Well, it’s official! The long-awaited Interagency Guidance on Third-Party Relationships: Risk Management is now final, nearly two years after it was first introduced by the Federal Reserve Board, FDIC, and OCC.
Each of these agencies had previously issued their own set of general third-party risk management (TPRM) guidelines — the Board’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and its 2020 frequently asked questions. These have now been replaced with this final 68-page interagency guidance.
Note: The final guidance retains the scope of the term “business arrangement” that was initially defined in the 2021 proposed guidance. That guidance states, “The term ‘business arrangement’ is meant to be interpreted broadly to enable banking organizations to identify all third-party relationships for which the proposed guidance is relevant.”
This guidance is effective beginning June 6, 2023, and is intended to provide a more consistent approach on how banking organizations should manage third-party relationships. We previously covered some of the highlights from this proposed risk management guidance shortly after it was released, so now we’ll focus on suggested next steps to comply with the agencies’ expectations.
Even if your organization is not regulated by these agencies, keep in mind that it’s common for regulators across different agencies to look to each other for best practices.
Please note that direct excerpts from the guidance are noted in italicized text.
4 Suggested Actions to Meet Regulatory Compliance
The guidance is structured in five sections, beginning with an overview. The following four suggested actions align with the remaining sections outlined in the guidance.
1. Identify Your Critical and High-Risk Vendors
Section B of the guidance states that third-party relationships will present different levels of risk and will therefore require different levels of oversight. An effective TPRM program will require an organization to identify its third parties that involve high-risk and/or critical activities. The guidance provides some helpful criteria that can define critical activities:
-
- Cause a banking organization to face significant risk if the third party fails to meet expectations
- Have significant customer impacts
- Have a significant impact on a banking organization’s financial condition or operations
Keep in mind that regulators expect organizations to determine for themselves which third-party relationships are critical. The descriptions listed above are simply guidelines that can be used to make this determination.
After you’ve established a process to identify your high-risk and critical third parties, you can then take a risk-based approach to your TPRM activities, such as due diligence, risk assessments, and ongoing monitoring.
2. Follow the Lifecycle
The next section describes the TPRM lifecycle, which is considered a tried-and-true process that will help identify, mitigate, and manage a third-party’s risk. The guidance lists the following five stages in the lifecycle: planning, due diligence and third-party selection, contract management, ongoing monitoring, and termination. The guidance also references the importance of using subject matter experts (SMEs) in TPRM activities:
It is important to involve staff with the requisite knowledge and skills in each stage of the risk management life cycle. A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.
Each of these stages contains many considerations, so it’s worthwhile to read through the guidance so you can better align your TPRM program and processes with the agencies’ guidelines.
3. Review Your Governance Documents
Section D of the guidance covers governance, which is often considered the foundation of the TPRM lifecycle. The agencies state that there are certain practices that should be considered, including oversight and accountability, independent reviews, and documentation and reporting. In particular, the guidance highlights who should be responsible in overseeing third-party risk management:
A banking organization’s board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable.
It’s recommended that an organization reviews its policy, program, and procedures to ensure that they include details that are called out in the final guidance.
4. Prepare for Audits and Exams
The final section of the guidance briefly covers how examiners will assess an organization’s TPRM processes, noting that an organization’s third-party relationships will present different risks. Examiners would assess these processes through activities such as:
-
- Assess the ability of the banking organization’s management to oversee and manage the banking organization’s third-party relationships
- Assess the impact of third-party relationships on the banking organization’s risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations
Organizations that violate laws and regulations or are engaged in unsafe third-party practices may be subject to enforcement actions, so it’s recommended to self-audit your TPRM program at least annually.
As you perform this self-audit, make sure you can prove that your policy is compliant with all laws, rules, and regulations. You should also verify that your processes align with your policy and that they’re effective for identifying, assessing, and managing third-party risk. Any exceptions to your processes should also be documented, so they can be presented to examiners if needed.
3 Additions to Your Existing TPRM Program
So, maybe you’ve read through these suggested actions and realized your program is already in good shape. If so, great! Here are just a few more additions that you may need to implement in your program, if you’re not already doing so:
- Identify your subcontractors. The final guidance removed the term “critical subcontractor,” though it should still be noted that the agencies expect organizations to have a certain level of oversight on their subcontractors. According to the final guidance,
“…relationships with a third party, including a third party’s use of subcontractors, should be evaluated based on the risk the relationship poses to the banking organization, which may include assessing whether a third party’s use of subcontractors may heighten or raise additional risk to the banking organization and applying mitigating factors, as appropriate.” Identifying your subcontractors (also known as fourth parties) is an important first step in evaluating the risks they pose to your organization. - Establish a strategy for due diligence challenges. Many commenters were particularly focused on the topic of due diligence and vendor selection, with the guidance stating that, “Some raised concerns with the feasibility of banking organizations performing the full range of due diligence outlined in the proposal, noting that third parties or their related subcontractors may be unable or unwilling to disclose certain information.” The agencies acknowledge these challenges and state that organizations may consider a collaboration strategy to reduce the burden of due diligence. This collaboration may be done with other banking organizations, or third parties that specialize in performing due diligence.
- Stay updated on regulations. It’s common for regulations to be updated as the industry evolves, and new third-party risks emerge. The final guidance states that the agencies will monitor trends and developments in the industry and may issue new guidance or educational resources as needed. By establishing a practice of monitoring regulations, you’ll be better prepared to implement those updates when necessary.
Staying informed of these latest third-party risk management regulations will help put you on the path of successfully keeping your organization safe.