By Kathryn Rock, Prasun Howli
With the proliferation of innovative technologies, banking organizations are depending on more third-party service providers or vendors than ever before to help deliver their products, services, and other activities. While there are benefits to using third-party vendors, the use of third-party services does not absolve a bank of its obligation to manage the risk associated with the activity. On the contrary, the use of third-party services may introduce new risk or increase an existing risk. As third-party services become an integral part of banking operations, the third-party risk management process becomes more critical. For the safe and sound operation of banking organizations, regulators around the world are developing updated or new guidelines and standards related to third-party risk management practices. Most recently, on June 6, 2023, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) issued interagency guidance (the Guidance) on third-party risk management for all banking organizations supervised by the Agencies1. The Guidance provides a consistent approach to third-party risk management across all banking organizations and replaces each agency’s previously issued guidance. The Guidance provides a new third-party risk management framework leveraging the OCC’s 2013 guidance and its 2020 frequently asked questions. In addition to introducing several new requirements across the third-party relationship life cycle, the Guidance emphasizes the Agencies’ focus on risks associated with third-party relationships in general and fintech partnerships in particular.
While the interagency guidance is primarily applicable to banking organizations, fintech entities engaged in third-party relationships, specifically partnerships involving novel activities with banking organizations, should also take note, as banks will expect their compliance with the Guidance. The key requirements of the Guidance2 are outlined below.
The objective of the Guidance is to promote consistent third-party risk management principles across banking organizations. The Guidance states that “sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.”3 The Guidance is not prescriptive and provides flexibility for banking organizations to design and implement their risk management approaches based on their third-party relationships and the associated risks. The Guidance states that an effective third-party risk management life cycle consists of (1) planning, (2) due diligence and third-party selection, (3) contract negotiation, (4) ongoing monitoring, and (5) termination.
Planning — During the planning phase, a bank determines how to manage the risks associated with a third-party relationship. Not all vendors require the same amount of planning. For example, a vendor supporting a critical activity will require more detailed planning than a vendor providing simple services. During the planning phase, a bank should understand the strategic purpose of engaging a third-party service provider, identify the risks associated with the activity, assess the costs and benefits of the engagement, and understand the information security implications. The bank should also assess its own ability to monitor the risks associated with the third-party relationship.
Due Diligence and Third-Party Selection — Due diligence is the process of evaluating a third-party service provider’s ability to perform an activity for a bank in a safe and sound manner. It is a critical step for a bank prior to entering into a contract with a third party. The scope and nature of the due diligence depend on the risk and complexity of the activity. Depending on the nature of the third-party relationship, a bank may consider the following factors, among others, as part of the due diligence process4:
Contract Negotiation — A contract is a formal agreement that includes provisions governing the relationship between a bank and a third party. The level of detail in the contract depends on the complexity and nature of the third-party relationship. The contract document helps the bank manage the risk associated with the third party. While developing a contract, the bank may address the following factors: (a) nature and scope of the arrangement; (b) performance measures or benchmarks; (c) responsibilities for providing, receiving, and retaining information; (d) the right to audit and required remediation; (e) responsibility for compliance with applicable laws and regulations; (f) costs and compensation; (g) ownership and license; (h) confidentiality and integrity; (i) operational resilience and business continuity; (j) indemnification and limits on liability; (k) insurance; (l) dispute resolution; (m) customer complaints; (n) subcontracting; (o) foreign-based third parties; (p) default and termination; (q) regulatory supervision5.
Ongoing Monitoring — Ongoing monitoring helps a bank assess the ability of a third party to meet its contractual obligations. Monitoring may be conducted on a periodic or a continuous basis; the nature and complexity of the third-party relationship determine its frequency. Monitoring activities include review of performance reports, assessment of controls related to the third-party activity, and review discussions with third-party representatives. During ongoing monitoring, the bank may consider the same factors used during the due diligence phase.
Termination — A bank may terminate a third-party relationship for several reasons. While planning for termination, proper consideration should be given to the transition timeline, the costs and fees associated with the termination, intellectual property ownership, and the availability of alternatives, among other factors.
Regulators will continue to focus on third-party risk management as a key area of supervisory examination as banks engage more external partners for their critical services, technologies, and human capital needs. With the new Guidance in effect, banking organizations should assess their current third-party risk management program to ensure that it adheres to the interagency guidance. Banks should consider carrying out the following activities to ensure conformity with the Guidance: assess the third-party risk assessment framework to ensure it aligns with a risk-based approach; create a documented inventory of third-party relationships; revise and enhance the due diligence process in accordance with the Guidance; update policies and procedures; maintain comprehensive documentation and an audit trail for all third-party relationships; identify third-party relationships involving novel activities that require heightened risk management; and conduct an independent assessment of the third-party risk management program.
Guidehouse is highly qualified and experienced in helping financial institutions with various third-party risk management activities to comply with regulations, standards, and guidelines. Our experts have worked on multiple third-party risk management engagements, and we have an unparalleled perspective into key issues driving regulatory actions. We have assisted organizations of all sizes, including top-tier banks, insurance companies, and fintech companies, with third-party risk management initiatives. Guidehouse’s third-party risk management services include:
Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.