The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) have issued their Final Guidance on Third-Party Relationships: Risk Management. The guidance offers principles for sound risk management practices for all stages of third-party relationships, taking into account the level of risk, complexity, size of the banking organization, and the nature of the third-party relationship.
This guidance was initially released as a proposal when these agencies released a joint request for comment to their Proposed Interagency Guidance on Third-Party Relationships: Risk Management. The OCC, the Federal Reserve Board, and the FDIC announced this as a response to requests within the industry for aligned approaches to third-party risk management (TPRM) guidance. This interagency effort sought to create cohesive, uniform assessment standards between these regulators. The deadline for comment submission was September 2021, and the agencies have compiled that feedback into this final guidance.
“The final guidance includes illustrative examples to help banking organizations, particularly community banks, align their risk management practices with the nature and risk profile of their third-party relationships. The agencies plan to engage with community banks immediately and develop additional resources in the near future to assist them in managing relevant third-party risks.”
-Interagency Guidance Press Release
The joint guidance replaces each agency’s existing general guidance on this topic and is directed to all banking organizations supervised by the agencies. The guidance is final as of June 6, 2023.
The interagency guidance also provides insights into areas of importance regarding how banks can apply effective risk management principles when developing relationships with third parties and managing their risks.
“Whether activities are performed internally or via a third party, banking organizations are required to operate in a safe and sound manner and in compliance with applicable laws and regulations. A banking organization’s use of third parties does not diminish its responsibility to meet these requirements to the same extent as if its activities were performed by the banking organization in-house.”
– Interagency Guidance on Third-Party Relationships: Risk Management
A key area of TPRM is managing the third-party relationship lifecycle, and each step has its own considerations to ensure compliance, operations, safety, and efficiency, while also minimizing risk. Stages of the risk management lifecycle that the interagency guidance covers, include:
Prior to entering into a third-party relationship, banking organizations should examine all vendor risks and implement a plan to manage the relationship. This guidance provides deeper insights into examining the benefits and risks of the third parties, aligning to the strategic purpose of the business, volume of activity, the nature of interaction with customers, potential information security risks, and more.
Performing due diligence prior to contracting with a third party is necessary in order to gauge a vendor’s ability to perform their service, adhere to policies, comply with laws, and operate safely. Due diligence also provides insights into the risks they bring an organization, and where it affects critical activities. The guidance provides further insights into what factors due diligence should cover including:
Contract negotiation is a critical part of any third-party relationship as it sets responsibilities and provisions. Contracts with third parties can be complex, and it can be sometimes difficult to negotiate terms that satisfy the organization’s needs. The guidance covers factors contributing to this including nature and scope of any agreement, performance benchmarks, responsibilities and roles, right to audit and remediation, responsibility for compliance, confidentiality, indemnification, business continuity, dispute resolution, subcontracting, and more.
In addition to initial due diligence, ongoing monitoring is critical to TPRM as it monitors the duration of the vendor relationship. Ongoing monitoring is particularly important in higher-risk third-party relationships often seen in banking and helps organizations to re-assess existing relationships, examine changing risks throughout the lifecycle, escalate concerns, and determine the type and frequency of reports and assessments needed to effectively manage the relationship. The interagency guidance provides ongoing monitoring insights such as:
If a banking organization needs to terminate a vendor relationship for any reason it is important to manage these efficiently, and securely. The document covers factors to consider during this process including resources needed to transition activities, data retention and destruction risks, information system connections, handling of intellectual property, potential operational or customer disruptions, and other areas of concern.
The board of directors and management for banking organizations are responsible for overseeing third-party risk management processes, implementation, and accountability. The guidance provides an outline of these responsibilities for the board of directors, management, independent reviews, and documentation and reporting.
Conducting independent reviews on a routine basis is critical to determine if TPRM processes are working. The guidance outlines these reviews should cover including alignment, whether risks are controlled, if processes are working, staffing and expertise, and potential conflicts of interest.
Proper documentation of TPRM processes is also an essential component of banks’ programs. The guidance provides examples of processes that support documentation and reporting such as an inventory of third-party relationships, risk assessments, due diligence results, risk performance, potential customer complaints, results of reviews, and board reporting.
The financial services industry is under pressure from an increasingly active regulatory environment, scrutiny of their risk management programs (by all kinds of stakeholders), and a need for measurable program efficiencies defined by their own distinct requirements.
If you are interested in learning more about how the Interagency Guidance could affect your TPRM program, or interested in learning about our platform, contact one of our experts today.
Share with Your Friends:
