of third-party risks concerning the 
use of models, such as credit underwriting models. Among other things, 
the FDIC is considering the value of standards for assessing models. 
The development of relevant standards, along with the development and 
application of a voluntary certification process to ensure that models 
conform to those standards, could potentially allow for more financial 
institutions--particularly community banks--to engage with third 
parties, including fintechs; permit FDIC supervision resources to be 
used more efficiently and effectively; and reduce costs of doing 
business for financial institutions and providers of models.
    The FDIC also is considering whether a voluntary certification or 
assessment program could support financial institutions' due diligence 
of third-party providers of a range of technology and other services by 
certifying or assessing certain aspects of the third-party providers' 
operations or condition. The FDIC is interested in whether there are 
unique elements and challenges associated with financial institutions' 
due diligence of third-party providers of technology and other services 
that would benefit from a voluntary certification or assessment program 
applicable to such providers. The FDIC is primarily interested in due 
diligence elements associated with third-party providers of technology 
and other services that support a financial institution's financial and 
banking activities, such as deposit, lending, and payment functions. 
The FDIC also is interested in comments regarding due diligence for 
other types of third-party providers, such as those providers that 
support the financial institution's corporate activities, including 
payroll and human resources. The FDIC also requests comments on what 
alternative steps the FDIC could pursue, other than a voluntary 
certification or assessment program, to support financial institutions' 
efforts to assess risk efficiently and effectively when contemplating 
new or monitoring existing relationships with third-party providers.
    As part of this Request for Information, the FDIC is not 
considering substantive revisions to its existing

[[Page 44892]]

supervisory guidance with respect to model risk management or third-
party provider risk management. However, the FDIC seeks comment on the 
possible changes to its supervisory guidance that would be appropriate 
to facilitate financial institutions' use of a voluntary certification 
or assessment program for conducting due diligence and ongoing 
monitoring of third-party providers of technology and other services, 
or for reviewing models or other technologies.

Standard-Setting and Certification Programs

    Government and the private sector have worked together for more 
than a century to develop standards for use in private industry. The 
Federal Government has encouraged using standards developed by 
voluntary, consensus standard-setting bodies.\7\ The typical standard-
setting process involves a standard-setting organization (SSO) working 
with stakeholders, including government agencies, to develop a standard 
for a particular industry or sector of the economy. The standard is 
established on a voluntary, consensus-driven basis and provides 
guidelines for engaging in a particular process or for offering a 
particular service or product. Categories of common standards include 
product-based standards, performance-based standards, management system 
standards, personnel certification standards, and construction 
standards.
---------------------------------------------------------------------------

    \7\ See, e.g., National Technology Transfer and Advancement Act 
of 1995, Public Law 104-113, section 12(d) (Mar. 7, 1996); OMB 
Circular No. A-119 Revised, ``Federal Participation in the 
Development and Use of Voluntary Consensus Standards and in 
Conformity Assessment Activities'' (Feb. 10, 1998).
---------------------------------------------------------------------------

    Once a standard is developed, application of a conformity 
assessment process provides assurance that processes, products, or 
services meet the requirements identified in the standard. This step is 
vital because creating a standard alone cannot promote (for voluntary 
standards) or guarantee (for mandatory standards) adherence to the 
standard. The conformity assessment can verify that processes, 
products, or services meet the specified level of quality, safety, or 
performance. Depending on the risks of nonconformance and the 
confidence level necessary, there are several ways to assess whether 
processes, products, or services meet a standard, from an entity's 
self-declaration to third-party certification, validation, verification 
or auditing. Accreditation by an independent body of organizations that 
perform conformity assessment activities provides formal recognition 
that the organization is competent, capable and impartial. In many 
ways, the assessment process is as important as setting the standard 
itself.
    The standard-setting system in the United States is based on 
globally accepted principles for standards development including 
transparency, openness, impartiality, effectiveness, and consensus. The 
standard-setting process assures that:
     Information regarding standardization activities is 
accessible to all interested parties;
     participation is open to all stakeholders;
     all interests are balanced;
     standards respond to regulatory and market needs; and
     decisions are reached through consensus among those 
affected.
    SSOs also strive to make standards as flexible as possible, 
allowing for the use of different methodologies to meet the needs of 
different stakeholders. Good faith efforts are made to eliminate, or at 
least minimize, conflict with other existing standards or rules.
    SSOs often partner with government entities, academia, and industry 
to identify proposed solutions and work together toward a common goal. 
SSOs also involve consumers in the process so their needs are 
considered and addressed. This process results in standards that often 
balance regulatory and market needs, facilitate innovation, promote 
consumer protection, and strengthen competition.
    In applying this standard-setting framework to models and third-
party providers of technology and other services, financial 
institutions would have the ability to rely on certifications related 
to the third-party provider or certified models or other technology 
products and services. Financial institutions would not be required to 
use only certified third parties, models, or technologies. Instead, 
financial institutions would retain the flexibility to require 
certified third parties to meet different requirements that the 
financial institutions viewed as appropriate. For example, financial 
institutions would retain the right to request that certified third 
parties submit additional information for purposes of on-boarding at 
that financial institution consistent with the financial institution's 
unique use of the model or service, and consistent with applicable law 
and regulation.

Request for Comment

    Given rapid technological developments and evolving consumer 
behaviors in banking, the FDIC seeks to learn more regarding the 
benefits and challenges of collaborating with an SSO and other 
stakeholders to create a standard-setting and a voluntary certification 
process. This certification process would potentially assist financial 
institutions in completing assessments or due diligence of: (1) Certain 
models, such as credit underwriting models, by certifying or assessing 
certain aspects of the models; and (2) third-party providers of 
technology and other services, by certifying or assessing certain 
aspects of the providers' operations or condition. The FDIC is 
interested in comments regarding initial due diligence and ongoing 
monitoring elements associated with third-party providers of technology 
and other services that support the financial institution's financial 
and banking activities, such as deposit, lending, and payment 
functions. The FDIC also is interested in comments regarding due 
diligence for other types of providers, such as third-party providers 
that support the financial institution's corporate activities, such as 
payroll and human resources.
    Consistent with the collaborative approach to standard setting that 
government and the private sector have long taken, the FDIC envisions a 
collaboration among an SSO, the FDIC, and other stakeholders to set 
standards under an SSO, along with a voluntary conformity assessment 
process through accredited, independent certification organizations. 
The certification organizations would conduct conformity assessments of 
third-party providers that voluntarily submit required information 
regarding their products, services, models, or organization, with the 
task of determining conformance with the established standards. The 
FDIC is issuing this RFI to seek public input regarding all aspects of 
establishing an SSO, qualifying certification organizations, and 
implementing a voluntary conformity assessment process.
    The FDIC also is considering, and seeking comment on, whether and 
how the FDIC's supervisory and examination efforts would need to be 
modified to facilitate a financial institution's use of a certified 
model or a certified third party of outsourced technology services.
    The FDIC encourages comments from all interested parties, including 
but not limited to insured banks and savings associations, technology 
companies and fintechs, other third-party vendors and service 
providers, other financial institutions or companies, depositors and 
consumers, consumer groups, researchers, innovators, technologists, 
trade associations, and other members

[[Page 44893]]

of the financial services industry. The FDIC also encourages comments 
from standard-setters and participants in other industries using 
standardization and certification processes, whether voluntary or 
mandatory.
    The FDIC invites public comment on all aspects of the RFI, 
including the following questions.

General

    Question 1: Are there currently operational, economic, marketplace, 
technological, regulatory, supervisory, or other factors that inhibit 
the adoption of technological innovations, or on-boarding of third 
parties that provide technology and other services, by insured 
depository institutions (IDIs), particularly by community banks?
    Question 2: What are the advantages and disadvantages of 
establishing standard-setting and voluntary certification processes for 
either models or third-party providers?
    Question 3: What are the advantages and disadvantages to providers 
of models of participating in the standard-setting and voluntary 
certification process? What are the advantages and disadvantages to 
providers of technology and other services that support the IDI's 
financial and banking activities of participating in the standard-
setting and voluntary certification process?
    Question 4: What are the advantages and disadvantages to an IDI, 
particularly a community bank, of participating in the standard-setting 
and voluntary certification process?
    Question 5: Are there specific challenges related to an IDI's 
relationships with third-party providers of models or providers of 
technology and other services that could be addressed through standard-
setting and voluntary certification processes for such third parties?
    (1) Are there specific challenges related to due diligence and 
ongoing monitoring of such third-party providers?
    (2) Are there specific challenges related to the review and 
validation of models provided by such third parties?
    (3) Are there specific challenges related to information sharing or 
data protection?
    Questions 6: Would a voluntary certification process for certain 
model technologies or third-party providers of technology and other 
services meaningfully reduce the cost of due diligence and on-boarding 
for:
    (1) The certified third-party provider?
    (2) the certified technology?
    (3) potential IDI technology users, particularly community banks?
    Question 7: What are the challenges, costs, and benefits of a 
voluntary certification program or other standardized approach to due 
diligence for third-party providers of technology and other services? 
How should the costs of operating the SSO and any associated COs be 
allocated (e.g., member fees for SSO participation, certification 
fees)?
    Question 8: Would a voluntary certification process undermine 
innovation by effectively limiting an IDI's discretion regarding models 
or third-party providers of technology and other services, even if the 
use of certified third parties or models was not required? Would IDIs 
feel constrained to enter into relationships for the provision of 
models or services with only those third parties that are certified, 
even if the IDIs retained the flexibility to use third parties or 
models that were not certified?
    Question 9: What supervisory changes in the process of examining 
IDIs for safety and soundness or consumer protection would be necessary 
to encourage or facilitate the development of a certification program 
for models or third-party providers and an IDI's use of such a program? 
Are there alternative approaches that would encourage or facilitate 
IDIs to use such programs?
    Question 10: What other supervisory, regulatory, or outreach 
efforts could the FDIC undertake to support the financial services 
industry's development and usage of a standardized approach to the 
assessment of models or the due diligence of third-party providers of 
technology and other services?

Scope

    Question 11: For which types of models, if any, should standards be 
established and a voluntary certification process be developed? For 
example, is the greatest interest or need with respect to:
    (1) Traditional quantitative models?
    (2) anti-money laundering (AML) transaction monitoring models?
    (3) customer service models?
    (4) business development models?
    (5) underwriting models?
    (6) fraud models?
    (7) other models?
    Question 12: Which technical and operational aspects of a model 
would be most appropriate for evaluation in a voluntary certification 
program?
    Question 13: What are the potential challenges or benefits to a 
voluntary certification program with respect to models that rely on 
artificial intelligence, machine learning, or big data processing?
    Question 14: How can the FDIC identify those types of technology or 
other services, or those aspects of the third-party provider's 
condition, that are best suited for a voluntary certification program 
or other standardized approach to due diligence? For example, should 
such a certification program include an assessment of financial 
condition, cyber security, operational resilience, or some other aspect 
of a third-party provider?

SSO

    Question 15: If the FDIC partnered with an SSO to set standards for 
due diligence and assessments of models or third-party providers of 
technology and other services, what considerations should be made in 
choosing the SSO? What benefits or challenges would the introduction of 
an SSO into the standard-setting process provide to IDIs, third-party 
providers, or consumers?
    Question 16: To what extent would a standards-based approach for 
models or third-party providers of technology and other services be 
effective in an environment with rapidly developing technology systems, 
products, and platforms, especially given the potential need to 
reassess and reevaluate such systems, products, and platforms as 
technologies or circumstances change?
    Question 17: What current or draft industry standards or frameworks 
could serve as a basis for a standard-setting and voluntary 
certification program? What are the advantages and disadvantages of 
such standards or frameworks? Do standards and voluntary certifications 
already exist for use as described herein?
    Question 18: Given that adherence to SSO standards would be 
voluntary for third parties and for IDIs, what is the likelihood that 
third-party providers of models or services would acknowledge, support, 
and cooperate with an SSO in developing the standards necessary for the 
program? What challenges would hinder participation in that process? 
What method or approaches could be used to address those challenges?
    Question 19: What is the best way to structure an SSO (e.g., board, 
management, membership)? Alternatively, are there currently established 
SSOs with the expertise to set standards for models and third parties 
as described herein?
    Question 20: To what extent should the FDIC and other Federal/state 
regulators play a role, if any, in an SSO? Should the FDIC and other 
Federal/state regulators provide recommendations to an SSO? Should the 
FDIC and other Federal/state regulators provide oversight of an SSO, or 
should another entity provide such oversight?

[[Page 44894]]

    Certification Organizations (COs)
    Question 21: What benefits and risks would COs provide to IDIs, 
third parties, and consumers?
    Question 22: To what extent would COs be effective in assessing 
compliance with applicable standards in an environment with rapidly 
developing technology systems, products, and platforms, especially 
given the potential need to reassess and reevaluate such systems, 
products, and platforms as technologies or circumstances change?
    Question 23: For model validation and testing, would COs evaluate a 
model based solely on reports, testing results, and other data provided 
by the third-party provider of the model? Or would the COs need to test 
the model and generate their own test results? What steps would the COs 
need to take to protect the intellectual property or other sensitive 
business data of the third party that has submitted its model to the 
validation process?
    Question 24: If COs receives derogatory information indicating that 
a certified third party or certified model or technology no longer 
meets applicable standards, should the COs develop a process for 
withdrawing a certification or reassessing the certification?
    (1) If so, what appeal rights should be available to the affected 
third party?
    (2) What notification requirements should COs have for financial 
institutions that have relied on a certification that was subsequently 
withdrawn?
    (3) Should the FDIC or Federal/state regulators enter information 
sharing agreements with COs to ensure that any derogatory information 
related to a certified third party or certified model or technology is 
appropriately shared with the COs?
    Question 25: Are there legal impediments, including issues related 
to liability or indemnification, to the implementation of a voluntary 
certification program that the FDIC, other Federal/state regulators, 
third-party providers, and IDIs should consider?
    Question 26: To what extent should the FDIC and other Federal/state 
regulators play a role, if any, in the identification and oversight of 
COs, including assessments of ongoing operations? Should the FDIC and 
other Federal/state regulators provide oversight of COs, or should 
another entity, such as an SSO, provide such oversight?

    Federal Deposit Insurance Corporation.

    Dated at Washington, DC, on July 21, 2020.
James P. Sheesley,
Acting Assistant Executive Secretary.
[FR Doc. 2020-16058 Filed 7-23-20; 8:45 am]
BILLING CODE 6714-01-P