A High Bar for Third-Party Risk Management

A Practitioner’s Perspectives on the New Guidance

In June 2023, the Office of the Comptroller of the Currency (OCC), Federal Reserve, and Federal Deposit Insurance Corporation published Interagency Guidance on Third-Party Relationships: Risk Management. This guidance replaces separate guidance from the agencies going back as far as 2008 and the OCC’s 2020 FAQs.

Ten years after previous guidance that substantially expanded and heightened expectations for managing third-party relationships, this latest iteration continues to raise the compliance bar even higher. The impact will vary from bank to bank. For example, as facilitator of RMA’s semi-annual Third-Party Risk Management Roundtable, I have learned that participating banks subject to horizontal regulatory exams believe they are substantially prepared to comply with the new guidance—and with minimal work effort. At the other end of the spectrum, compliance will be challenging for smaller institutions, including expectations for managing complex fintech relationships. In fact, Federal Reserve Governor Michelle W. Bowman, in withholding support for the guidance, said her “expectation is that community banks will find the new guidance challenging to implement.” 

Regardless of their size and complexity, all financial institutions need to adjust their practices to meet the expectations described in the new guidance. While it’s still too soon to know exactly how the updated guidance will ultimately impact the sector—for example, the regulators are expected to provide resources to make compliance more manageable for community banks—I’ll share some takeaways and suggestions informed by my experience as a third-party risk management adviser, trainer, and author.   

Principles-Based  

The guidance notes that it is intended to be “principles-based” and apply to all regulated banks, regardless of their “level of risk, complexity, size of the banking organization, and the nature of the third-party relationship.” Words such as “consider” and “typically” are used when describing many but not all expectations.  

However, it has greater specificity than prior guidance for third-party risk management activities that should be considered. While this added clarity is welcomed by many practitioners, be aware that where there is such specificity, there is often an expectation of compliance. It is advisable to document your institution’s rationale as to why certain activities—ones that you consider to be discretionary, but the examiners may not—have not been included in your third-party risk program. Have these exceptions approved by the operational and/or enterprise risk management function, or their equivalent. 

How Third-Party Relationships Are Defined  

In the guidance, third-party relationships are defined as “any business arrangement between a banking organization and another entity, by contract or otherwise.” This means, according to the guidance:  

  • The bank’s relationships with its vendors (commercial relationships paid through accounts payable). 
  • Non-vendor or non-traditional relationships such as “referral arrangements and merchant payment processing services,” which may or may not involve financial remuneration. 
  • Services provided by affiliates and subsidiaries. 
  • Joint ventures. 
  • “Relationships with new or novel structures and features—such as those observed in relationships with some financial technology (fintech) companies.” (A current example is The Risks and Rewards of Providing Banking as a Service.)

Clearly, third-party relationships addressed by the interagency guidance encompass every type of business relationship that a banking entity enters into except those with its banking customers. RMA’s “Third-Party Relationship Definitions and Non-Vendor Categories” can help you determine and inventory what’s in scope for your institution.  

The guidance says, “Maintaining a complete inventory of its third-party relationships and periodically conducting risk assessments for each third-party relationship supports a banking organization’s determination of whether risks have changed over time and to update risk management practices accordingly.”  

For banks with thousands of relationships, this can feel aspirational—even after years of work effort. Although all third-party relationships must be recorded in the inventory—even those that are not subject to risk management treatment—fortunately, the guidance is risk-based. This has the effect of allowing each institution latitude to align risk management practices with its risk appetite, ensuring that valuable resources are not consumed by low-risk, low-return activities. In the words of the guidance: “Engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.” 

Criticality 

What are those critical activities? The guidance says they are anything that can: 

  • Cause a banking organization to face significant risk if the third party fails to meet expectations.  
  • Have significant customer impacts.  
  • Have a significant impact on a banking organization’s financial condition or operations. 

That’s clearer than earlier guidance, which simply mentioned the importance of prioritizing critical third-party relationships and critical activities. The language also shifts the focus from the third-party relationship itself to its possible impact on the bank’s performance and operational resilience in the context of its extended enterprise, comprising both internal and third-party activities.

By stating that “it is up to each banking organization to identify its critical activities and third-party relationships that support these critical activities,” the guidance establishes a direct correlation between the bank’s third-party risk, business continuity management, and emerging operational resilience practices. This alignment has been a focus of regulatory exams for several years.  

The guidance acknowledges that “some banking organizations may assign a criticality or risk level to each third-party relationship, whereas others identify critical activities and those third parties that support such activities.” Defining the institution’s critical activities is an essential first step, often accomplished by processes developed by an institution’s business continuity professionals and/or its risk control self-assessment (RCSA) processes. Aligning third-party relationships to critical activities is the second step, and understanding the institution’s operational reliance on each third party is the third step. Based on experience, criticality and risk levels are two separate concepts that are best addressed with a sound relationship segmentation framework and process, which are both part of an effective third-party risk management program.

Criticality should be part of the relationship segmentation framework. It is an inward-facing assessment of the relative operational dependency the bank has on the third party. The goal is to understand the impact of underperformance or a serious failure by the third party on the bank’s operations, customers, financial condition, and ability to comply with regulations and laws.  

Risk levels are set by methodologies that assess the types and amount of risk the bank faces by engaging any third party to deliver the products or services. The process to determine exposure to inherent risk should also be part of your institution’s relationship segmentation framework. Residual risk should be apparent after evaluating the existence and strength of the third party’s controls. This step provides the risk insight needed to support risk acceptance and challenge processes.

Due Diligence  

The section on due diligence includes many pre-engagement activities that will align critical third-party relationships with the bank’s strategy and risk appetite and inform post-contracting activities. Specifically, it says “certain third parties … typically warrant a greater degree of planning and consideration. For example, when critical activities are involved, plans may be presented to and approved by a banking organization's board of directors (or a designated board committee).” 

Compared to previous guidance, which was less explicit on this matter, there is a clear expectation that due diligence be completed before entering a third-party relationship and refreshed periodically during the life of the relationship. This high-level portion of the guidance may indicate an open door for developing more productive ways of reassessing and recertifying the third party’s internal control than the “rinse and repeat” practice of completing the same external due diligence on the third party’s internal controls at the one-, two-, or three-year mark, according to their profile.  

The section on due diligence is comprehensive and elements have been stepped up from prior guidance. Note the passage on “evaluating the third party’s ownership structure (including identifying any beneficial ownership, whether public or private, foreign, or domestic ownership).” Determining an entity’s ultimate beneficial ownership will be a new practice for the vast majority of banks.  

The due diligence portion of the guidance goes on to include determination of whether the “third party itself or any owners are subject to sanctions by the Office of Foreign Assets Control.” The linkage between third-party risk management, sanctions screening, and financial crimes is clear. But it will be difficult to achieve a high level of assurance when it comes to beneficial ownership, particularly if the company is part of a complex hierarchy of ownership or the third party itself is privately held.  

Another high bar set by the interagency guidance is determining “whether the third party has the necessary legal authority to perform the activity, such as any necessary licenses or corporate powers.” The licensing part of this expectation is relatively easy to achieve, but practices to comply with determining whether the third party has the “necessary corporate powers” are a greater challenge. This is because all corporations have two types of corporate powers: express powers and implicit powers. Some but not all express powers are described in the corporate statute and articles of incorporation, and many express powers are enshrined in law such as the right to enter into contracts or borrow money. Third parties may find it difficult to parse their corporate powers to provide documentary evidence or be reluctant to provide explicit documentation to their customers. Implicit corporate powers are inherent in the business or businesses the third party is in, making them nearly impossible to verify. Therefore, practices to comply with this regulatory expectation are yet to be determined.  

As for a third party’s own risk management efficacy, methods have emerged in recent years to support the guidance’s requirement for “evaluation of the effectiveness of a third party’s overall risk management practices.” One example is, when available, “reviewing System and Organization Controls (SOC) reports.” Many institutions have also adopted the Shared Assessments Standardized Information Gathering (SIG) Questionnaire, making it faster and easier for third parties to respond. This shifts the work effort to evaluation of responses, review of documentation, and follow-up.

Other Key Areas  

The new guidance reinforces the importance of integrating lifecycle management activities across procurement, risk specialists, compliance, and legal functions. It says, “It is important to involve staff with the requisite knowledge and skills in each stage of the risk management lifecycle … and [the bank] may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.”  

This acknowledges that the use of third parties to support third-party risk management practices is acceptable, provided that it supplements the institution’s internal expertise. It also seems to suggest that employees and third parties involved in third-party risk management activities should receive relevant training and hold professional certifications to complement their work experience.

New content related to operational resilience supports an emerging trend in larger institutions that have focused in the past, or are presently focusing, on sharpening resilience capabilities across their operational risk management practices. In some institutions, the governance and oversight functions responsible for third-party risk management now report to an executive responsible for consolidating and strengthening the institution’s overall operational resilience capabilities. It seems likely that, over time, regulatory exams will place increased focus on your institution’s operational resilience capabilities.

Physical security is made a more distinct risk management capability in the new guidance, which has a sharper focus on third parties’ “employee on- and off-boarding procedures to ensure that physical access rights are managed appropriately.”  

The contracting section is also comprehensive. It is advisable to verify that your standard contract terms and conditions comply, and to create a contract checklist for use when negotiating on “vendor paper”—in other words, when opening negotiations with the third party’s contract instead of starting with your own. Two new areas of focus are:

  • “Whether the third party is permitted to resell, assign, or permit access to … the banking organization’s data, metadata, and systems, to other entities.” 
  • Responding to and reporting customer complaints.  

Previous guidance required continuous monitoring. The new interagency guidance acknowledges that there is value in periodic as well as continuous monitoring commensurate with the “level of risk and complexity of the relationship and activity performed.” The guidance also describes typical monitoring activities. As we learned during the pandemic, most third parties don’t walk back their controls. It’s the changes that the third party undergoes—such as changes to financial health, key personnel, and subcontractors—that increase the risk to their customers. 

You may wish to pay close attention to the section on termination. An essential element of operational resilience is being prepared if the third party suffers a catastrophic failure. Having well-documented exit plans for critical third parties that support critical activities is a regulatory expectation. 

Oversight and governance responsibilities are clearly defined. A change from the draft guidance that was available for comment is acknowledgement of the clear separation of duties between the board of directors—or a board-designated committee—and senior management. The expectations are written in a way that large institutions with multiple subcommittees of the board and smaller institutions with hands-on boards of directors can comply simply by exercising their fiduciary responsibilities. 

The guidance’s long list of documentary requirements is nothing new. Documentary evidence has always been important, and records must be complete and accurate. But institutions that are still trying to run their third-party risk management program on spreadsheets with manual workflow might consider the positive return on investment from a purpose-built system that transitions work effort from task-and-document management to risk management. 

The interagency guidance concludes with some wise words about what to expect during a regulatory exam when it comes to a bank’s third-party risk management program and practices. Not everyone is aware that third-party risk management capabilities have a direct impact on your institution’s safety and soundness exam.

Linda Tuck Chapman C3PRMP is a recognized expert in third party risk management. She is founder of Third Party Risk Institute (thirdpartyriskinstitute.com), which aims to inspire organizations and professionals to invest in world-class training and certifications that promote safe and healthy third-party relationships.