Key Considerations for Banks in Third-Party Risk Management

The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) have issued guidance setting out sound risk management principles for banking organizations' third-party relationships.

Banking organizations routinely rely on third parties for a range of products, services, and other activities. The use of third parties can offer banking organizations significant benefits, such as quicker and more efficient access to technologies, human capital, delivery channels, products, services, and markets. However, the use of third parties can reduce a banking organization’s direct control over activities and may introduce new risks or increase existing risks, such as operational, compliance, and strategic risks.

The agencies have issued joint guidance to promote consistency in supervisory approaches. The final guidance states that sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.

Here are some key factors for banks to consider in developing and implementing risk management practices for all stages in the life cycle of third-party relationships:

  • Risk Management Tailoring: Not all relationships present the same level of risk, and therefore not all relationships require the same level or type of oversight or risk management. A banking organization analyzes the risks associated with each third-party relationship and tailors risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship. Banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.
  • Third-Party Relationship Life Cycle: Effective third-party risk management generally follows a continuous life cycle for third-party relationships. The stages of the risk management life cycle of third-party relationships are planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. It is important to involve staff with the requisite knowledge and skills in each stage of the risk management life cycle.
  • Planning: Effective planning allows a banking organization to evaluate and consider how to manage risks before entering into a third-party relationship. Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers factors such as understanding the strategic purpose of the business arrangement, identifying and assessing the benefits and the risks associated with the business arrangement, and evaluating how the third-party relationship could affect banking organization employees.
  • Due Diligence and Third-Party Selection: Conducting due diligence on third parties before selecting and entering into third-party relationships is an important part of sound risk management. The scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship. Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers factors such as strategies and goals, legal and regulatory compliance, and financial condition, as part of due diligence.
  • Contract Negotiation: When evaluating whether to enter into a relationship with a third party, a banking organization typically determines whether a written contract is needed, and whether the proposed contract can meet the banking organization’s business goals and risk management needs. Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers factors during contract negotiations such as, among others, the nature and scope of the arrangement, performance measures or benchmarks, and responsibilities for providing, receiving, and retaining information.
  • Ongoing Monitoring: Ongoing monitoring enables a banking organization to confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations. Effective third-party risk management includes ongoing monitoring throughout the duration of a third-party relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party.
  • Termination: A banking organization may terminate a relationship for various reasons, such as expiration or breach of the contract, the third party’s failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bring the activity in-house, or discontinue the activity. Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers factors that facilitate termination, such as, among others, options for an effective transition of services, costs and fees associated with termination, and handling of joint intellectual property.
  • Governance: Proper oversight and accountability are important aspects of third-party risk management because they help a banking organization minimize adverse financial, operational, or other consequences. A banking organization’s board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable. The board also provides clear guidance regarding acceptable risk appetite, approves appropriate policies, and ensures that appropriate procedures and practices have been established.

By following these key principles, banking organizations can effectively manage the risks associated with third-party relationships and ensure they operate in a safe and sound manner, in compliance with applicable laws and regulations.
