Category: Resources

18 Aug 2023
Third-Party Risk Management Final Guidance – An In-depth Analysis

Third-Party Risk Management Final Guidance – An In-depth Analysis 

Background 

In July of 2021, the three primary bank regulators (OCC, FDIC, and Federal Reserve) proposed new guidance on third-party risk management (TPRM).  According to the agencies, “The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.”  In June of 2023 all three (OCC, FDIC, Federal  Reserve) jointly adopted the final guidance, stating that: “The final guidance offers the agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.”  The agencies issued this simultaneously to “promote consistency in supervisory approaches”, something we fully support and have long advocated.  It replaces each agency’s existing guidance on this topic and is applicable to all banking organizations supervised by the agencies (currently all financial institutions except credit unions). 

Analysis 

Since third-party relationships represent a significant amount of residual enterprise-wide strategic, operational, and information security risk to many financial institutions (we refer to this as the ‘inherited risk’), and because we believe regulators will greatly increase their scrutiny of your risk management efforts in this area, we’ve taken the last couple months to take a deep dive into the details of the guidance, and the potential implications to your TPRM program.  The following is a summary of our observations. 

The agencies are advising a 5-step continuous life-cycle, wrapped in a formal, 3-phase governance process: 

Each of the 5 phases consists of one or more sections, each of those with one or more statements:   

  1. Planning – 1 section, 11 statements 
  1. Due Diligence & Third-Party Selection – 14 sections, 40 statements 
  1. Contract Negotiation – 17 sections, 61 statements 
  1. Ongoing Monitoring – 1 section, 14 statements 
  1. Termination – 1 section, 6 statements 

and 

  • Governance – 3 sections, 29 statements 

In total, there are 161 statements to evaluate, and they range from what we’ve interpreted as strong recommendations (“It is important for contracts to stipulate…”), to what we’ve determined are general observations and best practices (“May want to consider whether the contract…”).   

Implications 

In addition to factoring the “must have vs. nice to have” interpretation of each statement into the analysis, institutions will also need to determine the applicability of each individual statement to your organization.  No fewer than 13 times in the guidance they mention some variation of “…commensurate with the banking organization’s risk appetite and the level of risk and complexity of its third-party relationships.”  This is the applicability filter through which your “implement/do not implement” determination will pass.   Simply put, although you should be familiar with each statement and its implications, you may not necessarily need to adopt them all.  Indeed, if you currently have and maintain a compliant third-party management program, many are very likely already in place.   

However, the single most important take-away for us is how the statements are distributed throughout the sections, which we believe give a pretty good indication of how the regulators will evaluate your TPRM program on the exam side.  The vast majority (~70%) of statements are clustered in what can be referred to as “pre-engagement” phase, or before you formally engage (by contract or otherwise) with the third-party; the Planning, Due Diligence and Contract phases: 

Does this mean that ~70% of your third-party management efforts going forward should be pre-engagement?  We think that is a reasonable assumption, and we anticipate that sooner or later the regulators will also align their expectations in that direction.  And since most compliant TPRM programs very likely already address the On-going Monitoring and Governance areas, the biggest challenge for most folks will be: 

  1. Evaluating each of the 112 statements in this pre-engagement phase, and determining, 
  1. Whether the statement is already addressed somewhere in your current program, 
  1. If not, deciding whether or not to implement it given the criticality, complexity, and nature of the service(s) provided by the third-party given your risk appetite. 

Pre-engagement vs. Pre-initiative 

Although significantly expanded here, due diligence and contract considerations have, to a greater or lesser degree, always been in place. However, the biggest challenge for most institutions will be in the Planning phase.  There are only 11 statements in this section, but they all address the risks of the business initiative itself, NOT the third-party!  These statements include items such as: 

  • “Understanding the strategic purpose of the business arrangement…” 
  • “Identifying and assessing the benefits and the risks associated with the business arrangement…”, and 
  • “Considering the nature of the business arrangement…” 

While most folks would consider these types of strategic (“why” instead of “how”) discussions to be beyond the scope of a traditional TPRM program, it is clear that regulators are certain to look for them going forward.  Make sure to build this pre-initiative “why” phase into your program.   

Summary 

As with all things in the compliance space, be sure to document your entire decision-making process and don’t hesitate to reach out to our experts for assistance.  As the guidance also states,  “A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.” 

The agencies have indicated that they plan to develop additional resources to assist smaller, less-complex community banking organizations in managing relevant third-party risks, and we’re keeping an eye on this.  In the meantime, we have created an interactive tool that lists all sections and statements, allows you to acknowledge each statement, add your notes, and track your overall progress.  Click here for a copy.   

We also offer a complimentary high-level regulatory compliance evaluation of your existing vendor management program. Click here to request more information. 

We will be hosting an in-depth webinar and analysis on this new guidance on September 20th. A registration link will be available on our webinar page within the next week. 

16 Apr 2011

SOC Report Selection & Evaluation Aids

With the SAS 70 phasing out on 6/15, financial institutions have a dual challenge; determining the best report to request, and evaluating the report they are provided.  To assist with this challenge, I’ve created two documents.

The first, or Step 1, is a SOC Selection Flowchart, which is available here.  This will assist in determining the most relevant report to request from your service provider.  Once you register your email address, I’ll automatically send the second (Step 2) document, the SOC Evaluation Flowchart.  Step 2 is still under development, as the AICPA has not yet completed the audits guides for the SOC 2 or SOC 3.

You will also have the opportunity to opt in (or opt out) of receiving notice of future regulatory compliance resources, like webinars, white papers, etc.  I hope you find the flowcharts and other resources useful.

Download SOC Selection Flowchart

27 Aug 2010

CAMELS ratings and regulatory reform

The ability of management to respond to changing circumstances, and to address the risks that may arise from changing business conditions, has become an area of increased examiner scrutiny in the wake of recent large financial institution failures.  Accordingly, the “Management” component is given special consideration when assigning a CAMELS composite rating.  What are the elements of this component, and how can you demonstrate compliance in this area?

Download this white paper now.

11 Aug 2010

About the FFIEC

The Council is a formal inter-agency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).