Interagency Guidance on Third Party Risk Management

With the proliferation of innovative technologies, banking organizations are depending on more third-party service providers or vendors than ever before to help deliver their products, services, and other activities. While there are benefits to using third-party vendors, the use of third-party services does not absolve a bank of its obligation to manage the risk associated with the activity. On the contrary, the use of the third-party services may introduce new risk or increase an existing risk. As third-party services become an integral part of banking operations, the third-party risk management process becomes more critical. For safe and sound operations of the banking organizations, regulators around the world are developing updated or new guidelines and standards related to third-party risk management practices. Most recently, on June 6, 2023, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) issued interagency guidance (or the Guidance) on third-party risk management for all banking organizations supervised by the Agencies¹. The Guidance provides a consistent approach to third-party risk management across all the banking organizations and replaces each agency’s previously issued guidance. The Guidance provides a new third-party risk management framework leveraging the OCC’s 2013 guidance and its 2020 frequently asked questions. In addition to introducing several new requirements across the third-party relationship life cycle, the Guidance emphasizes the Agencies focus on risks associated with third-party relationships in general and fintech partnerships in particular. While the interagency guidance is primarily applicable to banking organizations, fintech entities engaged in third-party relationships, specifically partnerships involving novel activities with banking organizations, should also take note, as banks will expect their compliance with the Guidance.  The key requirements of the Guidance² are outlined below.

Interagency Guidance

The objective of the Guidance is to promote consistent third-party risk management principles across banking organizations. The Guidance states that “sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.”³ The Guidance is not prescriptive and provides flexibility for the banking organizations to design and implement their risk management approaches based on third-party relationships and the associated risks. The guidelines state that an effective third-party risk management life cycle consists of (1) planning, (2) due diligence and third-party selection, (3) contract negotiation, (4) ongoing monitoring, and (5) termination phase.

Planning — During the planning phase, a bank determines how to manage the risks associated with a third-party relationship. Not all vendors require the same amount of planning. For example, a vendor supporting a critical activity will require more detailed planning than vendors providing simple services. During the planning phase, a bank should understand the strategic purpose of engaging with a third-party service provider, identify risks associated with the activity, assess the cost and benefit of the engagement, and understand the information security implications. Additionally, the bank should also assess its ability to monitor the risks associated with the third-party relationship.

Due Diligence and Third-Party Selection — Due diligence is the process of evaluating a third-party service provider’s ability to perform an activity for a bank in a safe and sound manner. It is a critical step for a bank prior to entering into a contract with a third party. The scope and nature of the due diligence depends on the risk and complexity of the activity. Depending on the nature of the third-party relationship, a bank may consider the following factors, among others, as part of the due diligence process⁴:

• Strategies and goals: A review of the strategy and goals of a third party helps the bank to understand the strategic intent, business philosophy, policy, and employment practices of the third party, which are critical in determining the suitability of the vendor.
• Legal and regulatory compliance: Legal and regulatory compliance posture of a third party helps the bank to determine the third party’s ability to address any compliance risk that may arise from the activity provided to the bank. 
• Financial condition: Assessment of the financial reports such as audited financial statements, annual reports, US Securities and Exchange Commission filings help to determine the viability of the third party as a service provider. 
• Business experience: Business experience of the third party, such as past experience of supporting similar activity and past customer feedback, among others, establishes the competency of the service provider. 
• Qualifications and backgrounds of key personnel and other human resources considerations: Evaluation of qualifications and experience of key personnel helps in ascertaining the ability of the third party to support the activity provided to the bank. 
• Risk management: An assessment of the overall risk management posture of the third party, including review of risk management policies, procedures, and internal controls, are important considerations while conducting a due diligence examination. As an example, a bank may consider reviewing the System and Organization Controls report of the third party to determine the adequacy of governance, policies, procedures, and internal controls. 
• Information security: The assessment typically involves review of the access control, application security, and results of vulnerability and penetration tests, among others. The objective is to ascertain a third party’s ability to maintain confidentiality, integrity, and availability of information that the third party has access to from the bank. 
• Management of information system: When technology is a major component of a third-party relationship, it is critical to evaluate the technology process, service level, and interoperability issues.
• Operational resilience: It is crucial to understand a third party’s ability to operate through and recover from an incident or disaster. Review of business continuity policy and test results can help in determining the adequacy of the operational resiliency posture of the third party. 
• Incident reporting and management processes: Review of the incident reporting and management processes helps a bank to determine the third party’s ability to meet the bank’s policy and regulatory expectations related to incident notification.  
• Physical security: This typically involves review of safety and security of the physical facility of a third-party service provider.
• Reliance on subcontractors: Subcontractors can pose additional risk to a third-party relationship. It is important to assess the volume and quality of subcontractors used by a third party and its ability to manage the risk associated with it.
• Insurance coverage: Insurance coverage of a third party helps in mitigating future potential losses to the bank caused by the third party.
• Contractual arrangements with other parties: It is essential to evaluate a third party’s contract with other parties, including sub-contractors, which might transfer or bring additional risk to the bank.

Contract Negotiation — A contract is a formal agreement that includes provisions that governs the relationship between a bank and a third party. Level of details in the contract depends on the complexity and nature of the third-party relationship. The contract document helps the bank to manage the risk associated with the third party. While developing a contract, the bank may include the following factors: (a) Nature and scope of arrangement; (b) Performance measures or benchmarks; (c) Responsibilities for providing, receiving, and retaining information; (d) The right to audit and required remediation; (e) Responsibility for compliance with applicable laws and regulations; (f) Costs and compensation; (g) Ownership and license; (h) Confidentiality and integrity; (i) Operational resilience and business continuity; (j) Indemnification and limits on liability; (k) Insurance; (l) Dispute resolution; (m) Customer complaints; (n) Subcontracting; (o) Foreign-based third parties; (p) Default and termination; (q) Regulatory supervision⁵. 

Ongoing Monitoring — Ongoing monitoring helps a bank to assess the ability of a third party to meet the contractual obligations. Ongoing monitoring may be conducted on a periodic or an ongoing basis. The nature and complexity of third-party relationship decides the frequency of monitoring. The monitoring activities include review of performance report, assessment of controls related to third-party activity, and review discussion with third-party representatives. During ongoing monitoring, the bank may consider the same factors used during the due diligence phase. 

Termination Activity — A bank may terminate a third-party relationship for several reasons. While planning for termination, proper consideration should be given to transition timeline, costs, and fees associated with the termination, intellectual property ownership, and availability of alternatives, among others. 

Conclusion

Regulators will continue to focus on third-party risk management as a key area for the supervisory examination as banks engage more external partners for their critical services, technologies, and human capital needs. With the new Guidance in effect, banking organizations should assess their current third-party risk management program to ensure that their program adheres to the interagency guidance. Banks should consider carrying out the following activities to ensure conformity with the Guidance: assess the third-party risk assessment framework to ensure it aligns with a risk-based approach; create a documented inventory of third-party relationships; revise and enhance the due diligence process in accordance with the Guidance; update policies and procedures; maintain comprehensive documentation and audit trail for all third-party relationships; identify third-party relationships involving novel activities requiring heightened risk management; and conduct an independent assessment of third-party risk management programs.

How Guidehouse Can Help

Guidehouse is highly qualified and experienced in helping financial institutions with various third-party risk management activities to comply with regulations, standards, and guidelines. Our experts have worked on multiple third-party risk management engagements, and we have an unparalleled perspective into key issues driving regulatory actions. We have assisted organizations of all sizes, including top-tier banks, insurance companies, and fintech companies, with third-party risk management initiatives. Guidehouse’s third-party risk management services include:

1. Third-Party Risk Management Program Development — Develop third-party risk management strategy, framework, methodology, processes, policies, and procedures
2. Independent Program Assessment — Assess the current state of the third-party risk management program against regulations, guidelines, and standards
3. Third-Party Due Diligence — Assist with third-party due diligence, including risk identification, third-party risk assessment, reporting, and monitoring
4. System Implementation Assistance — Assist with business requirements documentation, system development, vendor selection, system implementation, program management, and testing of third-party risk management application
5. Managed Services and Outsourcing — Assist with ongoing risk assessment and monitoring activities.