Three’s a Crowd: Third-Party Risk Management

C/A Staff

Little did the OCC know that when they issued Bulletin 2020-10 back in early March 2020 they were looking into the future, right at the risks resulting from COVID-19. Bulletin 2020-10 presented frequently asked questions on third-party relationships to supplement the prior Bulletin 2013-29. The OCC attempted to clarify its existing guidance to reflect evolving industry trends.

COVID-19 brought third-party risk management under a microscope. During a time of crisis, it is imperative that banks know who their critical suppliers are, that they remain proactive in monitoring them for risk, and that they ensure those suppliers are complying with business continuity plans. OCC Bulletin 2020-10 emphasized not only a need for risk management, but also a need to periodically assess existing third-party relationships to determine whether the nature of the activity performed constitutes a critical activity. It aims to help organizations understand the topics that arise within an effective third-party risk management program. A bank's reliance on third parties does not diminish its responsibility to perform activities in a safe and sound manner. It is important to remember, though, that all third-party risk management must be commensurate with the level of risk and complexity of the bank's third-party relationships.

Third-party relationships are any business arrangement between a bank and another entity, by contract or otherwise. “Business arrangement” is broad in scope and is used synonymously with the term third-party relationship. This can include outsourced products and services, independent consultants, networking arrangements, merchant payment processing, joint ventures, referral arrangements, (are you out of breath yet?) appraisers and appraisal management companies, professional service providers and a multitude of other business arrangements. Banks need to conduct in-depth due diligence and ongoing monitoring of each of their third-party service providers that support critical activities. Where a provider does not supply all the information the bank seeks, the bank may need to use alternative means to obtain it.

Everyone knows what risks can arise from third-party relationships: reputational, operational, business continuity and resilience, information security and privacy, strategic, regulatory, and financial risks, to name a few. Risk-mitigating controls must be in place so that risk-based decisions can be made. It is important that banks consider a comprehensive, data-driven way to control the risk introduced through third-party relationships. Banks also need to ensure that their third-party contracts are actually meeting the bank’s needs. Organizations need to be confident that the services being outsourced are secure and resilient.

Mature third-party risk management programs have adopted a three-tier structure of first, second and third lines of defense. Implementation of these tiers will vary by institution, but the overall concept remains the same: starting at the business or business unit level, the program is aimed at preventing risk exposure and protecting the organization. The COVID-19 pandemic has exposed issues within many companies, particularly a lack of visibility into their third-party relationships. Thorough third-party risk management processes, particularly those referencing the OCC’s 2020-10 Bulletin, will help stakeholders with access to the business and its operations meet their program’s standards (and any regulatory expectations).