On June 6, the federal banking agencies issued final Interagency Guidance on banks’ management of risks associated with their third-party relationships. The Guidance responds to the increasing number of relationships between banks and third parties and establishes principles and a framework for banks to consider when developing and implementing third-party risk management practices. While the Guidance is based on and largely tracks the OCC’s prior third-party guidance, it is broader in reach and more detailed than the prior guidance of the Federal Reserve and FDIC.
As a first principle of sound risk management, the banking agencies note that a bank analyzes the risks associated with each third-party relationship and tailors risk management practices, commensurate with the bank’s size, complexity, and risk profile and with the nature of the third-party relationship. In this regard, the banking agencies note that maintaining a complete inventory of its third-party relationships and periodically conducting risk assessments for each third-party relationship are supportive of a bank’s sound risk management. The Guidance notes that as part of sound risk management, banks engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities. To this end, banks must identify their critical activities and third-party relationships that support these critical activities. Characteristics of critical activities may include those activities that could cause a bank to face significant risk if the third party fails to meet expectations; have significant customer impacts; or have a significant impact on a bank’s financial condition or operations.
The Guidance provides detailed guidance on implementing effective third-party risk management practices by providing examples of considerations in the planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination stages of managing third-party relationships.
With regard to due diligence, the Guidance emphasizes the importance of due diligence across a range of factors to obtain the information needed about potential third parties to determine if a relationship would help achieve a bank’s strategic and financial goals as well as evaluate whether the bank can appropriately identify, monitor, and control risks associated with the particular third-party relationship. The following factors are typically considered as part of a bank’s due diligence:
The Guidance describes ongoing monitoring throughout the duration of the relationship as integral to effective risk management, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party. The Guidance also describes oversight and accountability measures for a bank’s third-party risk management program, documentation and reporting, and independent reviews.
Finally, the Guidance includes a statement that each banking agency will review its supervised banks’ risk management of third-party relationships as part of its standard supervisory processes. Supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
Recognizing that implementing these risk-management practices may be challenging, particularly for smaller banks, the Guidance suggests that a bank may use the services of industry utilities or consortiums, consult with other organizations, or engage in joint efforts to supplement its due diligence. It further states that banks may engage external resources, refer to conformity assessments or certifications, or collaborate when performing ongoing monitoring in order to gain efficiencies or leverage specialized expertise.
At True Digital, we look forward to supporting our member banks by serving as an industry utility and a forum for collaboration. The True Digital Platform supports banks’ risk management programs in the following ways, among others:
We will continue to build out the Platform’s capabilities to serve as an industry utility that meets the ever-evolving innovation and regulatory needs of the banking industry.