Banks utilize third-party service providers to enhance their products and services, to gain access to new or better technologies, and to obtain an array of other business benefits and efficiencies.  Bank regulators have made it clear that banks cannot avoid their safety and soundness requirements or compliance with other applicable laws and regulations by delegating processes to third parties.  Thus, in addition to assessing and managing their own risks, banks must also assess and manage the risks associated with their third-party relationships.  Earlier this year, the Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal Reserve System (Board), and Office of the Comptroller of the Currency (OCC) issued updated interagency guidance on managing third-party risk utilizing a risk-based approach.[1]

The guidance includes risk-based principles for risk management of all third-party relationships.  A third-party relationship is any business arrangement between a banking organization and another entity, regardless of whether there is a contract between the parties or any monies are paid.  Third-party relationships include, but are not limited to, joint ventures, referral arrangements, and relationships where services are provided by affiliates and subsidiaries; consultants; outsourced entities; or merchant payment processors.  No third-party relationships are categorically excluded from needing oversight, even those that are low-risk.  Instead, bank risk management processes should be tailored to the risk level of a particular relationship.  Different third-party relationships will require varying levels of oversight by the bank.

The guidance provides that effective third-party risk management follows all five stages of the risk management life cycle: (i) planning; (ii) due diligence and third-party entity selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination.  A bank should begin its third-party risk management program by identifying all third parties that provide services to the bank and evaluating the risks of each relationship and how they will be managed.  This same planning process should be utilized prior to entering new third-party relationships.  The highest intensity of oversight and management should be applied to third-party relationships that support the critical activities of the bank. Critical activities are those that have the potential to substantially impact bank operations or customers, increase bank risk, or impact the bank’s financial condition.  The guidance recommends that plans to manage third-party risk for relationships involving the bank’s critical activities should be presented to, and approved by, the bank’s board of directors, or appropriate committee thereof.

The second phase of the risk management life cycle is due diligence.  The guidance provides that a bank should perform tailored due diligence in regard to a third-party provider before entering into a relationship with that provider.  Due diligence should determine whether the third-party provider can perform the activity, in compliance with all applicable laws and regulations, in compliance with the bank’s policies, and in a safe and sound manner.  The numerous factors to be considered during the due diligence phase are the third party’s: business strategy and goals; level of legal and regulatory compliance; financial condition; business experience; principals and other key personnel qualifications and experience (including periodic background checks); overall risk management, information security program; management of information systems; operational resilience; incident management and reporting; physical security; insurance coverage; and contracts with others.  The level of due diligence performed by the bank should be proportionate to the risk level and complexity of the third-party relationship, and the most comprehensive due diligence should be performed when the third party will support the critical activities of the bank.

The third phase of the risk management life cycle is contract negotiation.  The guidance provides that contracts with third parties should clearly state the obligations of the parties and support effective risk management and oversight by the bank.  If the bank is unable to negotiate all the terms it desires in a contract, it must determine whether the increased risk to the bank is acceptable and whether it can move forward with the relationship.  The guidance suggests that the bank’s board of directors, or appropriate committee thereof, should be aware of and should approve contracts with third-party providers who provide support for critical activities of the bank.  Legal review of these contracts is also desirable.

The fourth phase of the risk management life cycle is ongoing monitoring.  Ongoing monitoring keeps the bank knowledgeable about the third party’s performance and early signs of any increased risks.  Generally, monitoring activities include reviewing performance reports, on-site visits with the third party, and testing of the bank’s risk controls.  The bank may conduct ongoing monitoring periodically or continually.  A higher level or frequency of monitoring is desirable when the third-party relationship supports the bank’s critical activities.

The fifth and final phase of the risk management life cycle is termination, and the guidance recommends efficient termination.  Factors the bank should consider to aid in the termination of third-party relationships include the transition of services, resources and time required for a smooth transition; costs, data retention and destruction; information system access and control; intellectual property; and impacts on customers.  Throughout the entire risk management life cycle, the bank should document and internally report on its third-party risk management process for each provider.

The updated interagency guidance provides a consistent approach for banks to utilize in managing risks associated with their third-party relationships.  A recurring theme in the guidance is that banks should develop and implement third-party risk management policies and procedures that are commensurate with the bank’s size, risk appetite, and the level of risk and complexity associated with the third-party relationship.  Banks should utilize the principles provided in the guidance to develop this risk-based approach when creating and implementing risk management practices for all stages in the life cycle of their third-party relationships. 

For more information about this article or other legal banking issues, contact DeMarion Johnston, VBA General Counsel, at djohnston@vabankers.org. This article has been prepared for informational purposes only and is not legal advice.