Time to Review Your Third-Party Relationships… Again!

Understanding regulator expectations on managing third-party relationships just got a little bit easier. Earlier this month, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released “Third-Party Risk Management: A Guide for Community Banks,” presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices. Let’s break it down.

Risk Management

The Guide underscores the need for comprehensive initial risk assessments tailored to the third party and emphasizes governance practices, such as oversight mechanisms and documentation procedures. Because third-party relationships vary widely and pose different risks to different community banks, banks should tailor their risk management practices to their size, complexity, and risk profile, and periodic assessments should gauge the risks of each relationship. Effective risk management requires the active involvement of bank personnel with the requisite expertise at each phase of the process.

Five-Stage Life Cycle

The Guide lays out a five-stage life cycle for risk management of third-party relationships:

Planning. Planning is paramount because it enables a bank to proactively identify and mitigate risks associated with a proposed relationship. Key considerations include:

  • Assessing legal and compliance requirements applicable to the prospective activities.
  • Evaluating whether the anticipated benefits outweigh the potential costs and risks.
  • Determining the extent of interaction the third party will have with customers.

Due Diligence and Third-Party Selection. Adequate due diligence requires evaluating a third party’s ability to perform activities as expected and adhere to the bank’s policies and legal requirements. The Guide recommends an examination of the third party’s available resources and expertise, past performance, and utilization of technologies that may introduce greater risk. To assess the suitability of a third-party relationship, it is advised that banks examine various sources of information, such as audited financial statements and relevant policies and procedures. Additionally, banks should examine consumer complaints, strategic plans, training programs, audit reports, and insurance coverage to ensure a comprehensive risk assessment strategy.

Contract Negotiation. Banks need to align contract terms with their strategic objectives, regulatory requirements, and risk management policies. Contracts should set forth each party’s responsibilities, include governance and escalation protocols, address data access rights, and anticipate potential breach-of-contract scenarios.

Ongoing Monitoring. Continuous monitoring of third-party activities is necessary for ensuring compliance with contractual requirements and facilitating timely adjustments to risk management practices.

Termination. Although termination of a third-party relationship may become necessary, the Guide encourages banks to carefully consider the potential impact of termination during the planning phase to minimize costs and disruptions, especially for higher-risk activities. Considerations include assessing the effects of termination on bank operations and compliance with applicable laws and regulations, determining access to bank systems or information granted to the third party, and ensuring access to data for compliance with BSA requirements and other recordkeeping obligations. The Guide suggests leveraging resources such as third-party contract terms, transition plans, and strategies to minimize disruption to customer accounts and operations.