By: Edward Pugh, CAMS, CAMS-Audit, AAP, CFE
Financial institutions are increasingly relying on third parties for a broad range of products and services. Utilizing third parties can offer organizations significant benefits, including access to new technologies, delivery channels, products and services, and increased operational efficiencies. However, engaging third parties, especially those using new technologies, can expose financial institutions and their customers to increased risk. Operational, compliance, and strategic risks are often affected by the use of third parties. Given the increase in the number and type of third parties engaging with financial institutions, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) released Interagency Guidance on Third-Party Relationships: Risk Management in June of 2023.
Interagency Guidance on Third-Party Risk
The aforementioned guidance addresses all business arrangements between a financial institution and another entity, whether or not a formal contract exists. Third-party relationships can include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. While there are many benefits to using third-party services, their use can reduce an institution’s direct control over activities and may introduce new or increased risks. Thus, it is important for an institution to identify, assess, monitor, and control risks related to third-party relationships.
A critical element of third-party risk management is to develop and maintain a complete inventory of third-party relationships. This also includes periodically conducting a risk assessment for each relationship. This process allows an institution to determine its risk and whether that risk has changed over time. The overall goal is to be able to update risk management practices as circumstances and risks change. Third parties performing more critical activities, such as those that may affect customers or the institution’s financial condition or operations, warrant more robust oversight.
Third-Party Risk Management Life Cycle
The Interagency Guidance identifies planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination of the relationship as the stages of the risk management life cycle.
Key elements of the planning stage include assessing a potential third party’s impact on customers, including access to or use of those customers’ information, third-party interaction with customers, potential for consumer harm, and handling of customer complaints and inquiries. Attention should also be paid to the information security implications, including access to the institution’s systems and to its confidential information. The planning phase should also determine how the institution will select, assess, and oversee the third party, including monitoring compliance with applicable laws, regulations, and contractual provisions. Requiring remediation of compliance issues is an important element to consider.
Due diligence includes assessing the third party’s ability to perform the activity as expected, adhere to the institution’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner. The Guidance notes that, “Relying solely on experience with or prior knowledge of a third party is not an adequate proxy for performing appropriate due diligence, as due diligence should be tailored to the specific activity performed by the third party.” It is critical for an institution to identify and document any limitations of its due diligence, understand the risks arising from those limitations, and consider alternative risk mitigation. Factors to consider in performing due diligence include:
- strategies and goals
- legal and regulatory compliance
- financial condition
- business experience
- qualifications and backgrounds of key personnel
- risk management
- information security
- management of information systems
- operational resilience
- incident reporting and management processes
- physical security
- reliance on subcontractors
- insurance coverage
- contractual arrangements with other parties
Contract negotiations are also an important element of third-party risk management. Factors to consider include the nature and scope of the arrangement, performance measures or benchmarks (i.e., a service level agreement), responsibilities for providing, receiving, and retaining information, the right to audit and require remediation, responsibility for compliance with applicable laws and regulations, costs and compensation, ownership and licensing, confidentiality and integrity, operational resilience and business continuity, indemnification and limits on liability, insurance, dispute resolution, customer complaints, subcontracting, the involvement of foreign-based third parties, and default and termination arrangements. It is also important to stipulate that the performance of the activities is subject to regulatory supervision and examination.
Ongoing monitoring allows a financial institution to confirm the quality and sustainability of the third party’s controls and its ability to meet contractual obligations, to escalate significant issues or concerns, and to respond to such issues or concerns when identified. Depending on the complexity of the activities being performed, ongoing monitoring can include a review of reports regarding the third party’s performance and the effectiveness of its controls, periodic visits and/or meetings to discuss performance and operational issues, and regular testing of the financial institution’s own controls that manage risks from its third-party relationships, especially for more complex relationships. Additional factors to consider when performing ongoing monitoring include the overall effectiveness of the relationship, changes to the third party’s business strategy and agreements with other entities, changes in financial condition, insurance coverage, relevant audit and/or testing results, and the third party’s ongoing compliance with applicable laws and regulations and its performance as measured against contractual obligations. Depending on the complexity of the relationship, further factors may also be considered.
The final stage, termination, is also an important element of the risk management life cycle. There are many reasons an institution may wish to terminate a relationship with a third party. Factors that facilitate an orderly termination include options for an effective transition of services, costs and fees associated with termination, managing risks associated with data retention and destruction, handling of joint intellectual property, and managing risks to the financial institution, including any impact on customers, if the termination happens as a result of the third party’s inability to meet expectations.
Governance in Third-Party Risk Management
There are many ways an institution can structure its third-party risk management processes. The accountability structure may be dispersed across business lines or may be centralized. Regardless of the structure, the following practices should be considered throughout the risk management life cycle: oversight and accountability, independent reviews, and documentation and reporting.
Upholding Responsibilities in Third-Party Relationships
This summary is not intended to be a comprehensive review of the Agencies’ Interagency Guidance on Third-Party Relationships: Risk Management released on June 6, 2023. As a reminder, the use of third parties does not diminish or remove financial institutions’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations. The full text of the Guidance may be found here: Interagency Guidance on Third-Party Relationships: Risk Management (occ.gov)
Optimize Your Risk Strategy with Y&A’s Expertise
Discover our customizable Vendor Risk Management Policy, which provides guidance on managing risks from outsourced relationships. This comprehensive policy covers responsibilities, risk assessment, due diligence, contracts, security, confidentiality, controls, business resumption, and monitoring. Learn more here.
For insights into vendor due diligence or program refinement, please reach out to Michael Gerbick at [email protected] or contact us on our website. Strengthen your risk approach with our expertise – connect with us today.