Unpacking the Final Interagency Guidance on Third-Party Relationships: Risk Management

July 10th, 2023 Hannah Tichansky Reading Time: 4 minutes

The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) have issued their Final Guidance on Third-Party Relationships: Risk Management. The guidance offers principles for sound risk management practices for all stages of third-party relationships, taking into account the level of risk, complexity, size of the banking organization, and the nature of the third-party relationship.

This guidance was initially released as a proposal when these agencies released a joint request for comment to their Proposed Interagency Guidance on Third-Party Relationships: Risk Management. The OCC, the Federal Reserve Board, and the FDIC announced this as a response to requests within the industry for aligned approaches to third-party risk management (TPRM) guidance. This interagency effort sought to create cohesive, uniform assessment standards between these regulators. The deadline for comment submission was September 2021, and the agencies have compiled that feedback into this final guidance.

“The final guidance includes illustrative examples to help banking organizations, particularly community banks, align their risk management practices with the nature and risk profile of their third-party relationships. The agencies plan to engage with community banks immediately and develop additional resources in the near future to assist them in managing relevant third-party risks.”

– Interagency Guidance Press Release

The joint guidance replaces each agency’s existing general guidance on this topic and is directed to all banking organizations supervised by the agencies. The guidance is final as of June 6, 2023.

Highlights of the Guidance for Third-Party Relationships

The interagency guidance also highlights the areas that matter most when banks apply risk management principles to developing third-party relationships and managing the risks those relationships introduce.

“Whether activities are performed internally or via a third party, banking organizations are required to operate in a safe and sound manner and in compliance with applicable laws and regulations. A banking organization’s use of third parties does not diminish its responsibility to meet these requirements to the same extent as if its activities were performed by the banking organization in-house.”

– Interagency Guidance on Third-Party Relationships: Risk Management

A key area of TPRM is managing the third-party relationship lifecycle. Each stage has its own considerations for ensuring compliance, operational continuity, safety, and efficiency while minimizing risk. The stages of the risk management lifecycle that the interagency guidance covers include:

Planning:

Prior to entering into a third-party relationship, banking organizations should examine all vendor risks and implement a plan to manage the relationship. The guidance provides deeper insights into examining the benefits and risks of third parties, including alignment with the strategic purpose of the business, the volume of activity, the nature of interaction with customers, potential information security risks, and more.

Due Diligence and Third-Party Selection:

Performing due diligence prior to contracting with a third party is necessary in order to gauge a vendor’s ability to perform its service, adhere to policies, comply with laws, and operate safely. Due diligence also provides insight into the risks a third party brings to an organization, and whether those risks affect critical activities. The guidance provides further detail on the factors due diligence should cover, including:

  • Legal and regulatory compliance
  • Financial condition
  • Business experience
  • Qualifications
  • Risk management
  • Management of information systems
  • Operational resilience
  • Incident reporting
  • Physical security
  • Insurance coverage
  • Contractual agreements
  • And more

Contract Negotiation:

Contract negotiation is a critical part of any third-party relationship, as it sets responsibilities and provisions. Contracts with third parties can be complex, and it can sometimes be difficult to negotiate terms that satisfy the organization’s needs. The guidance covers factors contributing to this, including the nature and scope of the agreement, performance benchmarks, responsibilities and roles, the right to audit and remediate, responsibility for compliance, confidentiality, indemnification, business continuity, dispute resolution, subcontracting, and more.

Ongoing Monitoring:

In addition to initial due diligence, ongoing monitoring is critical to TPRM because it covers the full duration of the vendor relationship. Ongoing monitoring is particularly important in the higher-risk third-party relationships often seen in banking. It helps organizations re-assess existing relationships, examine changing risks throughout the lifecycle, escalate concerns, and determine the type and frequency of reports and assessments needed to manage the relationship effectively. The interagency guidance provides ongoing monitoring insights on topics such as:

  • The effectiveness of third-party relationships
  • Changes to business strategy
  • A third party’s financial condition
  • The adequacy of insurance coverage
  • Legal and regulatory updates
  • Training
  • And more

Termination:

If a banking organization needs to terminate a vendor relationship for any reason, it is important to manage the process efficiently and securely. The document covers factors to consider during termination, including the resources needed to transition activities, data retention and destruction risks, information system connections, handling of intellectual property, potential operational or customer disruptions, and other areas of concern.

Highlights of Governance Topics

Oversight and Accountability:

The board of directors and management for banking organizations are responsible for overseeing third-party risk management processes, implementation, and accountability. The guidance provides an outline of these responsibilities for the board of directors, management, independent reviews, and documentation and reporting.

Independent Reviews:

Conducting independent reviews on a routine basis is critical to determining whether TPRM processes are working. The guidance outlines what these reviews should cover, including alignment, whether risks are controlled, whether processes are working, staffing and expertise, and potential conflicts of interest.

Documentation and Reporting:

Proper documentation of TPRM processes is also an essential component of banks’ programs. The guidance provides examples of processes that support documentation and reporting such as an inventory of third-party relationships, risk assessments, due diligence results, risk performance, potential customer complaints, results of reviews, and board reporting.

Learn More About TPRM for Financial Services

The financial services industry is under pressure from an increasingly active regulatory environment, scrutiny of their risk management programs (by all kinds of stakeholders), and a need for measurable program efficiencies defined by their own distinct requirements.

If you are interested in learning more about how the Interagency Guidance could affect your TPRM program, or interested in learning about our platform, contact one of our experts today.

Hannah Tichansky

Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.

Hannah holds over 12 years of writing and marketing experience, with 6 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.
