In July of 2021, the three primary bank regulators (OCC, FDIC, and Federal Reserve) proposed new guidance on third-party risk management. According to the agencies, “The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.”
After an extended comment period ending in September 2021, regulators are now digesting the feedback, and we expect final guidance to be issued in the not-too-distant future. The proposed guidance states that it would “…replace each agency’s existing guidance on this topic…”, and we believe that institutions would greatly benefit from the consistency that a consolidation of (often conflicting) guidance in this area will bring. We’ll reserve a more in-depth analysis of the guidance for its final release. However, since third-party relationships represent a significant amount of strategic, operational, and information security risk to financial institutions, we think it’s only prudent to take an early look at what changes the final guidance may require. Even at this early stage, there are strong indications that significant changes may be coming.
Again, although the final guidance will look different from the proposed version, we believe the basic structure of the guidance will stay the same, with only the implementation details changing. With that as a given, one of the stark differences between current guidance and best practices in this area vs. what is being proposed is the sheer amount of “pre-vendor” analysis they will expect you to perform. In fact, while the traditional approach places most of the emphasis (and effort) on the on-going management of existing relationships, going forward the agencies are proposing a 6-step process that places the vast majority of third-party management practices prior to the third party actually becoming a vendor. The 6 steps are:
- Planning
- Due Diligence and Third-party Selection
- Contract Negotiation
- Oversight and Accountability
- On-going Monitoring
- Termination
Notice that the first 3 steps are actually pre-contract (i.e., pre-vendor) activities, with on-going monitoring relegated to step 5. Furthermore, steps 2 and 3 require 13 and 18 separate considerations, respectively. Of course, the criticality of the third party should always determine the degree of scrutiny, and key vendors will require the most, but in all likelihood regulator expectations will be increased for all third parties across the board. More to come, but institutions would be well-advised to at least familiarize themselves with the new framework, so they aren’t completely blindsided. We’ve prepared a high-level extract of the framework as it is currently proposed. Click here for a copy.