Third-Party Risk Management in the Spotlight

In early June 2023, the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) published guidance on managing third-party risk, replacing existing guidance that each regulatory agency had published, to have a unified approach to supervisory oversight in this area.

The final guidance is in response to comments received from the proposed guidance from July 2021, and the agencies emphasize that “supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations.”

Background

The topic of third-party risk management has grown exponentially over the past few years due to changes in the financial services industry, including financial institutions partnering with fintech providers and the explosion of artificial intelligence used in many third-party systems. Combine this with ever-increasing regulatory requirements pertaining to technology, cybersecurity, consumer compliance, anti-money laundering, sanctions, and fraud, and you have a very complex situation that requires robust risk management processes.

Guidance and Reminders

What should those risk management processes include? The guidance reminds readers of the importance of three things:

• Defining a third-party relationship broadly — meaning any relationship between a banking organization and another entity
• Identifying critical vendors based on a methodology that makes sense for the institution, acknowledging that not all third-party relationships present the same risk based on the critical activities they are involved with. The regulators present suggestions for what critical activities might include, such as:
  1. The third party fails to meet expectations, creating significant risk for the institution
  2. The third party has significant customer impacts, creating fair lending, UDAAP, privacy, AML, sanctions, and other risks for the institution
  3. The third party has a significant impact on the institution’s financial condition or operations

From a risk and compliance perspective, it’s important to avoid burying compliance risks too deep in the third-party assessment. For example, a vendor’s service might not be mission-critical and could be easily replaceable. The third party’s service might not have a big impact on the institution’s financial condition or operations. But other aspects of the relationship could present a higher criticality level, such as if the third party provides a consumer lending service whereby consumer complaints go directly to the third party, or the vendor might be processing transactions for foreign businesses or individuals, resulting in OFAC risk.

• Using the third-party relationship lifecycle in the risk management process. The guidance defines this lifecycle using the following five stages:
  1. Planning
  2. Due Diligence & Third-Party Selection
  3. Contract Negotiation
  4. Ongoing Monitoring
  5. Termination

In light of this information, vendor management teams should involve risk and compliance professionals at the beginning of the lifecycle, when the possibility of entering into a new third-party relationship first arises. This should be a function of the governance and accountability structure of the institution.  Waiting until the due diligence phase might put risk and compliance professionals at a disadvantage in understanding the relationship.

Related Reading | Getting Started With Vendor Due Diligence Reviews →

Moving Forward

Risk and compliance professionals should update their entire third-party risk management program, including policies and procedures, forms, and workflows. When updating the policy and procedures, pay special attention to roles, responsibilities, and approvals. How does this third-party risk management process interface with the new products/service risk management process? Are there hard stops in place to prevent a contract from being signed before the approvals are obtained? Can a contract be signed with pending items, and if so, which items can be pending when management moves forward with signing a contract? Ensure that the forms and workflow support the entire lifecycle.

As financial services organizations of all types rely on vendors and other third parties to provide products and services to their customers, those relationships may pose significant risk to the institution. Based on the content of the guidance released in June, regulators will be examining this area closely in the near future. A solid third-party risk management program will help to identify and mitigate these risks.

Read Next | Governing the Third-Party Risk Management Lifecycle →