In June 2023, three U.S. federal regulators jointly issued new guidance for the banking sector. The Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are aiming to improve third-party compliance and risk planning.
In this article, we explore the interagency guidance for third-party risk management in banking. We also provide actionable checklists for each stage of the third-party relationship.
What Is the New Interagency Guidance on Third-Party Banking Relationships?
Three regulatory agencies have jointly issued 88 FR 37920 — Interagency Guidance on Third-Party Relationships: Risk Management — specifically for the banking industry, to improve its third-party risk management (TPRM).
The three agencies that issued this joint guidance to replace their separate guidelines are:
- The Federal Reserve System (FRS)
- The Federal Deposit Insurance Corporation (FDIC)
- The Office of the Comptroller of the Currency (OCC)
Which third parties are they targeting? Essentially, they’re directing this guidance to any service provider or financial institution that banks rely on for activities like:
- Business or knowledge process outsourcing
- Fintech services
- Merchant payment processing
- Referral programs
- Services by affiliates and subsidiaries
- Joint ventures
This guidance will help banks manage third-party dependencies and their financial risks more effectively.
Which Banking Organizations Must Comply?
In the U.S., the FRS regulates large banking institutions, state-chartered banks, bank holding companies, and foreign banks. The OCC regulates national banks but not state banks. The FDIC regulates all institutions that offer federally insured deposits, which includes most banks.
All of these banking institutions must improve their compliance programs and third-party risk management programs by incorporating this new guidance from 2023.
Recommendations to Improve Risk Management in Banking
The guidance offers recommendations for each of the five stages of the third-party relationship lifecycle, starting with a risk-planning checklist and ending with a termination checklist.
Stage 1: Risk-Planning Checklist
Risk planning ensures that you're prepared for third-party arrangements from your end. The guidance recommends the following seven steps.
1. Identify Your Critical Activities
The goal here is to identify those business activities and third-party relationships that require comprehensive monitoring because of their risks. You can designate activities involving third parties as critical if they:
- Adversely impact your customers: Critical activities have significant material impacts on your customers. For example, if your third-party payment processor's information security practices are poor, your customers may suffer financial losses or find that their accounts were misused for crimes like money laundering.
- Carry serious risks: Your organization faces different types of risk — operational risks, legal or compliance risks, reputational damage, inherent risks in the activities, supply chain risks, procurement risks, credit risks, or market risks — if the third party is incapable of meeting your contractual and ethical standards.
- Substantially affect your operations or finances: They have significant impacts on your operations or financial health.
2. Place Critical Activities Under Board Supervision
Are you actively involving your board of directors and board subcommittees in the decision-making for all high-risk activities that involve third parties? Ensure that the following roles are routinely included in these committee activities:
- Chief compliance officer
- Chief risk officer
- Chief information security officer
- Head of bank operations
- Head of vendor management
- Head of strategic partnerships
3. Understand Your Third-Party Relationships
A checklist for every planned third-party arrangement must ask these questions:
- What is its strategic purpose, and what are its benefits? Does it satisfy your long-term strategic goals, your business models, and your short-term objectives?
- Does it satisfy your corporate policies?
- Does it align with your organization's risk exposure and risk appetite? Have you readied a plan to manage its identified risks?
4. Understand the Costs
Evaluate the direct contractual costs you'll incur due to the relationship. Also, evaluate all the indirect internal costs and risks you'll incur to adapt your staff, systems, and processes. The following factors influence these numbers:
- Volume and scope of third-party participation
- The cost of replacing the third party with another or of bringing the activity in-house
- The third party's use of subcontractors
- Involvement of foreign third parties and associated risks, like U.S. Foreign Corrupt Practices Act (FCPA) violations or sanctions evasion
- The technologies you'll require for the arrangement
5. Assess the Impacts on Your Customers
Any kind of third-party arrangement is bound to affect your customer relationships, too. Ask the following questions:
- What is the extent of customer interaction that is required either with you or directly with the third party?
- How will the activity use or access customer information?
- What are the risks and potential harm to your customers?
- How do you plan to handle customer inquiries and complaints related to these activities?
6. Don't Ignore the Security Implications
A third party can have profound impacts on your information security, since the arrangement may give it access to sensitive information about your customers, organization, and employees. In some cases, it may also affect the physical security of your facilities. Include security monitoring and a system of alerting in your plans.
7. Plan the Active Management of Third-Party Relationships
For each third-party arrangement, plan how you will oversee and manage it internally, covering:
- The required organizational structure, staffing, roles, and expertise
- The readiness of your risk and compliance management systems
- Your internal controls for risk mitigation
- The necessary governance policies and procedures
Stage 2: Third-Party Due Diligence and Selection Checklist
The risk planning above ensures your readiness but also produces essential criteria that you must evaluate when conducting your due diligence of third parties. Crucially, this can't be a mere checkbox exercise. You must tailor your due diligence to the particular activity you want from a third party, and it must be risk-based.
Let’s look at the due diligence and selection steps you should take.
Make the Diligence Proportional to the Business Complexity
Ensure that the scope, depth, and comprehensiveness of your due diligence are proportional to the criticality of the activity, the level of risk, and the complexity of the business arrangement with the third party.
If you can't obtain some of the essential information, document those diligence blind spots, assess possible future risks emanating from them, and set up the risk controls you'll need to mitigate them.
Another option is to obtain information about third parties from external sources, like data intelligence providers, industry associations, or consortiums.
In the worst case, you may want to consider engaging a less risky third party instead.
Review the Third Party's Strategies and Experience
Ask these questions:
- Does its future plan include any partnership or acquisition that may impact your business activity?
- Are its organizational policies and practices compatible with yours?
- Does it have the necessary experience, track record, and capability for the business activity?
Assess Its Regulatory Compliance
You must ensure that the third party is in the clear on all compliance aspects. Check for these:
- Clear ownership: You have identified its beneficial ownership, ownership structure, and key stakeholders.
- Licensed for the activity: You have ensured that it has all the requisite licenses, certifications, and authorizations to conduct the business activity.
- Free from sanctions allegations: Ensure that the third party and its owners aren't on any sanctions lists.
- Ability to maintain compliance: Does the third party have the processes and controls to help you remain compliant with all domestic and international laws and regulations?
- Responsive to regulators: Is it proactive and responsive toward regulatory agencies?
Verify the Third Party’s Financial Health
Audit its finances for assurance that it has the financial capability and stability it needs to conduct the business activity effectively. Look into debts and liquidity risks.
Conduct Background Checks on Key Staff
Ensure that key staff of the third party are qualified and experienced and that they can pass periodic background checks. Also evaluate other human resource aspects like:
- Does it identify and remove employees who are unsuitable or who are barred from working in financial services?
- Does it train its personnel on their duties and responsibilities? Does it train them on all relevant laws, regulations, and organizational policies?
- Does it have redundancy planning for key staff?
- Does it have processes and policies to hold employees accountable for compliance lapses?
- Does it have employee onboarding and offboarding processes?
Evaluate the Third Party's Risk Management Framework
Gauge the effectiveness of the third party's enterprise risk management because it impacts your risk management, too. Look into these aspects:
- Does it have good risk management practices and internal controls?
- Does it have clear roles and separation of duties for the business activity?
- Are its operations and controls independently tested and audited?
- Do its processes comply with standards like the System and Organization Controls (SOC)?
Assess Its Information Technology and Security
Your due diligence must ensure that the third party's information security policies meet your organization's requirements for the confidentiality, integrity, and availability of data. Use this questionnaire:
- Are its information systems interoperable with yours? Have they undergone stress tests to prove they are capable of the expected quality of service?
- Does it have a cybersecurity risk management plan?
- Is it certified for data protection standards like ISO 27001 or the Payment Card Industry Data Security Standard (PCI DSS)?
- Is it using security techniques like access control, multifactor authentication, and end-to-end encryption?
- Does it have vulnerability management and penetration testing?
- Does it have efficient incident management workflows?
- Does it have good physical security at its premises to protect its personnel, systems, and data?
Test the Third Party's Resiliency
Due diligence requires looking into the third party's operational resiliency, business continuity, disaster recovery, and communications redundancy plans.
Evaluate the Third Party's Subcontractors
If the third party relies heavily on subcontractors for your business activity, you must ensure that it has a comprehensive risk management process to deal with key risks emanating from them.
Check Insurance Coverage
The third party must have adequate insurance coverage for your business activity. This may include insurance for natural disasters, data loss, negligence, cybersecurity incidents, and other matters.
Verify Its Contracts With Other Parties
Your due diligence must ensure that the third party's contracts with other parties don't result in any legal, operational, financial, or other potential risks to you or your customers.
Stage 3: Contract Checklist
With planning done and a third party selected, it's time to transfer all those expectations to a legal contract for ongoing assurance and accountability.
Apart from formalizing all the requirements we've seen so far, ensure that the contract includes:
- Key performance indicators (KPIs): Define business KPIs and metrics to monitor the third party's activities. But ensure that they don't incentivize reckless business behavior by, for example, setting unrealistic sales targets that increase your organization's risks.
- Data use and access: Clearly define the permitted and prohibited uses of any data related to your business activity. Include comprehensive data processing agreements as contract addendums.
- Regular business updates: The contract must require the third party to notify you whenever it sees important strategic or operational changes like mergers, divestitures, key personnel changes, or regulatory proceedings.
- Regular audit reports: Your contract should demand regular external and internal audits of the third party conducted by them, you, or independent auditors.
- Indemnification provisions: Ensure you have indemnification agreements to protect you from liabilities due to the third party's misconduct.
- A plan for customer complaints: If interacting with your customers is an important part of the third-party activity, include provisions for the timely and proper resolution of customer complaints.
- Jurisdictional provisions: Designate the legal jurisdictions for contract enforcement and dispute resolution. They're particularly important for foreign-based third parties.
Stage 4: Third-Party Monitoring Checklist
Effective monitoring of each third party throughout the lifetime of the business relationship is essential to keep risks under control. In addition to monitoring for all the requirements and contractual provisions we've seen so far, ensure the following about your third-party monitoring:
- It’s commensurate with the activity: The extent of monitoring should be proportionate to the risk levels and the complexity of the activity. Monitor critical activities comprehensively and frequently, perhaps even setting up real-time monitoring for especially critical activities.
- It receives regulatory updates: Monitor new regulatory requirements, regulatory changes, and economic conditions that could affect the third party's financial or operational health.
- It tracks strategic changes: Make sure that you're notified of all major changes in the third party's strategic goals, risk profile, policies, and agreements with other parties.
- It monitors financial health: Keep an eye on the third party's financial health, debts, revenues, and insurance coverage.
- It notifies of personnel changes: You must be notified of any changes to the key people handling your business activity.
- It tracks security posture: Ensure that you will know about any major security policy change or data breach at the third party.
Stage 5: Termination Checklist
If the relationship ends because the contract is completed, ensure the following:
- Confidential data related to your organization is either destroyed or retained securely only for regulatory purposes.
- Information system interconnections and access control are withdrawn without jeopardizing your operations.
- All costs and fees associated with the activity are settled.
But if you end the contract prematurely on grounds of the third party's misconduct, negligence, or similar reasons, you must be doubly careful and ensure the following:
- Evaluate alternative third parties as a replacement, and prepare a plan for a streamlined transition.
- Using legal means, ensure that the third party you're separating from destroys all confidential data related to your business. Allow the third party to keep only minimal data securely, strictly for regulatory purposes.
- Prepare yourself for any operational, legal, compliance, or reputational risks from the terminated third party. In particular, be prepared for adverse impacts on your customers.
- Have a plan for handling any joint intellectual property. Be prepared for litigation here.
Documentation Challenges of Risk Management in Banking
All the checklists above generate an enormous amount of documentation and reporting, which is necessary for audits and regulatory examination. This volume is a challenge in itself for banking organizations.
The guidance recommends documenting the following information for effective risk management in banking:
- All third-party relationships: Maintain an up-to-date list of all third-party relationships, associated subcontractors, and their relevance to any high-risk or critical activities.
- Risk plans and assessments: Document all the plans and risk assessments of the third parties.
- Due diligence reports: Document your due diligence process and limitations.
- Contracts: Track the status and provisions of your ongoing and completed contracts.
- Remediation plans: When continuous monitoring raises red flags about the third party's controls, document your remediation plans for them.
- Risk and performance reports: Store all the risk and performance reports your third parties send you on service disruptions, security incidents, or other events.
- Customer reports: Document customer complaints and resolutions.
- Audit and review reports: Keep all the independent audits and reviews of third parties with you.
- Periodic reports to the board: Maintain all the periodic reports sent to your board or subcommittee that's supervising this business relationship.
To securely store and retrieve such large volumes of documents from many years, you’ll need a robust platform like Certa!