The federal bank regulatory agencies issued a request for public comment this week on proposed interagency guidance designed to help banking institutions manage risks associated with third-party relationships.
The proposed guidance can assist banking institutions in identifying and addressing the risks associated with third-party relationships and appears to respond to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. In prior years, the Federal Reserve, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have primarily issued their own guidance for their respective supervised banking institutions relating to third-party relationships and appropriate risk management practices. However, with this proposal, the agencies look to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party management.
The guidance comes in the midst of profound expansion of bank-FinTech partnerships in recent years and appears to serve as a reminder to banking institutions of the following underlying notion that applies to those banks who engage third parties to provide products or services or to perform other activities:
Whether a banking institution conducts activities directly or through a third party, the banking institution cannot alleviate responsibility to conduct the activities in a safe and sound manner and consistent with applicable laws and regulations, including those designed to protect consumers.
Prudent banking institutions should incorporate this underlying notion in each facet of their third-party risk management programs, including in the way that the institutions’ structure their control functions, such as audit, risk management, and compliance, to account for the management of third-party relationships. It is also essential that institutions develop training programs for personnel at the line of business level to account for third-party relationship risks. Institutions can strengthen their programs by completing risk assessments, regularly reviewing and updating due diligence questionnaires and documents, and evaluating the controls over the third-party relationships. Ideally, these reviews would extend all the way up to oversight of senior management by the banking institution’s board of directors to regularly assess the adequacy of the program.
There is no one-size-fits-all approach. However a bank structures its third-party risk management program, the board of directors remains responsible for overseeing the development of an effective program commensurate with the bank’s size, complexity, and risk profile as well as with the level of risk, complexity, and the number of the bank’s third-party relationships. As the regulators note, periodic board reporting is essential to ensure that board responsibilities are fulfilled.
Not all relationships will present the same level of risk to a bank, and the regulators note in their guidance that they would encourage institutions to identify those relationships that support significant bank functions, or as the regulators call them, “critical activities.” With the expectation that “critical activities” would receive more comprehensive and rigorous oversight and management as part of sound risk management. According to the regulators, “critical activities” also include activities that:
- could cause a banking organization to face significant risk if the third party fails to meet expectations;
- could have significant customer impacts;
- require significant investment in resources to implement the third-party relationship and manage the risk; or
- could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.
The regulators propose that an effective third-party risk management program will generally follow a continuous life cycle for all relationships and, per the proposed guidance, incorporates the following essential principles applicable to all stages of the life cycle:
Comments to the proposed guidance, which is expected to be published in the Federal Register in the next few days, will be due sixty days after publication.