In early June 2023, the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) published guidance on managing third-party risk, replacing the separate guidance each agency had previously issued, in order to establish a unified approach to supervisory oversight in this area.
The final guidance responds to comments received on the proposed guidance published in July 2021, and the agencies emphasize that “supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations.”
Attention to third-party risk management has grown exponentially over the past few years due to changes in the financial services industry, including financial institutions partnering with fintech providers and the explosion of artificial intelligence used in many third-party systems. Combine this with ever-increasing regulatory requirements pertaining to technology, cybersecurity, consumer compliance, anti-money laundering, sanctions, and fraud, and the result is a very complex situation that requires robust risk management processes.
What should those risk management processes include? The guidance reminds readers of the importance of three things:
From a risk and compliance perspective, it’s important to avoid burying compliance risks too deep in the third-party assessment. For example, a vendor’s service might not be mission-critical and could be easily replaceable, and it might not have a big impact on the institution’s financial condition or operations. But other aspects of the relationship could present a higher criticality level, such as when the third party provides a consumer lending service in which consumer complaints go directly to the third party, or when the vendor processes transactions for foreign businesses or individuals, creating OFAC (sanctions) risk.
In light of this information, vendor management teams should involve risk and compliance professionals at the beginning of the lifecycle, when the possibility of entering into a new third-party relationship first arises. This should be a function of the governance and accountability structure of the institution. Waiting until the due diligence phase might put risk and compliance professionals at a disadvantage in understanding the relationship.
Risk and compliance professionals should update their entire third-party risk management program, including policies and procedures, forms, and workflows. When updating the policies and procedures, pay special attention to roles, responsibilities, and approvals. How does the third-party risk management process interface with the new products/services risk management process? Are there hard stops in place to prevent a contract from being signed before the required approvals are obtained? Can a contract be signed with pending items, and if so, which items may remain pending when management moves forward with signing? Ensure that the forms and workflows support the entire lifecycle.
As financial services organizations of all types rely on vendors and other third parties to deliver products and services to their customers, those relationships may pose significant risk to the institution. Based on the content of the guidance released in June, regulators will be examining this area closely in the near future. A solid third-party risk management program will help identify and mitigate these risks.