Thursday, May 16, 2024

Regulatory Mandate: Third-Party Risk Management

QUESTION 

I am the Compliance Manager of a bank. We have a mortgage banking platform. I handle our legal and regulatory compliance. Our new Chief Risk Officer wants to review our Third-Party Risk Management policy and procedures. The problem is that we do not have such a policy and procedures. 

We have vendor management procedures, which our regulator has accepted. Like me, the CRO is an attorney but he can’t fathom how we could have functioned for so long without this policy, irrespective of the regulator’s evaluation. I respect his view, and he has discussed case law and regulatory requirements with me. But, the fact is, we simply have never created a comprehensive policy just for third-party risk management. 

I understand now that a policy for Third-Party Risk Management is an essential requirement that must be drafted and ratified by our Board. The policy must extend to other banks and nonbanks with which we do business. We need some guidance in drafting this policy. The CRO follows your articles, and he asked me to write to you. I have subscribed and encouraged our staff to subscribe. 

What are some key features of a policy focused on Third-Party Risk Management? 

COMPLIANCE SOLUTION 

TPRM Tune-up®

Third-Party Risk Management

Policy and Procedures 

ANSWER 

Thank you for subscribing, and I appreciate your Chief Risk Officer reading our articles. We have been publishing these articles for many years, and it is humbling when our subscribers express their gratitude. 

Our research of public enforcement actions shows that approximately 25% of them - that’s one in four enforcement actions! - against banks and nonbanks have specifically noted deficiencies in how the target institution managed third-party service provider risks. 

If any financial institution does not have a Third-Party Risk Management policy and procedures, it is surely incurring legal and regulatory risk. Your CRO is correct! 

One other point before I proceed. When a company official tells me that their regulator has never mentioned a particular regulatory violation, though it is a regulatory violation, and thus they intimate that what they’re doing must be ‘acceptable to the regulator,’ the alarms go off. If an institution wants to wait for a regulator to find its policies skimpy, defective, sketchy, inadequate, incomplete, fragmentary, insufficient, and deficient, it will find itself in the midst of a very unpleasant, belated attempt at remediation and possibly even an administrative action. 

And remember to implement the procedures and monitor the implementation. A bank examiner will not only review the policy but also determine if the procedures are implemented. 

_____________________________________________________________ 

TPRM Tune-up® 

When we conduct our TPRM Tune-up®, which is a review of a company’s third-party risk management structure, we work with a set of audit tools that help us evaluate regulatory compliance, offer recommendations, and provide a risk rating. The TPRM Tune-up® is often in demand because third-party risk management is central to safety and soundness criteria. Contact us here, and we’ll send you the presentation.  

_____________________________________________________________ 

Board and Management Responsibility 

Financial institutions remain ultimately responsible for managing their third-party service provider relationships, activities, and associated risks. They must ensure that all of their operations, in-house or outsourced, are conducted safely and soundly and in compliance with applicable legal and regulatory requirements, including consumer protection and financial crimes laws and regulations, just as if the institution were performing the activities itself. 

Regulators look to the company’s Board of Directors as ultimately responsible for providing oversight for third-party risk management and holding management accountable for its role. Management is responsible for developing and implementing third-party risk management policies, procedures, and practices commensurate with the institution’s risk appetite and the level of risk and complexity of its third-party relationships. Internal controls, independent reviews, and documentation are critical components. 

Third-Party Risk Management POLICY 

There are essential requirements for a Third-Party Risk Management policy (“TPRM Policy”). 

The TPRM Policy has four principal requirements, which I will outline below. It will be up to you to draft the policy language. Each requirement can have its own section and subsections. I will offer some guidance to help with your considerations. 

The four TPRM Policy requirements can be elucidated as follows: 

1. Risk Management 

2. Third-Party Relationship Life Cycle 

3. Governance 

4. Appendix 

TPRM Policy Sections 

1. Risk Management 

Not all third-party relationships present the same level of risk. Indeed, not all such relationships require the same level of oversight. However, a financial institution should apply rigorous risk management practices throughout the third-party relationship life cycle for third parties that support higher-risk activities, including critical activities. 

An institution may adjust and update its third-party risk management practices commensurate with its size, complexity, and risk profile by periodically analyzing the risks associated with each third-party relationship. It is important to involve knowledgeable and skilled staff in each stage of the risk management life cycle. 

Therefore, your company would apply risk management practices in different stages of the third-party relationship life cycle. For instance, an important initial step is identifying third-party relationships that support higher-risk activities, including critical activities. 

Generally, to determine if an activity is higher risk, a company would assess various factors, such as if the third party has access to sensitive data (including customer data), processes transactions, or provides essential technology and business services. 

2. Third-Party Relationship Life Cycle 

Effective third-party risk management generally follows a continuous life cycle for third-party relationships. There are five stages of the TPRM life cycle, all responsive to governance in terms of Oversight and Accountability, Independent Reviews, and Documentation and Reporting. 

Here is an outline of the five stages of the TPRM life cycle. 

Stage 1: Planning 

Careful planning enables a community bank to consider potential risks in the proposed third-party relationship. Managing third-party relationships allows the company to evaluate the extent of risk management resources and practices for effective oversight of the proposed third-party relationship throughout the subsequent stages of the third-party relationship life cycle. 

Stage 2: Due Diligence (Selecting the Third Party) 

Due diligence is the process by which a company assesses, prior to entering into a third-party relationship, a particular third party’s ability to, among other things, perform the activity as expected, adhere to company policies, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner.

One guideline to develop in the policy is a clear definition of effective due diligence. We define effective due diligence as the process that assists in selecting capable and reliable third parties to perform activities for, through, or on behalf of the company. If the company cannot obtain the desired due diligence information from the third party, it will have to consider alternative information, details, controls, and monitoring; otherwise, it should consider abandoning the use of the third party.

Conducting due diligence on third parties before selecting and entering into third-party relationships is an important part of sound risk management. It provides management with the information needed about potential third parties to determine if a relationship would help achieve an organization’s strategic and financial goals. The due diligence process also provides the banking organization with the information needed to evaluate whether it can appropriately identify, monitor, and control risks associated with the particular third-party relationship. 

Stage 3: Contract Negotiation

Before entering into a contractual relationship with a third party, an institution should consider contract provisions that meet its business objectives, regulatory obligations, and risk management policies and procedures. If a company has limited negotiating power, management needs to understand any resulting limitations and consequent risks. It comes down to risk tolerance, such as whether the contract can still meet the company’s needs, whether the contract would result in increased risk to the company, and whether residual risks are acceptable.

Stage 4: Monitoring 

Monitoring cannot be overemphasized when managing third-party risk. A company’s ongoing monitoring of the third party’s performance enables management to determine if the third party is performing as required for the duration of the contract. Our clients use the information derived from monitoring to adapt and refine their risk management practices.

There are three aspects of this stage in the life cycle, whereby monitoring:

1) Confirms the quality and sustainability of a third party’s controls and ability to meet contractual obligations;

2) Escalates significant issues or concerns (i.e., material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk); and

3) Responds to such significant issues or concerns when and where identified. 

Stage 5: Termination 

Ending a relationship with a third party occurs for a variety of reasons, such as expiration or breach of the contract, the third party’s failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bring the activity in-house, or discontinue the activity. It is important for management to terminate relationships efficiently, whether the activities are transitioned to another third party, brought in-house, or discontinued. 

3. Governance 

As I noted above, the life cycle is governed by tripartite activities: Oversight and Accountability, Independent Reviews, and Documentation and Reporting. Here are some tips for each activity. 

(A) Oversight and Accountability

The Board of Directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable. Management is responsible for developing and implementing third-party risk management policies, procedures, and practices commensurate with the company’s risk appetite and the level of risk and complexity of its third-party relationships.

(B) Independent Review

The company must conduct periodic independent reviews to assess the adequacy of its third-party risk management processes. An institution may use the results of independent reviews to determine whether and how to adjust its third-party risk management process, including its policies, reporting, resources, expertise, and controls.

(C) Documentation and Reporting

Documentation and reporting, key elements that assist those within or outside the company who conduct control activities, will vary among financial institutions depending on the risk and complexity of their third-party relationships.

4. Appendix 

Consider including an appendix that lists resources. The resources do not have to be comprehensive. Keep adding to the Appendix as you come across resources that help to manage third-party risk. Of course, there are Acts, regulations, and rules. However, other sources of information may be available, particularly on specific topics.

The use of third parties, especially those using new technologies, may present elevated risks to a financial institution and its customers, including operational, compliance, and strategic risks. Importantly, the use of third parties does not diminish or remove the institution's responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.

Request Information: TPRM Tune-up®.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, May 9, 2024

Online Data Collection Challenge

QUESTION 

Most of our business is from originating mortgages. Recently, we started originating Buy-Now-Pay-Later loans. I know you specialize in mortgage banking. And these are not mortgage loans. However, they are available online just like we offer our mortgages online. 

Our attorney told us that getting a customer's social security number for online Buy-Now-Pay-Later loans poses consumer privacy and information security risks. She says we could collect partial SSN information directly from the customer and then use a third party source to obtain the full SSN before opening the account. 

This is not a practical solution. As the sales manager, I am trying to find some kind of workaround. We need the SSN when the loan comes in online. Processing begins immediately and includes our CIP filters. However, if we use a third party to handle the BSA requirement, there could be a processing delay. 

Hopefully, you can shed some light on how to resolve this situation. Our attorney reads your articles and often sends them to us. So, I'm sure she will read your view on getting online SSN information. 

Can you explain why our attorney is concerned about our online CIP data collection involving Buy-Now-Pay-Later loans? 

COMPLIANCE SOLUTION 

Website Compliance Review 

Policies and Procedures

ANSWER 

Since 2006, Lenders Compliance Group has offered mortgage banking compliance. We do not provide compliance guidance for Buy-Now-Pay-Later (BNPL) loans. The BNPL loan is an installment loan that typically allows a customer to purchase something immediately with little or no initial payment and pay off the balance over four or fewer payments.[i] 

I will answer your question because you have an online origination platform that is used to originate mortgage loan products, where you have now introduced the origination of BNPL loans. 

You do not state if your company is contemplating partnering with a nonbank third party service provider to facilitate BNPL loan originations. 

Read on to find out why that information is a critical compliance element. 

I think there are more reasons for your attorney's directive than are described in your question. Given that you are marketing mortgage and non-mortgage products online, the online platform should be evaluated for its overall compliance with CIP requirements, among other things. Depending on the online consumer disclosures, product and service array, origination technology, and other factors, I think her concern is warranted. 

Please ask your attorney to contact me here. We'll discuss and resolve the situation. 

Your question comes as FinCEN is evaluating, via a Request for Information (RFI), existing requirements for banks under the Customer Identification Program Rule ("CIP Rule") to collect a taxpayer identification number (TIN) from a customer before opening an account. I'll provide a bird's-eye view of the anticipated plans, which may be responsive to your attorney's concerns. 

Generally, banks and nonbanks ("financial institution(s)" or "institution(s)") must collect a full Social Security Number (SSN) from a customer who is an individual and a U.S. person. The RFI, mentioned above, is being issued in consultation with staff at the OCC, FDIC, NCUA, and the Federal Reserve System (collectively, the "Agencies"). 

FinCEN is looking for feedback to understand the potential risks, benefits, and safeguards that could be established if financial institutions were permitted to collect partial SSN information directly from the customer for U.S. individuals and subsequently use reputable third party sources to obtain the full SSN before account opening. So, FinCEN's inquiry seems to align with your attorney's suggestion. Agencies usually issue an RFI because they want certain information to evaluate practices and, in this case, a better understanding of current industry practices and perspectives related to the CIP Rule's TIN collection requirement. So, their inquiry is based on wanting to assess the potential risks and benefits associated with a change to that requirement. 

From the start of anti-money laundering compliance, financial institutions have collected identifying information from a customer before opening an account. FinCEN, in consultation with staff at the Agencies, seeks information and comments from interested parties regarding the CIP Rule requirement for financial institutions to collect a taxpayer identification number (TIN) and other information from a customer who is a U.S. person before opening an account. 

There are minimum standards[ii] for such information collection, including, among other things, reasonable procedures[iii] for 

(1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; and 

(2) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information.  

It is, therefore, a given that, to satisfy the CIP Rule's TIN collection requirement for a U.S. individual, a financial institution must collect the full SSN from the customer before opening an account. While an institution's procedures for verifying a customer's identity may be risk-based and may vary among institutions, the CIP Rule makes clear that the collection of certain identifying information is a minimum requirement, and such information must be collected directly from the customer before opening an account, except concerning credit card accounts. 

Accordingly, the CIP Rule generally does not allow a financial institution to collect an individual's SSN from a person other than the customer (i.e., a third party service provider). 

When the CIP Rule was adopted, institutions were exempted from the requirement for credit card accounts to collect identifying information directly from the customer, including an identification number. Rather, financial institutions may collect the customer's identifying information, such as the SSN, for credit card accounts, from a third party source before extending credit to the customer. The agency saw at that time that without this exception, the CIP Rule would change an institution's business practices by mandating information beyond what was already obtained directly from a customer who opened a credit card account at the point of sale or by phone. 

Concerns were raised during the proposed CIP Rule's comment period that, for instance, a person applying for a credit card account would be hesitant to provide their SSN, especially through non-face-to-face means, because of consumer privacy and security concerns. 

It seems clear that FinCEN saw that requiring a bank to collect a customer's identifying information from the customer in every case, including over the phone, would likely alter how banks do business. Consequently, credit card accounts were exempted from the CIP Rule's information collection requirements, allowing banks and nonbanks to obtain, for these purposes, a customer's identifying information from a third party source, such as a credit bureau, before an extension of credit. In its issuances, FinCEN considered this practice an efficient and effective means of extending credit with little risk that an institution did not know the borrower's identity. 

Since the CIP Rule was adopted in 2003, FinCEN has become aware that there has been significant innovation in how customers interact with financial institutions and receive financial services, and in CIP data collection and verification tools available to financial institutions. 

So, here's the crux of the matter: some banks partner with nonbank third party service providers to facilitate new financial products and services. A Buy-Now-Pay-Later loan product is an example of such a product, enabled by a nonbank financial institution, a third party service provider, that extends credit to customers at the point of sale. 

These products and services operate in a similar manner to credit cards but may be offered by nonbank financial institutions that may or may not be subject to the Bank Secrecy Act (BSA) and its implementing regulations or other comparable regulatory requirements.[iv] Even so, institutions that do not comply with the CIP Rule may face supervisory action, particularly if a nonbank with which a bank has partnered does not collect the customer's identifying information directly from the customer, as required by the CIP Rule. 

The RFI[v] will presumably inform FinCEN's understanding in this area and help the agency evaluate the risks, benefits, and potential safeguards related to certain CIP Rule requirements applicable to financial institutions. Specifically, FinCEN is seeking input from institutions and other interested parties regarding the Rule's SSN collection requirement. The results may allow financial institutions to collect partial SSN information from the customer and use a third party source to collect the full SSN. Partial SSN collection is when a bank collects a certain part of the SSN from individuals who are customers (i.e., the last four digits of an individual's SSN) and then obtains the full SSN from a reputable third party service provider. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

[i] What is a Buy Now, Pay Later (BNPL) Loan?, Consumer Financial Protection Bureau, Issuance (Last Reviewed: December 2, 2021), https://www.consumerfinance.gov/ask-cfpb/what-is-a-buy-now-pay-later-bnpl-loan-en-2119/ 

[ii] Section 326 of the USA Patriot Act amended the BSA to require, inter alia, the Secretary to prescribe regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." 

[iii] 13 CFR Part 103, Financial Crimes Enforcement Network; Customer Identification Programs for Certain Banks (Credit Unions, Private Banks and Trust Companies) That do not Have a Federal Functional Regulator, Department of the Treasury

[iv] An example of a nonbank financial institution that is a third-party service provider used to facilitate new financial products and services would be one that provides BNPL loans that extend credit at the point of sale to customers.

[v] The RFI supports FinCEN's ongoing efforts to implement Section 6216 of the Anti-Money Laundering Act of 2020, which requires the agency to, inter alia, identify regulations and guidance that may be outdated, redundant, or otherwise do not promote risk-based AML/CFT requirements (CFT being the acronym for combating the financing of terrorism).

Thursday, May 2, 2024

Business Continuity Plan: Insufficient Recovery

QUESTION 

According to the bank examiner, our Business Continuity Plan does not provide “sufficient recovery and resolution planning requirements” to manage stresses caused by system failures during a disaster. The problem is that they did not give us guidelines to determine what constitutes sufficient recovery procedures. 

As a result, I am not sure we will satisfy their expectations. I have had our compliance department and lawyers come up with an outline of procedures, but they keep giving me scenarios, and I am not convinced that just listing scenarios is the way to go. I am our company’s founder and president. I will tell you we have never had a catastrophic system failure caused by a disaster. That’s not to say it can’t happen. And I get it! We need to be ready at all times. 

But I don’t want to go out with only scenarios. I am concerned that this approach is not comprehensive, and, more to the point, I think it will annoy the examiner. I need something that the whole company can integrate into operations. 

I hope you can provide a management approach I can implement in all our departments and divisions. Each department will then work to comply with management’s requirements. I will ask our compliance people to ensure companywide oversight of those requirements. 

What are some steps, an outline, toward managing business continuity during disasters? 

COMPLIANCE SOLUTION 

Business Continuity and Disaster Recovery Plan 

BCP Tune-up

ANSWER 

A credible Business Continuity Plan[i] must consider market and companywide stresses and idiosyncratic risks that can imperil the continuity of a financial institution’s critical operations and core business lines. Indeed, proper planning can reduce the adverse broader impact on the financial system. 

With our BCP Tune-up, we have reviewed the Business Continuity Plans of many companies, so I believe we have a unique perspective on regulatory expectations. Many clients use the BCP Tune-up as a self-assessment tool. Self-assessment is an essential Best Practice encouraged by most banking departments. Our review is cost-effective, and we provide a report that describes current risks as well as recommendations that help to meet regulatory scrutiny.

Business continuity is inherently linked to disaster recovery. Your company must develop the ability to prepare for, adapt to, and withstand or recover from disruptions. Disruptions may result from external events like natural disasters, malicious actors, pandemics, global conflicts, or weak internal systems, controls, or risk management. Adapting is essential. For instance, we revised our Business Continuity Plan during the pandemic to add an entire section for Pandemic and Epidemic Response. 

Obviously, disruptions may impede the provision of services, such as payments and clearing and settlement, or adversely impact systems or corrupt data. 

However, the current focus of many banking departments is on exploring baseline “operational resilience” requirements with respect to critical operations, including third-party service providers. 

Such baseline requirements often include the following: 

· Establishing clear definitions for identifying critical activities and core business lines. 

· Defining tolerances for disruption, such as caused by cyber-attacks.[ii] 

· Requiring testing and validation of “resilience” capabilities. 

· Incorporating third-party risk management expectations.[iii] 

· Stipulating clear communication expectations among stakeholders and counterparties. 

· Addressing expectations for critical service providers, emphasizing governance and risk management expectations. 

A company subject to recovery or resolution planning requirements can leverage the information I’m providing in an outline form. You can send it to your departments and divisions for feedback and implementation. In my view, the outline conforms to existing regulations and guidance, the results of which should promote sound business continuity management.[iv] 

In your question, you mentioned the term “recovery” was used by the bank examiner. I use that term, in accordance with regulatory guidance, to refer to the restoration of clearing and settlement activities after a wide-scale disruption. I use the term “resumption” to refer to the capacity to accept and process new transactions and payments after a wide-scale disruption.[v] 

I make no claim that the following nine practices are comprehensive. However, the outline may be considered “sufficient” for deriving an overall plan for business continuity and disaster recovery. 

Business Continuity Management 

1) Business Impact Analysis 

The company’s business continuity management incorporates business impact analysis,[vi] testing, training, awareness programs, and communication and crisis management policies. 

2) Contingency 

The company periodically reviews its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities.[vii] Contingency strategies must align with existing guidance for a company that performs payment, clearing, and settlement activities in critical financial markets.[viii] 

3) Testing 

The company tests business continuity plans, reviews the execution of tests, and improves plans by incorporating lessons learned. Business continuity tests and exercises incorporate dependencies of critical operations and core business lines on third parties. The company participates in disaster recovery and business continuity testing with third parties associated with critical operations and core business lines. 

4) Scenarios 

The company confirms that functional testing procedures for assessing the ability of a company’s IT systems to deliver minimum service capacity to critical operations and core business lines are consistent with its business continuity objectives. Business continuity management incorporates scenarios where service capacity and business continuity objectives cannot be met. 

5) Personnel 

The company identifies and manages the availability of personnel essential to executing its critical operations and core business lines.[ix] The company has one or more alternate sites with sufficient resources (including personnel), technology capabilities, and functionality to execute the company’s critical operations and core business lines in the event of a disruption.[x] The alternate sites are located at a sufficient geographical distance from the primary site and have a distinct risk profile. 

6) Remote Access 

Business continuity management includes remote access contingencies that allow personnel to continue delivering the company’s critical operations and core business lines during the disrupting event.[xi] The management of contingencies prioritizes critical operations and core business lines and provides personnel with adequate connectivity, communication, collaboration tools, essential technology resources, and access to network systems. These contingencies incorporate transitioning personnel back to normal operations following the resolution of a disruption.[xii] 

7) Training 

The company trains essential personnel responsible for executing critical operations and core business lines and performing backup roles should a disruption occur. The company implements an operational resilience training and awareness program to evaluate the effectiveness of personnel-related business continuity arrangements, and the program is continually improved as shortcomings are identified. 

8) Implementation 

The company’s recovery or resolution planning is integrated into its governance and operating processes and is part of business-as-usual activities, including companywide risk management processes. To ensure sufficient implementation, recovery or resolution planning is understood as complementary to, and linked with, existing risk management and business continuity management processes. 

9) Interconnections 

The company harvests and leverages information in its recovery or resolution plans to identify options to respond to a wide range of severe but plausible internal and external stress scenarios. The company similarly leverages the identification of interconnections and interdependencies among critical operations and core business lines, affiliates, subsidiaries, and third parties. 

While sound practices prioritize business continuity and disaster recovery of the critical operations and core business lines of a financial institution and its material entities,[xiii] the plan should also identify and address the resilience of other operations, services, and functions for which a disrupting event could have a significant adverse impact on the company or its customers.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group
_______________________________

[i] For more information, consider the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook, which includes the booklet Business Continuity Management (November 2019). This booklet describes principles and practices for IT and operations to ensure safety and soundness, consumer financial protection, and compliance with applicable laws and regulations.
[ii] In 2021, the federal banking agencies adopted the Computer-Security Incident Notification Rule to bolster cyber defenses.
[iii] The federal banking agencies have issued interagency guidance on third-party risk management, building off of the Office of the Comptroller of the Currency’s (OCC) longstanding guidance on the topic.
[iv] Guidance includes SR letter 03-9 and OCC Bulletin 2003-14 Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (April 8, 2003), which outline practices for geographic diversity and resiliency of data centers and operations, as well as recovery and resumption time objectives and related testing standards for firms that perform payment, clearing, and settlement activities in critical financial markets.
[v] Idem
[vi] Op. cit. i, Section III.A. Business Impact Analysis of the FFIEC Information Technology Examination Handbook booklet Business Continuity Management describes the business impact analysis process.
[vii] Ibid., Section II.A. Board and Senior Management Responsibilities
[viii] Op. cit. iv
[ix] Op. cit. i, Section IV.A.4 Personnel
[x] Op. cit. i, Section V.C Facilities and Infrastructure
[xi] Operational risk management and independent internal (or external) audit functions should also consider remote access and any other related conditions.
[xii] Op. cit. ix
[xiii] For purposes of this article, I define a material entity as one that is significant to the activities of an identified critical operation or core business line or is financially or operationally significant to the company's recovery from a disrupting event.