Banking Agencies Proposed Risk Management Guidance for Third-Party Relationships

In the past, The Federal Reserve Board, FDIC and OCC each have issued their own guidance for their respective supervised banking organizations, including the Board’s 2013 guidance, the FDIC’s 2008 guidance the, OCC’s 2013 guidance, and most recently, a list of 2020 FAQs.

On July 13, 2021, the three federal banking regulatory agencies (the Federal Reserve Board of Governors, the FDIC and the OCC) issued a press release calling for comments on the newly proposed third-party risk management guidance - Proposed Interagency Guidance on Third-Party Relationships: Risk Management. The new guidance would drive consistency between the agencies, eliminating all previous agency guidelines and replacing them with a single new version.

While the final version of the guidance may change slightly, the proposed version will feel very recognizable to those familiar with the OCC’s guidance of 2013. The new guidance has been directly modeled off of the OCC 2013 bulletin. In addition, the new document includes the FAQ issued by the OCC in 2020. Many of the new changes or additions appear to be in response to widely shared questions and concerns. We sat down and poured over these documents to see what was added, changed and clarified.

Impressions and Takeaways from the Proposed Guidance

1. Defining (and Expanding) The Definition Of Third Party

Notably, the guidance expands on the very definition of what a third party is. In summary, it seems to be every relationship a banking organization has, excluding its customers. Defining third-party relationships as “business arrangements between a banking organization and another entity, by contract or otherwise.” And, it's clear that since 2013 business arrangements have expanded and become more varied and, in some cases, more complex.

The expansion opens the scope to include various third-party types that had not been traditionally defined as in-scope for third-party management. Including:

• Referral arrangements: A referral arrangement is a continuing agreement between a bank and another party (e.g., bank, corporate entity or individual) in which the bank refers potential customers (or “leads”) to the other party in exchange for some form of compensation. The compensation may also be non-financial such as cross-marketing. The bank has a business arrangement with the party receiving the bank’s referral.
• Appraisers and appraisal management companies: Some banks maintain an approved panel or list of individual appraisers. When an appraisal is requested, the bank enters into an agreement with an individual appraiser. This establishes a business arrangement between the bank and the individual appraiser. Banks may also outsource the process of engaging real estate appraisers to appraisal management companies.
• Professional service providers: Service providers such as law firms, consultants or audit firms are officially third-party relationships.
• Maintenance, catering and custodial service companies. Many organizations had kept companies providing these services out of scope. Often characterized as low spend and low risk, the new guidance requires them to be in scope for third-party risk management.
• Cloud Computing Services and Data Aggregators. If you had any lingering questions about these two, they are also third parties and must be managed as such.
• Agreements for sharing customer-permissioned data. You guessed it, in scope.

In another sign of the times, a new category of third party appears, and this one could be a doozy. Fintech firms are in scope as third-party relationships. Suppose your banking organization uses or is planning to use the services of a fintech firm. In that case, there is a good reason for third-party risk managers to get educated now.

The use cases for fintech companies and services are varied, with new products and services emerging every day. You'll need to understand how their products and services work, the relationship to your customer and how your organization fits into the process. You'll also need to understand how the customer accesses those fintech services. Do they directly go through your applications, fintech systems or even a separate third-party system? And, will the services offered through the fintech company be considered critical to your operations? One more item to consider is the significant fourth-party relationships that usually come with a fintech firm. As these firms bring new and exciting ways to offer additional products and services to the customer, they also bring a lot of complexity to the third-party risk management mix.

2. Third-Party Risk Management Lifecycle Updates

While there are no material changes to the actual third-party risk management lifecycle, some important clarifications and additions have been included:

Planning: While the planning stage isn't new, it lies just outside the scope of third-party risk management for many organizations. The planning stage requires the business to consider and evaluate many different aspects of the relationship. For practical purposes, there needs to be documented evidence that these activities and evaluations occurred. Including:

• Analysis of costs associated with each activity or third-party relationship, including any indirect costs assumed by the banking organization;
• Describing how the banking organization will select, assess and oversee the third party, including monitoring the third party’s compliance with contractual provisions;
• Outlining the banking organization’s contingency plans if the banking organization needs to transition the activity to another third party or bring it in-house;
• And there should be documentation or other records presented to the board of directors or their authorized committee for approval for critical activities before the contract is executed. Those documents (or a copy of them) should be housed with the third-party record for audit purposes.

Due Diligence: The new guidance clearly states: “Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence.” This statement reinforces the importance of the due diligence process. As well as the completion of due diligence before entering into a contract.

The OCC FAQ 2020 addresses several questions related to due diligence. Here are some of the highlights:

• Do we need to risk-assess every third-party relationship? Bank management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each. So yes, you do need to risk-assess all third parties and all engagements.
• What can I do when I have limited Due Diligence Information? Some third parties, such as fintech, start-ups and small businesses, are often limited in their ability to provide the same level of due diligence-related information as larger or more established third parties. Bank management has the flexibility to apply different methods of due diligence and ongoing monitoring when a company may not have the same level of corporate infrastructure as larger or more established companies.
• How may a bank use third-party assessment services (sometimes referred to as third-party utilities)? Third-party assessment service companies have been formed to help banks with third-party risk management, including due diligence and ongoing monitoring. These companies offer banks a standardized questionnaire with responses from various third parties (particularly information technology-related companies). The benefit of this arrangement is that the third party can provide the same information to many banks using a standardized questionnaire.

Considering the new types and risk levels of in-scope third-party relationships, organizations may experience an increased workload and expense related to managing lower-risk third parties. However, the guidance reiterates that the scope of due diligence must be proportional to the risk, with the most rigorous due diligence performed for the highest risk relationships. But, if you're having trouble working through all the due diligence, the new guidance allows organizations to outsource or collaborate on due diligence:

• “To facilitate or supplement a banking organization’s due diligence, a banking organization may use the services of industry utilities or consortiums, including development organizations, consult with other banking organizations, or engage in joint efforts for performing due diligence to meet its established assessment criteria.”
• "Effective risk management processes include assessing the risks of outsourcing due diligence when relying on the services of other banking organizations, utilities, consortiums, or other similar arrangements and assessment standards. “
• "Use of such external services does not abrogate the responsibility of the Board of directors to decide on matters related to third-party relationships involving critical activities or the responsibility of management to handle third-party relationships in a safe and sound manner and consistent with applicable laws and regulations."

While this allowance opens the possibilities for outsourcing and collaborating on due diligence, the organization is still responsible for the risks. And it must evaluate if such an arrangement is suitable. Keeping in mind that the same third party may present different levels of risks across different organizations. So, any shared report or data must be reviewed and approved in the context of the organization’s risk considerations and relationship with the third party.

• Insurance: Updates suggested policy types to include cyber insurance and intellectual property in addition to liability, property hazard and fidelity bond. It also suggests naming the banking organization as an additional insured where appropriate.
• Default and Termination: Provide for the monitoring of the third party after the terms of the contract are satisfied as necessary.
  

Ongoing Monitoring: Overall the softer language like “ the bank should dedicate sufficient staff” has been changed to explicit language “ the bank dedicates sufficient staff." The change of language makes the expectations clear. And, there is a renewed emphasis on ensuring that monitoring activities are commensurate with the risk. The monitoring activities are essentially the same.

3. Oversight and Accountability.

Overall, oversight and accountability have been limited to three roles:

• The Board
• Management
• Independent Reviewers

The Board is still ultimately accountable for confirming that risks related to TPRM are managed effectively and consistently across the organization. However, there are some adjustments worth noting:

• The Board must approve the third-party risk management policy
• The Board can approve or delegate (to a specific committee) contracts for critical third parties
• The Board must review results of management’s ongoing monitoring of third-party relationships involving critical activities

Management replaces Senior Management and keeps many of the same responsibilities. Clear mandates replace previously vague language:

• Reviewing and approving contracts with third parties
• Providing appropriate organizational structures, management, and staffing (level and expertise)
• Maintaining appropriate documentation throughout the lifecycle.

Independent Reviewers. Internal Auditors continue to assess the sufficiency of third-party risk programs, processes and work products. And, continue to confirm appropriate staffing and expertise to perform risk assessment, due diligence, contract negotiation and ongoing monitoring and management of third parties.

In summary, the new guidance will undoubtedly drive consistency as the single source of truth. Other changes, big and small, will make the most impact on banking organizations and their third parties, such as:

• Expanded definition of who is in scope as a third-party
• The ability for organizations to outsource or collaborate on due diligence
• More explicit language removes any previous room for an interpretation related to the regulatory expectations
• Intensified focus on staffing sufficiency and expertise
• Updated insurance requirements

Since the proposed regulatory guideline is still in a comments phase, we may see changes to the final language as it settles into formal guidance. Still, it's a good idea to get acquainted with the document now.

Need to get your third-party risk management program set up or improved? Download our comprehensive eBook to ensure you're on the right path.