New Guidance on Third-Party Risk Management for US Banks

The federal banking regulators have issued interagency guidance on managing the risks of working with third parties. The new guidance finalizes the proposal published in July 2021 and replaces previous guidance issued individually by the agencies. In the release, the agencies recognize the value of interacting with third parties, noting that “[T]he use of third parties can offer banking organizations significant benefits, such as access to new technologies, human capital, delivery channels, products, services, and markets.”

The new guidance covers all third-party relationships, regardless of the lack of “a contract or remuneration,” and extends beyond the scope of vendor management requirements. It also recognizes that not every third-party relationship represents the same level of risk and that banks may adjust their risk management activities based on the risks presented. The guidance does not apply to depositors and other customers who take services, including loan customers (other guidance and regulations govern those interactions).

A footnote acknowledges that “[S]upervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations.”

The guidance is organized into four sections:

• Risk Management
• Third-Party Relationship Lifecycle
• Governance
• Supervisory Reviews of Third-Party Relationships.

Risk Management

The agencies state that sound risk management requires more “comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.” Critical activities include those which could:

• Cause significant risk if a third party “fails to meet expectations”
• Have a significant impact on customers
• Have a significant impact on operations or financial condition.

Identifying critical activities is part of an effective risk-based risk management process.

Relationship Lifecycle

The release includes a detailed discussion of the third-party relationship lifecycle, saying the risk management process should align with the lifecycle. The lifecycle consists of five stages:

• Planning
• Due diligence and third-party selections
• Contract negotiation
• Ongoing monitoring
• Termination.

The guidance offers many examples of sound risk management techniques that banks should consider for each of the five stages. These examples also provide a roadmap for the overall process.

Governance

The agencies make clear that banks use different structures to carry out their risk management activities. The guidance reminds us that a bank’s “board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable.” It also calls out these typical elements that boards should consider:

• Does the third-party risk management program support the bank’s strategic goals and align with its risk appetite?
• Does it receive effective reporting on the bank’s third-party relationships?
• Is management taking appropriate actions to repair declining performance or addressing changing risks or material issues identified?

The guidance also reminds us that “management is responsible for developing and implementing third-party risk management policies, procedures, and practices commensurate with the banking organization’s risk appetite and the level of risk and complexity of its third-party relationships.” It also calls out a list of some actions that management should consider in carrying out its responsibilities.

The guidance also includes a discussion on the need for an effective independent review mechanism to test the functioning of the risk management program.

Supervisory Review

The agencies include a discussion of what examination teams will look at when assessing the effectiveness of your third-party risk management program.

Key Takeaways

• The interagency guidance is built on the prior Office of the Comptroller of the Currency (OCC) guidance, which was somewhat more prescriptive than the previous guidance from the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve (Fed). State-chartered banks should carefully assess what new actions they need to take that were not covered in the prior guidance from their regulator.
• Banks supervised by the OCC should do a gap analysis to identify aspects of the interagency guidance that are not part of their present third-party risk management program.
• Because the guidance extends to all third-party relationships, banks should have a complete inventory of third-party relationships. If your organization has an inventory, perform a gap analysis to ensure that it includes third parties not part of your vendor management process.
• Consider reviewing your third-party risk management program through a “critical activities lens” to see if you have identified all your significant risks.
• The guidance is a good roadmap for reviewing your existing third-party risk management program.
• The guidance Is a good guide for what the examination teams will look at when assessing your program.