Tag: OCC

12 Oct 2023
Updated Regulatory Guidelines on Third-Party Risk Management

Updated Regulatory Guidelines on Third-Party Risk Management

Updated Regulatory Guidelines on Third-Party Risk Management

Earlier this year, federal bank regulatory agencies released new guidance designed to help banking organizations better manage risks related to third-party relationships. These latest guidelines, issued by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), have broad implications for virtually all financial institutions that employ third parties.

Fostering Safe and Sound Practices

The updated guidance offers more streamlined language and clarification to help institutions better identify and reduce risks relating to using third parties like vendors, suppliers, partners, contractors, and service providers—including financial technology companies. It covers risk management practices for the stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The underlying impetus of regulatory agencies is to ensure that institutions have an effective third-party risk management process that supports safe and sound banking practices.

While the new guidance was just finalized in June, examiners are already increasing their questions and expectations regarding third-party risk management. Financial institutions should take proactive steps as soon as possible to address any potential issues. For example, they should broaden their consideration of what constitutes a “business arrangement.” The guidelines indicate that a third-party relationship may exist regardless of whether there is a formal contract or an exchange of compensation. Hence, institutions should be as inclusive as possible by factoring all business arrangements—no matter how insignificant—into their third-party risk management practices.

Important Areas to Consider

The current guidance encompasses a plethora of “statements”—more than 160 of them—that cover a variety of requirements, suggestions, and best practices. Almost 70% of the statements relate to how banking organizations should handle the planning, due diligence, and contract phases. Since these areas involve the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties because auditors and examiners will be looking more closely at what happens prior to engagement. The scrutiny should start at the early phase when bank management begins to consider a project, initiative, or even a concept.

Financial institutions also need to understand the strategic basis or purpose of a proposed business arrangement. They should identify and assess the benefits and risks associated with the arrangement and then verify that they align with their strategic objectives. They also must consider other crucial areas, including the institution’s ability to manage and oversee the relationship, the legal and regulatory compliance implications of the relationship, along with the third party’s financial condition, business experience, expertise of key personnel, and operational resilience. Additionally, institutions need to be cognizant of how third parties are managing their own subcontractors, which could ultimately impact the delivery of their services.

However, not all of the 160-plus statements in the new guidance apply to all institutions or all relationships, and some seem unattainable or overly burdensome. Institutions should identify the ones that are the most relevant and feasible and then prioritize their efforts accordingly.

In a joint press release in June, the Federal Reserve Board, FDIC, and OCC said they “plan to engage with community banks immediately and develop additional resources in the near future to assist them in managing relevant third-party risks.” In the meantime, institutions can download interactive checklists we designed to walk them through key regulatory requirements of the third-party relationship life cycle.

To learn more about how the revised guidelines may affect your financial institution, access our webinar on “New Third-Party Risk Managers Guidance.”

05 Apr 2023
Evolution of Third-party Management

Evolution of Third-party Management

Evolution of Third-party Management

Pending interagency guidance on the management of third-party relationships will significantly alter how financial institutions (FIs) handle risks related to external service providers. The new guidelines will increase the complexity and responsibility of third-party management for banking organizations in the near future. These standards will apply to all financial institutions—including community banks—with third-party relationships.1

The updated guidance—proposed jointly by the Board of Governors of the Federal Reserve System (the Board), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—will consolidate2 the agencies’ separate rules into a single common guideline built around the OCC Bulletin 2013-29. The proposed guidance states that “the new framework is based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.”

Increased Regulatory Expectations

FIs s need to consider the key implications of increased regulatory scrutiny in this area, particularly where they expand on current expectations. For instance, regulators will expect them to do more due diligence on the pre-engagement side, which affects the initial selection and contract negotiation process. Institutions will also be held more accountable for understanding and predefining the termination process for outside service providers. This includes considering who owns data, how the data is returned, and how it is disposed of after the relationship with the provider ends.

From a regulatory perspective, third parties represent the biggest single source of noncontrollable risk to a bank or credit union. To a considerable extent, examiners will draw comparisons to overall enterprise risk management maturity from an institution’s third-party risk management program. In their words; “A banking organization’s failure to have an effective third-party risk management process that is commensurate with the level of risk, the complexity of third-party relationships, and the organizational structure of the banking organization may be an unsafe or unsound practice.” In addition, they will expect to see sufficient oversight at all levels, from the board to senior management, and ultimately the employees directly overseeing the individual relationships.

Vendor vs. Third Party

It is also critical for FIs to be aware of—and adjust for—the difference between the terms “vendor” and “third party.” While banks have historically used these words interchangeably, it is now clear that institutions will have to remove the term “vendor” from their vocabulary and substitute “third-party” in its place. The proposed guidance uses the term “vendor” only 4 times, while the term “third-party” is used 262 times!

The reason for the change is more than just semantic, it represents a significant shift in how a third party is defined. A third party can be any entity with which the institution has a business relationship, and neither a written contract nor monetary exchange is necessary to establish a business arrangement. A business relationship can include more obvious arrangements such as referral agreements and professional services providers like law and audit firms, but also less obvious companies such as maintenance, catering, and custodial service companies. Business arrangements have greatly expanded and become more varied and, in some cases, far more complex. FI’s should be prepared to expand the scope of their third-party risk management (TPRM) program.

Expansion of Third-Party Risk Assessment

Financial institutions will also need to expand third-party risk management beyond the scope of the Gramm-Leach-Bliley Act (GBLA) to comply with the new guidance. They should broaden their focus beyond non-public information (NPI) to include anything that may not be directly related to customer information, but still needs to remain confidential. This can include strategic plans, unaudited financial statements, HR and shareholder records, and committee meeting minutes. Regardless of the type of information, regulators will expect institutions to manage their risk by accurately assessing all third-party exposure to the storage, transmittal, and processing of information.

While institutions cannot directly control third-party risks, they will need to request and review certain documents—especially from critical parties. A few key third-party documents that institutions should examine prior to engagement3 include contracts, audit reports4, and financials. Depending on criticality, FIs may also need to maintain a list of potential alternate providers in case their primary provider fails or cannot complete the terms of their contract. Finally, institution management should be fully aware of any gaps or limitations in third-party contracts, so they can manage any increased residual risk effectively.

Another area likely to draw increased scrutiny is Complementary User-entity Controls (CUECs), included in the SOC report. These are the controls third parties require for you to utilize their products or service. The best practice strongly suggests you document these CUECs and adhere to them.

Financial institutions that may lack the internal time and/or expertise to review third-party contracts, financials, and SOC reports, can consider adding a solution like Safe Systems’ Vendor Management Document Review. The service enhances the control review process and makes it easier for institutions to meet the increased regulatory expectations for managing third parties. Read more about this topic by accessing our “Evolution of Third Party Management” webinar.

1 As of this date the NCUA has not indicated that they will be a signatory on this new guidance.

2 The Board’s 2013 guidance, the FDIC’s 2008 guidance, the OCC’s 2013 guidance and its 2020 FAQs.

3 Certain documents such as SOC reports may only be made available after a contract is in place.

4 Depending on the trust criteria selected, audit reports like the AICPA System and Organization Controls (SOC) 1 and SOC 2 should also include an auditor opinion on the information security and business continuity controls in place at the third party.