More Help on Third-Party Risk

Banks have fresh guidance this week on how to tackle third-party risk management, and the material offers plenty of good advice on the subject for businesses in any sector. 

The guidance comes from the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., and the Federal Reserve, which have been working for several years to consolidate pre-existing guidance that each agency had issued on its own. This week’s guidance, formally released on Tuesday, also updates the material to reflect new concerns about banks’ reliance on third-party technology providers and the newfangled relationships many banks have with startup fintech firms.

We should also stress that this material is only guidance — and principles-based guidance at that, intended to give banks flexibility in how they finesse their own third-party risk management programs, depending on a bank’s size, operations, and customer base. But soon enough, regulatory examiners from all three agencies will base their supervisory reviews of your risk management programs on what this week’s guidance says; it can’t be ignored.

Plus, third-party risk management (TPRM) is a challenge for all companies these days. Even for the vast majority of risk and compliance professionals who don’t work in banking, the advice about due diligence, contract negotiation, ongoing monitoring, and governance of your TPRM program is worth reading.

Broadly speaking, the 68 pages of guidance identify several major components of third-party risk management:

  • Risk management, which outlines the basic goals a company should be trying to achieve with its TPRM program.
  • The third-party relationship cycle, which includes planning, due diligence, contract negotiation, monitoring, and termination.
  • Governance of the program, including what the board should oversee and independent reviews that should happen, as well as documentation of the program.
  • Supervisory reviews of your TPRM program from whatever regulators oversee your business. 

Lots of the details in the guidance are common-sense issues compliance officers have heard before over the years. I’ll focus on a few important concepts in the guidance instead.

Think in Broad Terms

Before you even get into the guts of due diligence and monitoring activities, you need to understand the realm of third-party relationships that should be on your risk management radar screen. The guidance spends a fair bit of time on that point, reviewing what counts as a “business arrangement” or “critical activities” that will need your attention.

Basically, the guidance defines both terms broadly. A business arrangement can be any relationship with any third party, and the guidance expressly says that a third-party relationship “may exist despite a lack of a contract or remuneration.” Some commenters had panned that language in the agencies’ original proposal as overbroad, but tough luck; it’s still there.

“Critical activities” gets similar treatment. The proposed guidance had originally included several related concepts such as “significant investment” and “significant bank function,” but that’s all gone. The final guidance now describes critical activities only by example, as activities “such as activities that could cause significant risk to the banking organization if the third party fails to meet expectations or that have significant impacts on customers or the banking organization’s financial condition or operation.”

Let’s pause here. The object of the game is to identify which third parties support which critical services you have. Banks can approach that task in multiple ways. For example, you might list all your third-party relationships and assign a criticality level to each one. Or you could define your mission-critical activities first, and then identify which third parties support those activities. There might be other ways to tackle this task, too.

The guidance makes clear that the regulators don’t really care which method you choose, so long as that method is sound and you can defend your logic when the examiners show up. Your choice will depend more on the personnel you have at your bank, the technology at your disposal, and management’s plans for future operations: more expansion into new markets, more or less reliance on third parties, more investment in people versus IT.

So when we toss around those aspirational phrases like “the third-party risk management program must align with the organization’s strategic goals” — that’s what those words mean in practice. It’s about developing a way to work through the challenge that makes sense for how your business operates.

Only then do we get into the nitty-gritty of due diligence and monitoring activities. 

The Nitty-Gritty on Third-Party Risk

The guidance is clear that not all third-party relationships need the same level of due diligence and oversight because not all parties pose the same level of risk. In other words, banks should take the ever-popular risk-based approach.

Alas, that might be easier said than done. The guidance also makes clear that banks should not broadly assume lower levels of risk based solely on the type of third party. For example, your third-party relationships with affiliates (say, a fintech partner your bank partly owns) might carry different risks than non-affiliates (an outsourced HR and payroll provider), but affiliate relationships won’t always pose fewer risks. So even though classifying your third parties by category is wise, you’ll still need to perform a risk assessment and due diligence on each third party you have. Ugh.

The third-party risk management lifecycle. Source: OCC

It will also be important for banks to identify and document any limitations of their due diligence, understand the risks from those shortcomings, and consider alternative ways to mitigate the risks. 

Sub-contractors are a good example of this, since many times you might not have visibility into (or permission to see) who a third party’s sub-contractors are. In that case, the guidance says, banks should keep their focus on the third party itself, and examine the party’s own vendor risk management system. You might be able to glean that insight from a cleverly scoped SOC 1 or SOC 2 audit (which, coincidentally, came up in a post I had earlier this week about SOC audit reports). 

That’s enough for today; there’s plenty more detail in the guidance, and we’ll try to revisit it again in future posts. For now, anyone working on third-party risk management in any industry would do well to find a spare hour and give this material a read. 
