On June 6, 2023, the Federal Bank Regulatory Agencies (the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC), together the "Agencies") issued final joint guidance (the "Final Guidance") designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies. The Agencies state in the Final Guidance that a banking organization's use of third parties can increase its risk. Nonetheless, the use of third parties does not diminish or remove a banking organization's responsibility to perform all activities in a safe and sound manner, in compliance with applicable laws and regulations, including those related to consumer protection and the security of customer information. The Agencies recognize that sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. The Final Guidance is intended to be a resource to assist banking organizations in implementing third-party risk management practices by providing examples of considerations in the planning, due diligence, contract negotiation, ongoing monitoring, and termination stages of managing third-party relationships.
The Final Guidance states that a banking organization can be exposed to adverse impacts, including substantial financial loss and operational disruption, if it fails to appropriately manage the risks associated with third-party relationships. As a result, banking organizations ought to recognize that an Agency may use its legal authority to examine functions or operations that a third party performs on a banking organization's behalf. Such examinations may evaluate the third party's ability to fulfill its obligations in a safe and sound manner and to comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services. The Agencies may pursue corrective measures, including enforcement actions, when necessary to address violations of laws and regulations or unsafe or unsound banking practices by the banking organization or its third party.
The Final Guidance addresses any business arrangement between a banking organization and another entity, whether by contract or otherwise. A third-party relationship may exist despite a lack of a contract or remuneration. Third-party relationships can include, but are not limited to: outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. Some banking organizations may form third-party relationships with new or novel structures and features including fintech companies. The respective roles and responsibilities of a banking organization and a third party may differ, based on the specific circumstances of the relationship.
As part of sound risk management, banking organizations ought to engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities. Critical activities may include those activities that could:
- Cause a banking organization to face significant risk if the third party fails to meet expectations
- Have significant customer impacts
- Have a significant impact on a banking organization’s financial condition or operations
Third-Party Relationship Life Cycle
Effective third-party risk management follows a continuous life cycle for third-party relationships.
- Planning: Effective planning allows a banking organization to evaluate and consider how to manage risks before entering into a third-party relationship. Banking organizations consider the strategic purpose of the business arrangement and how it aligns with the banking organization's overall strategic goals, objectives, risk appetite, risk profile, and broader corporate policies; they identify and assess the benefits and risks associated with the arrangement and determine how to appropriately manage the identified risks. They also consider the nature of the business arrangement, such as the volume of activity, use of subcontractor(s), technology needed, interaction with customers, and use of foreign-based third parties.
- Due Diligence and Third-Party Selection: Due diligence includes assessing the third party’s ability to: perform the activity as expected, adhere to a banking organization’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner. A banking organization typically considers the following factors, among others, as part of due diligence: Strategies and Goals, Legal and Regulatory Compliance, Financial Condition, Business Experience, Qualifications and Backgrounds of Key Personnel and Other Human Resources Considerations, Risk Management, Information Security, Management of Information Systems, Operational Resilience, Incident Reporting and Management Processes, Physical Security, Reliance on Subcontractors, Insurance Coverage, and Contractual Arrangements with Other Parties.
- Contract Negotiation: Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers the following factors during contract negotiations: Nature and Scope of Arrangement; Performance Measures or Benchmarks; Responsibilities for Providing, Receiving, and Retaining Information; the Right to Audit and Require Remediation; Responsibility for Compliance with Applicable Laws and Regulations; Costs and Compensation; Ownership and License; Confidentiality and Integrity; Operational Resilience and Business Continuity; Indemnification and Limits on Liability; Insurance; Dispute Resolution; Customer Complaints; Subcontracting; Foreign-Based Third Parties; Default and Termination; and Regulatory Supervision.
- Ongoing Monitoring: Ongoing monitoring enables a banking organization to: (1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and (3) respond to such significant issues or concerns when identified. Typical monitoring activities include: (1) review of reports regarding the third party’s performance and the effectiveness of its controls; (2) periodic visits and meetings with third-party representatives to discuss performance and operational issues; and (3) regular testing of the banking organization’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities.
- Termination: A banking organization may terminate a relationship for various reasons, such as expiration or breach of the contract, the third party’s failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bring the activity in-house, or discontinue the activity. When this occurs, it is important for management to terminate relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued.
The following practices are typically considered throughout the third-party risk management life cycle, commensurate with risk and complexity:
- Oversight and Accountability
- Independent Reviews
- Documentation and Reporting
Supervisory Reviews of Third-Party Relationships
When reviewing third-party risk management processes, examiners typically conduct the following activities, among others:
- Assess the ability of the banking organization’s management to oversee and manage the banking organization’s third-party relationships
- Assess the impact of third-party relationships on the banking organization’s risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations
- Perform transaction testing or review results of testing to evaluate the activities performed by the third party and assess compliance with applicable laws and regulations
- Highlight and discuss any material risks and deficiencies in the banking organization’s risk management process with senior management and the board of directors as appropriate
- Review the banking organization’s plans for appropriate and sustainable remediation of any deficiencies, particularly those associated with the oversight of third parties that involve critical activities
- Consider supervisory findings when assigning the components of the applicable rating system and highlight any material risks and deficiencies in the Report of Examination
How is your Banking Organization managing Third-Party Risks and Relationships?
Could a financial regulator determine that there is a deficiency in managing your Third-Party Risks and Relationships?
Who is your Corporate Governance Advisor?