Updated Regulatory Guidelines on Third-Party Risk Management


Earlier this year, federal bank regulatory agencies released new guidance designed to help banking organizations better manage risks related to third-party relationships. These latest guidelines, issued by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), have broad implications for virtually all financial institutions that employ third parties.

Fostering Safe and Sound Practices

The updated guidance offers more streamlined language and clarification to help institutions better identify and reduce the risks of using third parties such as vendors, suppliers, partners, contractors, and service providers, including financial technology companies. It covers risk management practices for the stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The regulatory agencies' underlying aim is to ensure that institutions have an effective third-party risk management process that supports safe and sound banking practices.

While the new guidance was just finalized in June, examiners are already increasing their questions and expectations regarding third-party risk management. Financial institutions should take proactive steps as soon as possible to address any potential issues. For example, they should broaden their consideration of what constitutes a “business arrangement.” The guidelines indicate that a third-party relationship may exist regardless of whether there is a formal contract or an exchange of compensation. Hence, institutions should be as inclusive as possible by factoring all business arrangements—no matter how insignificant—into their third-party risk management practices.

Important Areas to Consider

The current guidance encompasses a plethora of “statements”—more than 160 of them—that cover a variety of requirements, suggestions, and best practices. Almost 70% of the statements relate to how banking organizations should handle the planning, due diligence, and contract phases. Since these areas involve the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties because auditors and examiners will be looking more closely at what happens prior to engagement. The scrutiny should start at the early phase when bank management begins to consider a project, initiative, or even a concept.

Financial institutions also need to understand the strategic basis or purpose of a proposed business arrangement. They should identify and assess the benefits and risks associated with the arrangement and then verify that they align with their strategic objectives. They also must consider other crucial areas, including the institution’s ability to manage and oversee the relationship, the legal and regulatory compliance implications of the relationship, and the third party’s financial condition, business experience, expertise of key personnel, and operational resilience. Additionally, institutions need to be cognizant of how third parties are managing their own subcontractors, which could ultimately impact the delivery of their services.

However, not all of the 160-plus statements in the new guidance apply to all institutions or all relationships, and some seem unattainable or overly burdensome. Institutions should identify the ones that are the most relevant and feasible and then prioritize their efforts accordingly.

In a joint press release in June, the Federal Reserve Board, FDIC, and OCC said they “plan to engage with community banks immediately and develop additional resources in the near future to assist them in managing relevant third-party risks.” In the meantime, institutions can download interactive checklists we designed to walk them through key regulatory requirements of the third-party relationship life cycle.

To learn more about how the revised guidelines may affect your financial institution, access our webinar on “New Third-Party Risk Managers Guidance.”
