The Failure of First Republic Bank and the Need for Comprehensive Third-Party Risk Management

On May 1, First Republic Bank became the latest regional bank to fail, following Silicon Valley Bank and Signature Bank, which collapsed less than two months ago.

The decline had been brewing for First Republic since Silicon Valley Bank and Signature Bank were seized in March. Those two failures triggered a search for other lenders in trouble, and First Republic was soon identified as vulnerable to significant deposit outflow risk. However, the true death spiral began when the bank announced last Monday that it had lost $100 billion in deposits in just three months. 

The stock value of First Republic plummeted so much following the announcement that the New York Stock Exchange halted trading several dozen times during the week. By mid last week, it had become obvious that government intervention was needed. Over the weekend, the FDIC seized the bank, and JPMorgan Chase bought all of its deposits and most of its assets through an auction. On Monday, May 1, First Republic's 84 branches opened as JPMorgan Chase.

Unlike the Silicon Valley Bank and Signature Bank, the FDIC has only agreed to protect First Republic's depositors up to the FDIC-insured limit of 250,000 dollars per institution, and investors are facing a total loss. There is no shortage of news media coverage on the First Republic Bank's and others' failures and how they affect the broader economy and banking system. 

Banks as Vendors

It's no small secret that banking partners are often overlooked for TPRM due diligence. After all, those institutions are regulated, and surely the regulators are keeping watch, right? This common misconception often leads to a false sense of security because regulations in and of themselves do not prevent banks (or any other type of vendor) from failing. It’s for this reason that regulators issue guidance instructing organizations on identifying, assessing, managing, and monitoring third-party risks. And banks and other financial institutions must be covered by your organization's third-party risk management practices. In most instances, banks should be considered critical vendors, not just for your organization, but also for your vendors.

For starters insight into your vendor’s banking relationships and understanding their operational resiliency is important. Suppose your organization or one of its vendors suffers the loss of a key financial partner. The impacts on your organization or its customers can be devastating. Many organizations have lost deposits over the $250,000 limit, possibly creating a serious financial shortfall. If your vendor is in this situation, they may be forced to take out loans to make payroll, fund basic operations, or reduce staff or services to compensate for the loss. In addition, if your vendor relies on a specific bank or financial institution for capital and funding, this resource is lost when that institution fails. This could mean business disruptions or delays; in a worst-case scenario, it could be the straw that breaks the camel's back, forcing your vendor to go out of business.

Important Considerations Regarding Banking Partners - Yours or Your Vendor’s 

• Have you done due diligence and risk reviews for your organization's financial partners?
  
  • Your organization's financial partners (banks, lenders, credit unions, etc.) should be in scope for third-party risk management. 
  • In many cases, your organization's financial partners should qualify as critical vendors
• Are any of your critical vendors potentially impacted by events related to recent banking failures or pressures?
• Do you or your vendors have additional risk exposure due to our vendor's relationships with First Republic, SVB, Signature Bank, or other banks experiencing financial or operational pressures?
• What is your potential exposure through fourth parties?
  
  • Don't forget that your vendors should be properly vetting and monitoring their banking partners as part of their third-party risk management practices.

4 Steps Can Take In Your Third-Party Risk Management Program Today

1. Ensure that all financial institutions are in scope for third-party risk management. 
2. Add questions to your vendor risk questionnaires that address banking relationships and possible concentrations of banking relationships:
   •    Who does your organization bank with? 
   •    Does your organization hold all its funds/deposits with one bank or multiple institutions?
   •    What are the names of the institutions?
   •    Have you recently performed any due diligence (i.e., financial health analysis/assessment) on your banking partner(s)?
3. Make sure that vendor financial reviews are comprehensive and include: 
   •    The vendor's latest cash and cash equivalents balance and liquidity position
   •    Outside of cash and cash equivalents, the vendor's sources of liquidity and funding, and ability to access them if they do not have access to cash
   •    Determining if the vendor's funds/deposits held domestically in the U.S. or internationally
   •    Any vendor restrictions accessing their cash and cash equivalents balance
4. Utilize adverse media, financial health, and other real-time monitoring tools to fill information gaps and keep your organization up-to-date with the latest developments and changes in your vendor's risk profile.
   
   Using vendor risk screening and monitoring platforms can help uncover your organization's "blind spots" and streamline the information you need regarding your vendor base. Furthermore, these tools can assist you in becoming more aware of risks associated with evolving events, particularly those relating to banking relationships and possible bank failures in the future.

The recent bank failures should illustrate how quickly risks can shift and change. Even though effective third-party risk management won’t prevent the next bank failure, it could give your organization an advantage by highlighting operational risks directly related to your or your vendor's banking relationships. Early issue detection and regular risk monitoring can help your organization take control over risks vs. being surprised by them.