Financial institutions are increasingly ramping up partnerships with third-party organizations that offer technologies that promise efficiencies or add new banking products to drive revenues.
As these partnerships increase, the risk to the banking system is also increasing. In June, the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve and the Office of the Comptroller of the Currency released finalized interagency guidance over third-party risk management practices that financial institutions must consider when entering into business arrangements with third parties.
Two notable differences from the guidance initially proposed in 2021 are the need for financial institutions to establish a complete inventory of all third-party relationships and an explicit call-out of relationships with fintech organizations that interact directly with an institution’s customers.
The principles-based guidance allows institutions to look at their third-party relationships using a risk-based approach. Higher-risk activities, including critical activities, should receive more comprehensive and diligent oversight from management. Smaller community and regional banks will likely have more work to do to follow this guidance, which will be particularly relevant for institutions with significant fintech relationships.
The guidance provides five key points that institutions should integrate into their risk management procedures over the entire life cycle of a business arrangement with a third party.
1. Planning: Before conducting business with a third party, banks must create a plan to determine the type of risk and related complexities involved. Once the institution identifies such risks, it can design and establish necessary mitigation techniques.
The guidance specifies that to understand the risks associated with a third party, an institution should carefully consider the following in the planning process:
• The strategic purpose of the arrangement.
• Benefits and risks of the relationship.
• The volume of transactions involved.
• Related direct and indirect costs.
• The impact of the relationship on employees and customers.
• The physical and information security implications.
• Monitoring the third party’s compliance with laws and regulations.
• Ongoing oversight of the relationship.
• Potential contingency plans.
Once an institution fully evaluates all factors, it can build a risk matrix to visualize whether the exposure involved in the relationship would be within the institution’s risk tolerance levels.
2. Due diligence: The new guidance states that the level of due diligence an institution needs to perform on a third party should be proportionate to the risk associated with the potential relationship. Where the arrangement points to greater complexities or higher risk to the bank, the bank should deploy more thorough due diligence procedures. No matter the arrangement, institutions need to evaluate their ability to identify, assess, monitor and mitigate risks that arise.
If a financial institution is unable to perform the appropriate due diligence on a prospective third party and has not identified suitable alternatives to support the relationship, the bank will likely need to forgo the relationship.
3. Contract negotiation: Important to any third-party relationship is negotiating a contract that allows the bank to perform continuous and effective risk management practices. If there is difficulty in negotiating these aspects with the third party, the institution needs to analyze the related risk and weigh whether it is acceptable to enter into a relationship.
Importantly, the board of directors should be aware of negotiations in order to discharge its oversight responsibilities, whether through direct involvement or updates from an approved negotiating delegate.
4. Ongoing monitoring: Ongoing monitoring is imperative as institutions navigate a rapidly changing banking environment. Establishing techniques or mechanisms to track the risk landscape and identify emerging risks is just as important to monitoring as a cadence of regular reviews of current risks.
The agencies did not outline “any specific approach to ongoing monitoring. Rather, the guidance continues to state that a banking organization’s ongoing monitoring, like other third-party risk management processes, should be appropriate for the risks associated with each third-party relationship, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”
5. Termination: Lastly, if an institution has decided the relationship has run its course, an efficient and timely termination is beneficial. The institution should consider transitioning any service provided through the relationship to another third party or bringing it in-house.
The regulators also highlighted three critical governance practices for such relationships.
• Oversight and accountability: The board of directors is ultimately responsible for the oversight of third-party risk management. This includes providing management with guidance on the risk appetite to enter into third-party relationships, as well as approving management policies and procedures.
• Independent reviews: The guidance calls out the need for independent, periodic reviews that assess the adequacy of the risk management process, as well as management’s processes, procedures and controls for adequacy and effective operation.
• Documentation and reporting: Institutions will need to thoroughly document their third-party risk management processes, procedures and outcomes of related independent reviews.
Risk management necessitates perpetual enhancement. As institutions continue to partner with third parties to offer new capabilities, remaining vigilant by incorporating the five key points from the guidance is essential. These techniques help safeguard the stability, trust and sustainability of the financial services industry.
A version of this article originally appeared on RSM US.