Bank Regulators Propose Guidance on Risk Management of Third-Party Relationships
Friday, July 16, 2021

The federal bank regulatory agencies issued a request for public comment this week on proposed interagency guidance designed to help banking institutions manage risks associated with third-party relationships.

The proposed guidance can assist banking institutions in identifying and addressing the risks associated with third-party relationships and appears to respond to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance.  In prior years, the Federal Reserve, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have primarily issued their own guidance for their respective supervised banking institutions relating to third-party relationships and appropriate risk management practices.  However, with this proposal, the agencies look to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party management.

The guidance comes in the midst of a profound expansion of bank-FinTech partnerships in recent years and appears to serve as a reminder to banking institutions of the following underlying notion, which applies to any bank that engages third parties to provide products or services or to perform other activities:

Whether a banking institution conducts activities directly or through a third party, the banking institution cannot relieve itself of its responsibility to conduct the activities in a safe and sound manner and consistent with applicable laws and regulations, including those designed to protect consumers.

Prudent banking institutions should incorporate this underlying notion in each facet of their third-party risk management programs, including in the way that the institutions structure their control functions, such as audit, risk management, and compliance, to account for the management of third-party relationships.  It is also essential that institutions develop training programs for personnel at the line-of-business level to account for third-party relationship risks.  Institutions can strengthen their programs by completing risk assessments, regularly reviewing and updating due diligence questionnaires and documents, and evaluating the controls over the third-party relationships.  Ideally, these reviews would extend all the way up to oversight of senior management by the banking institution’s board of directors, which should regularly assess the adequacy of the program.

There is no one-size-fits-all approach.  However a bank structures its third-party risk management program, the board of directors remains responsible for overseeing the development of an effective program commensurate with the bank’s size, complexity, and risk profile as well as with the level of risk, complexity, and the number of the bank’s third-party relationships.  As the regulators note, periodic board reporting is essential to ensure that board responsibilities are fulfilled.

Not all relationships will present the same level of risk to a bank, and the regulators note in their guidance that they would encourage institutions to identify those relationships that support significant bank functions, or as the regulators call them, “critical activities,” with the expectation that “critical activities” would receive more comprehensive and rigorous oversight and management as part of sound risk management.  According to the regulators, “critical activities” also include activities that:

  • could cause a banking organization to face significant risk if the third party fails to meet expectations;

  • could have significant customer impacts;

  • require significant investment in resources to implement the third-party relationship and manage the risk; or

  • could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.

The regulators propose that an effective third-party risk management program will generally follow a continuous life cycle for all relationships and, per the proposed guidance, incorporates the following essential principles applicable to all stages of the life cycle:

Third-Party Risk Management Program Principles and Considerations

Planning

The regulators encourage the institution to develop a plan that outlines the institution’s strategy, identifies the inherent risks of the activity with the third party, and details how the institution will identify, assess, select, and oversee the third party.

Due Diligence and Third-Party Selection

Effective due diligence and third-party selection would consider the following issues:

  1. Strategies and Goals

  2. Legal and Regulatory Compliance

  3. Financial Condition

  4. Business Experience

  5. Fee Structure and Incentives

  6. Qualifications and Backgrounds of Company Principals

  7. Risk Management

  8. Information Security

  9. Management of Information Systems

  10. Operational Resilience

  11. Incident Reporting and Management Programs

  12. Physical Security

  13. Human Resource Management

  14. Reliance on Subcontractors

  15. Insurance Coverage

  16. Conflicting Contractual Arrangements with Other Parties

Contract Negotiation

Written contracts should be negotiated to articulate the rights and responsibilities of all parties, with consideration of the following:

  1. Nature and Scope of Arrangement

  2. Performance Measures or Benchmarks

  3. Responsibilities for Providing, Receiving, and Retaining Information

  4. The Right to Audit and Require Remediation

  5. Responsibility for Compliance with Applicable Laws and Regulations

  6. Cost and Compensation

  7. Ownership and License

  8. Confidentiality and Integrity

  9. Operational Resilience and Business Continuity

  10. Indemnification

  11. Insurance

  12. Dispute Resolution

  13. Limits on Liability

  14. Default and Termination

  15. Customer Complaints

  16. Subcontracting

  17. Foreign-Based Third Parties

  18. Regulatory Supervision

Oversight and Accountability

Oversight and accountability considerations include:

  1. Board of Directors

  2. Management

  3. Independent Reviews

  4. Documentation and Reporting

Ongoing Monitoring

Ongoing monitoring of the third party’s activities and performance should be considered.

Termination

Contingency plans should be developed for terminating the relationship in an effective manner.

Comments to the proposed guidance, which is expected to be published in the Federal Register in the next few days, will be due sixty days after publication.
