The financial services industry is commending a more consistent approach to regulating third-party risk management that is now advancing in Washington—while appealing for more clarity and less rigor in forthcoming interagency guidelines.
Analyzing the Proposal
The Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued, on July 19, 2021, a comprehensive interagency proposal (with comments filed September 17, 2021), updating guidance on managing risks associated with third-party relationships. The proposed guidelines expand on the OCC’s 2013 risk management guidance.
Inherent in the proposal are clear requirements for banks which, if finalized, will result in significant revisions to many financial institutions’ third-party risk management programs. No surprise, the proposal states that banks are to adopt risk management practices commensurate with the complexity of third-party relationships for the services and products provided. Also, as with all regulatory issuances, the goal is to ensure the safety and soundness of financial institutions. Now, more than ever, this will require that banks determine which are their critical vendors, and potentially refine existing scoring processes with a clearly articulated assessment rationale. The proposal reaffirms that banks can cede their activities to a third party, but that the risk remains with the financial institution. And it touches on numerous risk types, such as reputational, financial, regulatory, and operational.
Issues with the proposed guidance start with its sweeping definition of third-party relationships, defined as: “… business arrangements between a banking organization and another entity, by contract or otherwise.” Chief Risk Officers may be challenged by this nebulous language of “another entity” and “by contract or otherwise.” The proposal goes on to state that remuneration does not have to be in place, which then raises the question of verbal agreements, but with whom? Most likely the answer would include those with affiliates or maybe between departments and functions within an institution. Again, this should not come as a surprise, and it’s a good reminder of the need for such agreements to be documented, which is consistent with regulatory agencies’ past position. What has changed is the level of detail now required. This is set forth in the five phases of the third-party risk management lifecycle (described in more detail below).
Also cited in the proposed guidance, as examples of third parties, are financial technology companies (FinTechs), which are and have been a source of interest to the regulators. Given that the regulatory regime for FinTechs is less developed than for banks, financial institutions’ third-party risk management programs provide regulators with improved insight into how FinTechs perform from a risk management perspective.
Separately, but still important, it appears the three regulatory agencies have taken this opportunity to reaffirm their historically expressed point of view that affiliates and bank holding companies are viewed as third parties. This point is clear in the introduction of Regulation W, 23A and 23B. In meeting the due diligence requirements set forth in the proposal, the new regulation will provide the OCC and the FDIC even greater insight into those entities that currently don’t fall under their jurisdiction.
Breaking Down the Five Phases of a Third-Party Relationship
Whatever issues may be raised, the five phases of the third-party risk management life cycle outlined in the proposed guidance are logical in approach. They increase existing requirements, as follows:
- Planning: The key takeaway here is for banks to evaluate the “types and nature of risks in the relationship and develop a plan to manage the relationship and its related risks.” This includes considering third parties from a strategic point of view, aligned with the bank’s own business and risk strategies. The proposed issuance touches upon a number of ancillary topics critical to overall risk management, in this case, strategy and the management of strategy.
- Due Diligence and Third-Party Selection: This is the phase that intuitively makes sense from a risk management perspective, but practical methods for execution remain unclear. Some of the requirement nuances that were not previously as clearly stated include due diligence activities: around the review of a third-party’s business strategy and considerations about its own intended mergers, acquisitions, and divestitures; qualifications of company principals and staff delivering services, including their understanding of the control environment; roles, responsibilities, and hand-offs in the process; the independence of internal audit; conformity to assessment/certification by independent third parties such as the National Institute of Standards and Technology; information security specific to emerging threats and vulnerabilities; understanding of the maintenance of information systems including accurate application and system inventories of both the contractors’ and subcontractors’; understanding subcontractor risk by performing due diligence akin to that of the contractor; operational resilience; and incident reporting and management.
Also included is explicit guidance on responsibilities for providing, receiving, and retaining information. The key will be the independent reviews contracted by the banks within agreements. Additional costs for assessments/audits may be incurred by the contractor to satisfy ongoing bank monitoring. These costs could then be passed on to the financial institutions indirectly through the fees they charge.
- Contract Negotiation: Little of this is new. However, to meet ongoing monitoring of compliance with what is set forth in the due diligence phase, those requirements will now need to be clearly articulated and agreed in contracts.
- Ongoing Monitoring: What is expected is continual contractor monitoring leveraged from the due diligence previously performed (e.g., quarterly, semi-annually, annually per the institution’s own program requirements).
- Termination: An important consideration is the contractor’s process, and the financial institution’s oversight/engagement, associated with the return or destruction of any proprietary and consumer data, and how the bank will satisfy itself on this point.
Citing Advantages and Disadvantages
Comments received to date and made public by the regulatory agencies are extensive from both traditional financial services companies and FinTechs. The input includes requests for clarity around what constitutes a third party, and for limits on the rigor of due diligence and ongoing monitoring. In summation, it is impressive how these disparate regulatory agencies, albeit with common interest, have come together to force consistency and thoroughness in third-party risk management programs. Also commendable is their continued, coordinated pursuit of discovery, management, and understanding of FinTechs in a climate of increasing concern.