UPDATED GUIDANCE FROM THE FEDERAL BANKING AGENCIES ON THIRD-PARTY RISK MANAGEMENT

Third-party risk management (TPRM) has long been a critical aspect of a financial institution’s AML process, given the importance of third-party provision of technology, data management, human resources, and other services. Given this, it’s significant for BSA/AML officers that, last month, the FDIC, Fed, and OCC jointly issued updated TPRM guidance for banks, in order to “promote consistency in supervisory approaches.”

The guidance, which replaces existing TPRM advice, covers risk management practices for all stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination; and includes illustrative examples. As always, the regulators expect a risk-based approach that takes into account the level of risk, complexity, and size of the bank, and the nature of each third-party relationship. Third parties that support a bank’s critical activities, of course, warrant a greater degree of planning and consideration.

A driving factor for the regulators in issuing the updated guidance is, as Fed Governor Michelle Bowman said in a March speech at an Independent Community Bankers of America conference, to support innovation built on third-party partnerships. The banking regulators have taken recent actions to increase supervision of bank-fintech relationships. For example, the Fed in 2021 began providing state member banks with supervisory reports on their third-party partners.

It's instructive to take note of all of the considerations that regulators expect banks to take into account in addressing TPRM risk. They include:

· Planning: A bank should fully understand the strategic purpose of the business arrangement and how it aligns with its overall strategic goals; evaluate how the third-party relationship could affect bank employees; assess the impact on customers, including access to or use of customers’ information; understand potential information security implications; understand potential physical security implications; and outline the bank’s contingency plans in the event it needs to transition the activity to another third party or bring it in-house.

· Due Diligence and Third-Party Selection: As part of due diligence, a bank should consider the third party’s overall business strategy and goals and how the third party’s current and proposed strategic business arrangements (such as mergers, acquisitions, and partnerships) may affect the activity. Appropriate due diligence also includes an evaluation of the effectiveness of a third party’s own risk management policies, processes, and internal controls.

· Legal and Regulatory Compliance: A review of the legal and regulatory compliance considerations associated with engaging a third party.

· Qualifications and Backgrounds of Key Personnel: An evaluation of the qualifications and experience of a third party’s principals and other key personnel. The bank also should periodically conduct background checks on the third party’s key personnel and contractors who may have access to information technology systems or confidential information.

· Operational Resilience: An assessment of a third party’s operational resilience practices and its ability to effectively operate through and recover from any disruption or incidents, both internal and external.

· Contractual Arrangements with Other Parties: Consideration of a third party’s commitments to other parties that may introduce potential legal, financial, or operational implications to the bank.

· Responsibilities for Providing, Receiving, and Retaining Information: Contract provisions that specify the third party’s obligation to retain and provide timely, accurate, and comprehensive information to allow the bank to monitor risks and performance.

· Responsibility for Compliance with Applicable Laws and Regulations: It’s important for a contract to specify the obligations of the third party and the bank to comply with applicable laws and regulations.

· Subcontracting: A bank should address when and how the third party should notify the bank of its use or intent to use a subcontractor and whether specific subcontractors are prohibited by the bank.

· Default and Termination: An effective contract stipulates what constitutes default, identifies remedies, allows opportunities to cure defaults, and establishes the circumstances and responsibilities for termination.

· Regulatory Supervision: For relevant third-party relationships, contracts should stipulate that the performance of activities by third parties for the bank is subject to regulatory examination and oversight, including appropriate retention of, and access to, all relevant documentation and other materials.

· Ongoing Monitoring: Effective TPRM includes ongoing monitoring throughout the duration of the relationship to: (1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, and compliance lapses; and (3) respond to significant issues or concerns when identified.

· Governance: A bank’s board of directors has ultimate responsibility for providing oversight for TPRM and holding management accountable. The board also should provide clear guidance regarding acceptable risk appetite, approve appropriate policies, and ensure that appropriate procedures and practices have been established. A bank’s management is responsible for developing and implementing TPRM policies, procedures, and practices.

· Independent Reviews: It’s important for a bank to conduct periodic independent reviews to assess the adequacy of its TPRM processes. Such reviews typically consider whether the third-party relationships align with the bank’s business strategy, and with internal policies, procedures, and standards; whether risks of third-party relationships are identified, measured, monitored, and controlled; whether the bank’s processes and controls are designed and operating adequately; whether appropriate staffing and expertise are engaged to perform risk management activities throughout the TPRM life cycle; and whether conflicts of interest or appearances of conflicts of interest are avoided or eliminated.

· Documentation and Reporting: It’s important that a bank properly document and report on its TPRM process and specific third-party relationships throughout their life cycle, including maintaining a current inventory of all third-party relationships; planning and risk assessments related to the use of third parties; due diligence results and recommendations; executed contracts; reports addressing the quality and sustainability of the third party’s controls; and reports from third parties of service disruptions, security breaches, or other events that pose, or may pose, a material risk to the bank.

Dheeraj Maken

Financial Crime and Compliance Leader @ Everest Group | Program Management, Business Development | Ex - Accenture Strategy

1 year

This paper on Third-party risk management (TPRM) in financial institutions highlights the recently issued updated TPRM guidance by the FDIC, Fed, and OCC. The guidance emphasizes consistency in supervisory approaches to support innovation through third-party partnerships. The framework promotes a risk-based approach, considering factors such as bank size, complexity, and the nature of each relationship. I believe it's a valuable resource for BSA/AML officers and financial professionals seeking to manage third-party risks effectively.
