FDIC, FRB and OCC Issue Interagency Guidance on Third-Party Relationships

On June 6, 2023, the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“FRB”) and the Office of the Comptroller of the Currency (“OCC”) issued their final Interagency Guidance on Third-Party Relationships (“Guidance”). The Guidance provides principles that banking organizations should consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.

The new Guidance replaces each agency’s existing guidance regarding risk management practices for third-party relationships, including the FRB’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance and 2020 frequently asked questions. The Guidance is not legally binding and does not impose any new requirements on banking organizations, but outlines principles banking organizations can leverage when developing and implementing risk management processes adapted to the risks and complexity of their third-party relationships. In publishing the Guidance, the agencies emphasized that “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”

The Guidance addresses business arrangements between a banking organization and another legal entity. Notably, the Guidance provides that a third-party relationship may exist despite the absence of a contract or remuneration. Examples of third-party relationships include outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, joint ventures and services provided by affiliates and subsidiaries.

Under the Guidance, a banking organization should analyze the risks associated with each third-party relationship and tailor risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship. Where third-party relationships support higher-risk activities, including “critical activities,” banking organizations should implement more comprehensive and rigorous oversight and management. An activity may be considered “critical” if it could (1) cause a banking organization to face significant risk if the third party fails to meet expectations; (2) have significant customer impacts; or (3) have a significant impact on a banking organization’s financial condition or operations.

The Guidance provides that effective management of third-party relationships follows a continuous, five-stage life cycle that includes: (1) planning, (2) due diligence and third-party selection, (3) contract negotiation, (4) ongoing monitoring and (5) termination. The planning stage allows a banking organization to evaluate the risk profile of a third-party relationship and consider risk management before entering into the relationship. Certain third-party relationships may require a greater degree of planning and consideration. For example, where a third-party relationship involves critical activities, a banking organization may present plans to and seek the approval of the organization’s board of directors.

The second stage, due diligence, includes assessing a third party’s ability to: (1) perform the activity as expected, (2) adhere to a banking organization’s policies related to the activity, (3) comply with all applicable laws and regulations, and (4) conduct the activity in a safe and sound manner. The Guidance provides that the scope and degree of the due diligence should be commensurate with the level of risk and complexity of the third-party relationship. As part of due diligence, a banking organization typically considers factors, including but not limited to the following with respect to the third party: (1) strategies and goals; (2) legal and regulatory compliance; (3) financial condition; (4) business experience; (5) qualifications and backgrounds of key personnel and other HR considerations; (6) risk management; (7) information security; (8) management of information systems; (9) operational resilience; (10) incident reporting and management processes; (11) physical security; (12) reliance on subcontractors; (13) insurance coverage; and (14) contractual arrangements with other parties.

If a banking organization determines that a contract is needed with a third party, the organization begins contract negotiation, the third stage of the life cycle. During this stage, a banking organization typically negotiates contract provisions to facilitate risk management and oversight and specify the expectations and obligations of both parties, tailoring the provisions to the risk and complexity of the third-party relationship. The Guidance states that a banking organization’s board of directors should be aware of and, as appropriate, approve of contracts involving higher-risk activities. During contract negotiations, a banking organization may consider factors such as (1) the nature and scope of the arrangement; (2) performance measures or benchmarks; (3) responsibilities for providing, receiving and retaining information; (4) the right to audit and require remediation; (5) responsibility for compliance with applicable laws and regulations; (6) costs and compensation; (7) ownership and license; (8) confidentiality and integrity; (9) operational resilience and business continuity; (10) indemnification and limits on liability; (11) insurance; (12) dispute resolution; (13) customer complaints; (14) subcontracting; (15) foreign-based third parties; (16) default and termination; and (17) regulatory supervision.

Through ongoing monitoring, the fourth stage of the life cycle, a banking organization can: (1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and (3) respond to such significant issues or concerns when identified. Monitoring activities typically include: (1) review of reports regarding the third party’s performance and the effectiveness of its controls; (2) periodic visits and meetings with third-party representatives to discuss performance and operational issues; and (3) regular testing of the banking organization’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities.

When a banking organization enters the last stage of the life cycle, termination, it must terminate third-party relationships in an efficient manner, including where activities are transitioned to another third party, managed internally or suspended.

The Guidance indicates that, in structuring a third-party risk management process, banking organizations typically consider oversight and accountability, independent reviews, and documentation and reporting. The banking organization’s board of directors should provide oversight and accountability. In particular, the board should oversee third-party risk management, provide clear guidance regarding acceptable risk tolerance, approve relevant policies and ensure the establishment of appropriate procedures and practices. The third-party risk management processes also should include periodic independent reviews to evaluate the adequacy of the processes, as well as proper documentation of and reporting on the processes and individual third-party relationships.
