Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Final Interagency Third-Party Risk Management Guidance: 4 Actions to Comply

5 min read
Featured Image

Well, it’s official! The long-awaited Interagency Guidance on Third-Party Relationships: Risk Management is now final, nearly two years after it was first introduced by the Federal Reserve Board, FDIC, and OCC. 

Each of these agencies had previously issued their own set of general third-party risk management (TPRM) guidelines — the Board’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and its 2020 frequently asked questions. These have now been replaced with this final 68-page interagency guidance. 

Note: The final guidance retains the scope of the term “business arrangement” that was initially defined in the 2021 proposed guidance. That guidance states, “The term ‘business arrangement’ is meant to be interpreted broadly to enable banking organizations to identify all third-party relationships for which the proposed guidance is relevant.” 

This guidance is effective beginning June 6, 2023, and is intended to provide a more consistent approach on how banking organizations should manage third-party relationships. We previously covered some of the highlights from this proposed risk management guidance shortly after it was released, so now we’ll focus on suggested next steps to comply with the agencies’ expectations. 

Even if your organization is not regulated by these agencies, keep in mind that it’s common for regulators across different agencies to look to each other for best practices.

Please note that direct excerpts from the guidance are noted in italicized text. 

4 Suggested Actions to Meet Regulatory Compliance 

The guidance is structured in five sections, beginning with an overview. The following four suggested actions align with the remaining sections outlined in the guidance. 

final interagency third party risk management guidance

1. Identify Your Critical and High-Risk Vendors

Section B of the guidance states that third-party relationships will present different levels of risk and will therefore require different levels of oversight. An effective TPRM program will require an organization to identify its third parties that involve high-risk and/or critical activities. The guidance provides some helpful criteria that can define critical activities:

    • Cause a banking organization to face significant risk if the third party fails to meet expectations
    • Have significant customer impacts
    • Have a significant impact on a banking organization’s financial condition or operations

Keep in mind that regulators expect organizations to determine for themselves which third-party relationships are critical. The descriptions listed above are simply guidelines that can be used to make this determination. 

After you’ve established a process to identify your high-risk and critical third parties, you can then take a risk-based approach to your TPRM activities, such as due diligence, risk assessments, and ongoing monitoring.

2. Follow the Lifecycle

The next section describes the TPRM lifecycle, which is considered a tried-and-true process that will help identify, mitigate, and manage a third-party’s risk. The guidance lists the following five stages in the lifecycle: planning, due diligence and third-party selection, contract management, ongoing monitoring, and termination. The guidance also references the importance of using subject matter experts (SMEs) in TPRM activities:

It is important to involve staff with the requisite knowledge and skills in each stage of the risk management life cycle. A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.

Each of these stages contains many considerations, so it’s worthwhile to read through the guidance so you can better align your TPRM program and processes with the agencies’ guidelines.

3. Review Your Governance Documents

Section D of the guidance covers governance, which is often considered the foundation of the TPRM lifecycle. The agencies state that there are certain practices that should be considered, including oversight and accountability, independent reviews, and documentation and reporting. In particular, the guidance highlights who should be responsible in overseeing third-party risk management:

A banking organization’s board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable.

It’s recommended that an organization reviews its policy, program, and procedures to ensure that they include details that are called out in the final guidance.

4. Prepare for Audits and Exams

The final section of the guidance briefly covers how examiners will assess an organization’s TPRM processes, noting that an organization’s third-party relationships will present different risks. Examiners would assess these processes through activities such as:

    • Assess the ability of the banking organization’s management to oversee and manage the banking organization’s third-party relationships
    • Assess the impact of third-party relationships on the banking organization’s risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations

Organizations that violate laws and regulations or are engaged in unsafe third-party practices may be subject to enforcement actions, so it’s recommended to self-audit your TPRM program at least annually. 

As you perform this self-audit, make sure you can prove that your policy is compliant with all laws, rules, and regulations. You should also verify that your processes align with your policy and that they’re effective for identifying, assessing, and managing third-party risk. Any exceptions to your processes should also be documented, so they can be presented to examiners if needed.

3 Additions to Your Existing TPRM Program

So, maybe you’ve read through these suggested actions and realized your program is already in good shape. If so, great! Here are just a few more additions that you may need to implement in your program, if you’re not already doing so:

  • Identify your subcontractors. The final guidance removed the term “critical subcontractor,” though it should still be noted that the agencies expect organizations to have a certain level of oversight on their subcontractors. According to the final guidance, 
    “…relationships with a third party, including a third party’s use of subcontractors, should be evaluated based on the risk the relationship poses to the banking organization, which may include assessing whether a third party’s use of subcontractors may heighten or raise additional risk to the banking organization and applying mitigating factors, as appropriate.” Identifying your subcontractors (also known as fourth parties) is an important first step in evaluating the risks they pose to your organization.
  • Establish a strategy for due diligence challenges. Many commenters were particularly focused on the topic of due diligence and vendor selection, with the guidance stating that, “Some raised concerns with the feasibility of banking organizations performing the full range of due diligence outlined in the proposal, noting that third parties or their related subcontractors may be unable or unwilling to disclose certain information.” The agencies acknowledge these challenges and state that organizations may consider a collaboration strategy to reduce the burden of due diligence. This collaboration may be done with other banking organizations, or third parties that specialize in performing due diligence. 
  • Stay updated on regulations. It’s common for regulations to be updated as the industry evolves, and new third-party risks emerge. The final guidance states that the agencies will monitor trends and developments in the industry and may issue new guidance or educational resources as needed. By establishing a practice of monitoring regulations, you’ll be better prepared to implement those updates when necessary.

Staying informed of these latest third-party risk management regulations will help put you on the path of successfully keeping your organization safe.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo