On leap day, Feb. 29, I was fortunate to participate as a member of a distinguished panel discussing third-party risk management for banks at the 2024 Banking Outlook Conference hosted by the Supervision and Regulation Division of the Federal Reserve Bank of Atlanta in conjunction with the Graduate School of Banking at Louisiana State University. The conference included a really impressive collection of speakers and presentations addressing a number of topics important to banks today, including artificial intelligence, FedNow, and consumer compliance hot topics. There was also a very interesting bank executive panel titled “Adapting to the Rapidly Changing Banking Environment” as well as a fireside chat with Raphael Bostic, president and CEO of the Federal Reserve Bank of Atlanta, and Jennifer Burns, deputy director of the Federal Reserve Board of Governors. This was my first Banking Outlook Conference. I thoroughly enjoyed it and plan to be back in the future as an attendee, if not as a panelist. If you were not able to make it this year, I encourage you to plan on attending next year, either virtually or in person. It is a valuable opportunity to hear important thoughts on pressing issues for banks from regulators and other industry participants.

Our panel, which was moderated by Lorenzo Garza, vice president of the Federal Reserve Bank of Dallas, addressed the risks and rewards for banks associated with outsourcing, specifically the management of risks related to third parties in accordance with the Interagency Guidance on Third-Party Relationships: Risk Management (the Guidance) published June 6, 2023. Other participants on our panel were Terry Hughes, bureau chief for the Florida Office of Financial Regulation, and Hema Parekh, principal examiner for the Federal Reserve Bank of Richmond.

The Guidance was adopted by the board of governors of the Federal Reserve System, the Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency to provide sound risk management principles for banks and consolidate each of their previous general guidance on the topic in order to promote consistency in supervisory approaches. It is based on the premise that “sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.”

The Guidance addresses any business arrangement between a banking organization and another entity, by contract or otherwise, and states that “a third-party relationship may exist despite a lack of a contract or remuneration.” Such relationships can include use of outsourced services, independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates, and joint ventures, although this is certainly not an exclusive list.

The Guidance recognizes that the use of third parties can offer banks significant benefits, but it also states that it can reduce a bank’s direct control over activities and may introduce new risks into the bank. According to the Guidance, as part of sound risk management, banks must “engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.” The following characteristics of critical activities are identified within the Guidance:

• Causing a bank to face significant risks if the third party fails to meet expectations
• Having significant customer impacts
• Having a significant impact on a banking organization’s financial condition or operations

Some third-party relationships obviously have these characteristics and therefore merit considerable investigation and monitoring under the Guidance (e.g., core processing systems), and others may require less attention due to an apparent lack of these characteristics. That being said, banks would be wise to carefully evaluate each relationship for the existence of any of these characteristics since some seemingly mundane relationships may be conducted in such a way to make the relationship “high risk.” After all, it was only a couple of years ago that a prominent American company was victimized by a data breach that was perpetrated using credentials stolen from a seemingly harmless third-party vendor, i.e., its HVAC systems provider.

The Guidance is organized around a concept it calls the “Third-Party Relationship Life Cycle.” According to the Guidance, this life cycle consists of five stages: (a) planning, (b) due diligence and third-party selection, (c) contract negotiation, (d) ongoing monitoring, and (e) termination. The Guidance goes on to say that it is important to involve staff with the right knowledge and skill set for each stage of the life cycle, and that may necessitate including experts across disciplines within the bank, such as compliance, risk, technology, or legal. It may also be necessary for banks to engage external support to supplement the expertise of their in-house personnel for some aspects of the life cycle.

As a firm, we assist banks often with third-party relationships, and unfortunately, our involvement typically begins after a problem has arisen. In my experience, bankers are naturally optimistic people who utilize that tendency to identify opportunities for taking acceptable risks in order to achieve rewards for their shareholders. That being said, they are not ingrained with the same cynical view of everyday circumstances that law school imposes on my profession and therefore may often spend less time on the first three stages of the life cycle in order to secure a third-party relationship that they believe will be profitable.

As a result, when problems within the relationship arise, or the third-party vendor experiences issues that impact the bank and its customers, it is often difficult for the bank to protect itself or extract itself from the relationship. A common example in today’s banking environment that we deal with often is a data breach that releases bank customer information.

In nearly every data breach we see, it is not the bank’s system that has been compromised but that of a third-party vendor that is in possession of bank customer information. In some cases, the vendor may have access to customer information without the bank’s realization of what information has been captured for the service, or it may retain customer information for longer than the bank expects, resulting in a larger release of customer information than the bank anticipated at the beginning of the relationship. In many cases, these risks could have been eliminated, or at least mitigated, had the bank spent more time planning the relationship or performing due diligence on its selected vendor and the vendor’s processes.

Contract negotiation is often a challenge as well, with banks accepting form agreements that are skewed heavily toward the interest of the vendor, either because they have very little leverage to negotiate the terms or because they are so eager to begin the relationship with the vendor that will provide the bank and its customers a valuable service that they fail to take the time to get the agreement reviewed by counsel or even to read it themselves. This can exacerbate a later problem in the relationship when the bank can’t enforce the agreement to ensure the vendor adequately secures customer information or terminate the relationship prior to the end of its term without significant inconvenience or costs.

One thing made evident by the Guidance, as well as the regulators who participated on our panel, is that examiners will be looking much more closely into how banks manage these relationships and whether or not they are heeding the warnings and following the recommendations of the Guidance. While most big problems may originate within the vendor’s operation, since jurisdiction over such vendors by banking regulators is limited, oversight will be more intensively focused on the banks instead to ensure that they are defending themselves against third-party risks posed by their third-party relationships.