Interagency Guidance on Third-Party Relationships: Risk Management

By True Digital

At True Digital, we look forward to supporting banks’ third-party risk management processes through the tools available on our Platform.

On June 6, the federal banking agencies issued final Interagency Guidance on banks’ management of the risks associated with their third-party relationships. The Guidance responds to the growing number of relationships between banks and third parties and establishes principles and a framework for banks to consider when developing and implementing third-party risk management practices. While the Guidance is based on and largely tracks the OCC’s prior third-party guidance, its reach is broader and more detailed than the prior guidance of the Federal Reserve and the FDIC.

As a first principle of sound risk management, the banking agencies note that a bank analyzes the risks associated with each third-party relationship and tailors its risk management practices to be commensurate with the bank’s size, complexity, and risk profile and with the nature of the third-party relationship. In this regard, the banking agencies note that maintaining a complete inventory of its third-party relationships and periodically conducting a risk assessment for each of them support a bank’s sound risk management. The Guidance notes that, as part of sound risk management, banks engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities. To this end, banks must identify their critical activities and the third-party relationships that support them. Characteristics of critical activities may include activities that could expose a bank to significant risk if the third party fails to meet expectations, that have significant customer impacts, or that have a significant impact on a bank’s financial condition or operations.

The Guidance provides detailed direction on implementing effective third-party risk management practices by giving examples of considerations in each stage of managing a third-party relationship: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

With regard to due diligence, the Guidance emphasizes the importance of conducting due diligence across a range of factors to obtain the information needed about potential third parties, both to determine whether a relationship would help achieve a bank’s strategic and financial goals and to evaluate whether the bank can appropriately identify, monitor, and control the risks associated with the particular third-party relationship. The following factors are typically considered as part of a bank’s due diligence:

  • strategies and goals;
  • legal and regulatory compliance;
  • financial condition;
  • business experience;
  • qualifications of key personnel and other human resources considerations;
  • risk management;
  • information security;
  • management of information systems;
  • operational resilience;
  • incident reporting and management processes;
  • physical security;
  • reliance on subcontractors;
  • insurance coverage; and
  • contractual relationships with other parties.

The Guidance describes ongoing monitoring throughout the duration of the relationship as integral to effective risk management, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party.  The Guidance also describes oversight and accountability measures for a bank’s third-party risk management program, documentation and reporting, and independent reviews.

Finally, the Guidance includes a statement that each banking agency will review its supervised banks’ risk management of third-party relationships as part of its standard supervisory processes.  Supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.

Recognizing that implementing these risk-management practices may be challenging, particularly for smaller banks, the Guidance suggests that a bank may use the services of industry utilities or consortiums, consult with other organizations, or engage in joint efforts to supplement its due diligence.  It further states that banks may engage external resources, refer to conformity assessments or certifications, or collaborate when performing ongoing monitoring in order to gain efficiencies or leverage specialized expertise.

At True Digital, we look forward to supporting our member banks by serving as an industry utility and a forum for collaboration.  The True Digital Platform supports banks’ risk management programs in the following ways, among others:

  • The True Digital Platform provides a mechanism for banks to keep a current inventory of their third-party relationships. This is important in demonstrating to banking supervisors that bank management has knowledge and oversight of those relationships.
  • The True Digital Platform’s database of vendors and products allows banks to better optimize their third-party relationships and efficiently identify the third parties that fit within their risk appetites.
  • The ability of banks to easily communicate with one another on the True Digital Platform facilitates the collaboration and information sharing that can be critical in all phases of the third-party risk management lifecycle. This is particularly important where it may be difficult to obtain information about a third party or to keep current on developments concerning it.
  • True Digital’s forthcoming monthly reporting feature, covering negative news and data on vendor usage (whether a vendor is adding or losing customers on the True Digital Platform), will provide insights that allow banks to better fulfill their obligation to monitor their third-party relationships.
  • Diligence questionnaire responses from vendors, which will be shared on the True Digital Platform, will make it easier for banks to quickly identify whether a vendor is engaged in critical activities and is high risk, and to focus their follow-on due diligence efforts accordingly.

We will continue to build out the Platform’s capabilities to serve as an industry utility that meets the ever-evolving innovation and regulatory needs of the banking industry.