As a credit union employee, you may wonder if OCC and FDIC guidance regarding third-party risk management is relevant to your organization. After all, the National Credit Union Administration (NCUA) already offers third-party risk management (TPRM) guidance such as Letter 07-CU-13. Is it necessary to stay informed of other regulations that may not apply directly to your specific type of financial institution? The short answer is yes!
When managing third-party risk, it's always a good idea to keep up with regulatory guidance. Many regulators look to each other for best practices, and if the guidance of a specific regulatory agency changes, the others often follow their lead. Even though credit unions are unique and operate differently than traditional consumer banking institutions, the risks presented by third-party relationships are often the same. Since NCUA's guidance letter was issued a decade ago, the risk landscape has dramatically changed, and updated guidance is likely on the horizon.
An Increased Focus on Third-Party Risk Management
Over the past several years, regulators have emphasized the importance of properly managing third-party risk. Incidents like vendor data breaches are becoming increasingly frequent and complex, so, understandably, regulators are trying to address these issues with more guidance and enforcement actions. Here are a few regulations worth knowing:
- OCC Bulletin 2017-7
- OCC Bulletin 2020-10
- FDIC FIL 44-2008
- FDIC FIL 3-2012
- OCC Model Risk Management Handbook
- Proposed Interagency Guidance on Third-Party Relationships: Risk Management
These regulations and guidelines generally fall into one of two categories. They either answer the question, "How should our organization manage third-party risk?" or "How should examiners evaluate an organization's TPRM program?" Both questions are important for organizations to understand, as these two concepts can help your organization be better prepared to manage third-party risk.
Examiners Do Cross Paths
Regulatory examiners like the OCC, FDIC, and more rarely work in a vacuum. Although they hold different responsibilities, they often compare notes and assist one another with determining industry best practices. The Federal Financial Institutions Examination Council (FFIEC) is one good example of multiple agencies, including the NCUA, that set regulatory standards together.
3 Compliance Tips for Credit Unions
Ensuring that you and your third parties maintain regulatory compliance isn't always easy, but it's an absolute must. Doing so helps avoid negative consequences like fines, enforcement actions, or other criminal penalties.
Here are some tips that can help your organization stay in compliance:
- Stay informed of current regulations. Subscribe to news alerts from individual regulatory agencies, which can be accomplished by visiting the regulators' websites. You can also stay informed of regulatory changes by subscribing to risk alerts and monitoring services. Alternatively, a basic internet news alert can be helpful as well.
- Formalize your documentation & reporting. Your TPRM program should contain formal governance documents, such as a policy, program, and procedures. By defining and formalizing your TPRM program's rules and requirements, these documents can help evidence your TPRM program's regulatory compliance. And regular TPRM compliance reporting ensures your stakeholders can drive action and make informed decisions.
- Establish good contract management. Work closely with your contracting or legal team to ensure that your vendor contracts are effectively written. Regulatory compliance must be built into your contracts, which may include details such as a right to audit, service level agreements (SLAs), and indemnification and insurance.
Although credit unions and traditional banking institutions are regulated by different agencies, don't assume that OCC and FDIC guidelines are irrelevant to your organization. And regulatory changes will undoubtedly occur as the third-party risk landscape evolves and changes. Third-party risk management is an important practice that every organization should prioritize, regardless of who's making the laws.