This week US banking regulators asked for comment on proposed interagency guidance on third-party relationships. The proposed guidance will replace existing guidance, some of which dates to 2009. John and Elliot discuss the proposal, what financial service providers should consider as this proposal becomes final, and how the proposal may impact the examination process.
Proposed Interagency Guidance on Third-Party Relationships TRANSCRIPT
John Byrne: Hey, Elliot, how's it going? Nice to see the Bucks have tied it up.
Elliot Berman: Making it interesting for home fans and for general basketball fans all at the same time.
John Byrne: Absolutely.
Elliot Berman: So, this week, the federal bank regulators, including the OCC, issued a notice asking for comment on a proposed risk management guidance for third-party relationships.
Did you see that?
John Byrne: I did, it's pretty lengthy. It's a combination of previously issued guidance and statements. So, the agencies are banding together on this, so a lot to look through, but I think the point we want to make during our conversation is that it's open for 60-day comment periods. Virtually any of our clients we work with who work with third parties, many do, even smaller institutions.
So, it becomes pretty important to determine what examiners are going to be looking for. So, I think it's really essential, as it always is, but to file comments and to offer your operational and other thoughts on something as important as this.
Elliot Berman: Agreed. As you mentioned, there is existing guidance from OCC, FRB, and the FDIC. The FDIC is the oldest that came out in 2009. The Fed and OCC both issued things in 2013. I think it was May of 2020 the OCC issued some FAQs, and, in the release, they mentioned that the inter-agency guidance will be built on the current OCC guidance and FAQ, which makes sense.
You've got to pick something to start. Third-party relationships have become more important. This concept's been around for a long time. Now it applies to lots of different things, and there are some key provisions that will deal with the financial crimes compliance.
John Byrne: Right. We used to call it vendor management years ago. And obviously, that's a broad-based term. So, there's a couple of things that I think are worth calling out.
One is, the OCC and the other agencies have made similar comments that if you fail to have a risk management process for third parties, that's commensurate with your risk levels.
Obviously, going back to the whole notion of your risk levels, it could be an unsafe and unsound practice. So, they say in the notice that these are some of the things that examiners typically look at.
They want to see whether you have the ability to manage the relationships. So, that means you don't defer everything to either the vendor or the generic third-party—pretty common sense. Have a remediation plan and then to deal with issues such as when you get deficiencies that are identified by your third parties or identified by supervisory findings, from the examiners - MRAs, MRIAs, that sort of stuff.
The thing that jumped out at me is the last section on what examiners do. It says, look, the examinations are going to evaluate safety and soundness, operational and financial viability to the third party. That third party's ability to fulfill their contractual obligations and apply the laws and regs and that those laws and regs would include consumer protection. And then in our world BSA, AML, and OFAC laws and regs.
The thing that I would highlight is, given all of that, the agencies may pursue appropriate corrective measures, including enforcement actions to address violations of law regulations, not just by the banking organization but potentially by the third party.
That's an area that I don't think we've seen a lot of that, but if that's going to be a focus. And if maybe potentially a priority that becomes even more important for both sides, right? The third-party and the banking organization need to get their act together from day one.
Elliot Berman: Absolutely. There has been some history of that in the core processing area, where they are examined by federal bank regulators, and there have been enforcement actions of varying types.
I think that when this new guidance is issued, it will renew everybody's focus on it. And so, we may see some examinations of service providers that haven't been used to being examined in the past, and if you have ever been examined before, you know, it takes some prep.
John, I think you had some responsibility for that in the private sector, as I recall.
John Byrne: Right.
And the last thing, as you're filing the comments, understand it with the OCC's content; they're asking you to look at their previously issued FAQs and see whether any of those should be included in the guide. So, please take a look at that. That's an appendix to the proposal, and the topics in the FAQs there is a whole series of them.
But it's things like bank management's responsibility regarding third-party subcontractors and risk management when the bank has limited negotiating power. So, a lot to chew on there, and we'll certainly follow it closely going forward.
And as we always say, hopefully, you'll subscribe to This Week in AML. Get it on iTunes or wherever you get your podcasts.
Elliot Berman: Okay, John, have a great rest of the week, and I will talk to you next week.
John Byrne: Take care, Elliot, go Bucks.
Elliot Berman: Bye-bye.