The federal government has released new guidance for banks to help them in managing third-party risks.
Over the summer, a trio of banking regulators proposed new guidance to help banks manage risks related to third-party relationships. The proposals — from the Federal Deposit Insurance Corp. (FDIC), the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) — are meant to consolidate earlier guidance each agency had proposed individually; public comments on the proposals are due by Sept. 17, 2021.
The guidance defines a third-party relationship as “any business arrangement between a banking organization and another entity, by contract or otherwise.” The term “business arrangement” is meant to be interpreted broadly so that banking organizations can identify all the relevant third-party relationships that might be affected by the guidance.
That broad definition recognizes the wide range of relationships between banking organizations and third parties, and it also takes into account the level of risk, complexity, and size of the banking organization as well as the nature of the third-party relationship.
As the proposed guidance notes, it “provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.”
Why do that at all? Because increasingly, banking organizations are outsourcing business services, and sometimes even products, to third parties. These services and products can include core bank processing, information technology services, accounting, compliance, human resources, loan servicing, mobile payments, credit-scoring systems, and customer point-of-sale payments.
That outsourcing can bring significant advantages to banks, such as quicker and more efficient access to new technologies, human capital, delivery channels, products, services, and markets.
At the same time, third-party relationships can introduce new risks, or increase existing ones, for banking organizations and their customers.
A January 2020 Ponemon Institute webinar revealed that in the past two years, 53 percent of all organizations have experienced at least one data breach caused by a third party, and a data breach costs an average of $7.5 million to remediate. At the same time, third-party vendors are notorious for low standards when it comes to cybersecurity and information protection.
And the financial industry faces unique threats, given how tempting banks are as targets for attackers and fraudsters — including attacks from internal employees as well as external threat actors. So as banks continue to rely on third parties, they must appropriately manage third-party relationships, including consumer protection, information security, and other operational risks.
The guidance is intended for FDIC-supervised institutions, but all financial institutions can benefit from the proposed framework to help reduce risks.
Following the guidelines can help your bank avoid failing to manage third-party relationships appropriately, a failure that can leave your firm exposed to considerable financial, operational, or compliance risk.
Hence a bank should invest the time to identify, assess, monitor, and control the risks associated with third parties and the services they provide.
Not all third-party relationships present the same level of risk, of course. Banks should pay more attention to third-party relationships that support mission-critical activities, including:
- Activities that could cause the bank to face significant risk if the third party fails to meet expectations.
- Activities that could cause significant customer harm.
- Activities that require significant investment in resources to implement the third-party relationship and manage risk.
- Activities that could cause major disruption if the bank suddenly had to find a substitute third party or to bring the service in-house.
Now let’s review the main guidelines for managing third-party risks and discuss what these guidelines mean for banks moving forward.
2021 Guidelines for Managing Third-Party Risks
The proposed guidelines are extensive and run more than 90 pages long. Highlights from the document include:
- The proposed guidance offers a framework based on sound risk management principles that banks can use to develop risk management practices throughout the life cycle of third-party relationships. These stages include planning to manage the relationship and its risks, due diligence and third-party selection, contract negotiation, oversight and accountability, ongoing monitoring, and termination.
- The proposed guidance also offers a framework that considers the level of risk, complexity, and size of the bank and the nature of the third-party relationship; and promotes compliance with applicable laws and regulations, including those related to consumer protection.
- The proposed guidance also discusses supervisory reviews of third-party relationships.
- Public comment on the proposed guidance is welcome until Sept. 17, 2021. The agencies will then consider that feedback and publish final guidance sometime in the future.
These new proposed guidelines will replace previous guidelines for third-party risk management (TPRM).
Although the guidance provides banks with a solid set of guidelines, the framework is not required. It is, however, strongly recommended for FDIC-supervised institutions and should be implemented by all banks to avoid regulatory, reputational, financial, and compliance risk.
As mentioned in the highlights, the proposed guidance sets forth principles for managing risk in each stage of a third-party relationship life cycle. Let’s take a closer look at each of these principles, and how banks can implement them into a third-party risk management program.
Best Practices for Third-Party Risk Management
As outlined in the proposed guidance, effective third-party risk management generally follows a continuous life cycle for all relationships in the supply chain. It should incorporate the following phases:
- Planning. Before you enter into a third-party relationship, evaluate the types and nature of risks in the relationship and develop a plan to manage the relationship and those risks.
As with all the phases of the third-party risk management life cycle, planning and assessment should be performed by those with the requisite knowledge and skills, including compliance, risk, or technology officers, legal counsel, and external support.
- Due diligence and third-party selection. Before you enter into contracts, conduct due diligence on third parties. Do not rely solely on experience with or prior knowledge of the third party.
The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship. Due diligence includes assessing a third party’s ability to perform the activity as expected, adhere to your policies, comply with all applicable laws, regulations, and requirements, and operate in a safe and sound manner.
Due diligence will also provide senior management with the information it needs to determine whether a relationship mitigates identified risks or poses additional risk. When a third-party relationship is high-risk or where it involves critical activities, perform more extensive due diligence.
To facilitate or supplement your due diligence, you may use the services of industry utilities or consortiums, including development organizations, consult with other banking organizations, or engage in joint efforts for performing due diligence to meet the established assessment criteria.
You should consider the following factors, among others, during your due diligence review of a third party:
- Strategies and goals
- Legal and regulatory compliance
- Financial condition
- Business experience
- Fee structure and incentives
- Qualifications and backgrounds of company principals
- Risk management
- Information security
- Management of information systems
- Operational resilience
- Incident reporting and management programs
- Physical security
- Human resources management
- Reliance on subcontractors
- Insurance coverage
- Conflicting contractual arrangements with other parties
- Contract negotiation. Once you have selected a third party, negotiate a contract that clearly specifies the rights and responsibilities of each party to the contract. Third parties may offer a standard contract, but banks may request additional contract provisions or addendums. Your organization’s board should be aware of and approve contracts involving critical activities before their execution, and legal counsel review may be necessary for significant contracts prior to finalization. You should review your existing contracts periodically to ensure they continue to address pertinent risk controls and legal protections.
You should consider the following factors, among others, during contract negotiations with a third party:
- Nature and scope of agreement
- Performance measures or benchmarks
- Responsibilities for providing, receiving, and retaining information
- The right to audit and require remediation
- Responsibility for compliance with applicable laws and regulations
- Costs and compensation
- Ownership and license
- Confidentiality and integrity
- Operational resilience and business continuity
- Indemnification
- Insurance
- Dispute resolution
- Limits on liability
- Default and termination
- Customer complaints
- Subcontracting
- Foreign-based third parties
- Regulatory supervision
- Oversight and accountability. Your board of directors (or a designated board committee) and management are responsible for overseeing your banking organization’s overall risk management process, including third-party risk management. Effective management teams need to establish responsibility and accountability for managing third parties commensurate with the level of risk and complexity of the relationship.
The board of directors and management will have different roles and responsibilities when overseeing the management of risks associated with third-party relationships. Boards are typically responsible for big-picture decision making, such as approving the bank’s policies that govern third-party risk management. Executing and implementing the board’s strategies and policies is management’s responsibility, and usually includes more day-to-day involvement such as reviewing and approving contracts with third parties.
In addition to designating roles and responsibilities for stakeholders, you’ll likely conduct periodic independent reviews of your third-party risk management program, particularly when third parties perform critical activities. The results of independent reviews can be used to determine whether and how to adjust your third-party risk management process, including policy, reporting, resources, expertise, and controls.
It’s also important that management properly documents and reports on its third-party risk management process and specific business arrangements throughout their life cycle. This facilitates the accountability, monitoring, and risk management associated with third parties. That documentation should include a current inventory of all third-party relationships, risk assessments, due diligence results, executed contracts, and more.
- Ongoing monitoring. This essential component of third-party risk management should occur throughout the relationship. The appropriate degree of ongoing monitoring should be commensurate with the complexity and level of risk of the third-party relationship. A higher-risk relationship should mean more comprehensive monitoring.
Since the level and types of risks may change over the lifetime of third-party relationships, you should adapt your ongoing monitoring practices accordingly, including changes to the frequency and types of reports from the third party, such as service-level agreement performance reports, audit reports, and control testing results.
You should also make sure to dedicate sufficient staffing with the necessary expertise, authority, and accountability to perform ongoing monitoring. This might include periodic on-site visits and meetings with third-party representatives to discuss performance and operational issues.
Ongoing monitoring should also include the regular testing of your banking organization’s controls to manage risks from third-party relationships.
- Termination. You might end a third-party relationship for a number of reasons specified in the contract: expiration of or dissatisfaction with the contract, a desire to seek an alternate third party, a desire to bring the activity in-house or discontinue the activity, or a breach of contract. When this happens, it’s important to terminate relationships in an efficient manner, and to transition the services promptly to another third-party provider or bring the services in-house.
While there is no one-size-fits-all third-party management framework, the proposed banking industry guidance is a good place to start.
Third-party risk management, however, is no easy task. Even with a framework to guide you, documenting and conducting due diligence reviews of third-party vendors and their security risks can take time, effort, and cost — especially if you’re relying on spreadsheets.
To automate your third-party risk management, you’ll need vendor risk management (VRM) software. A quality governance, risk, and compliance (GRC) software tool with VRM capabilities will get the job done.
ZenGRC Helps You Manage Third-Party Risks
Once you complete the onboarding process for a third party, keeping tabs on its security is only the beginning. From sending self-assessment questionnaires, to obtaining penetration testing results, to updating your vendor data continuously, the task of third-party management is never done.
Using ZenGRC from Reciprocity to automate management of your third-party vendors takes the hassle and the worry out of third-party risk management.
Continuous monitoring features ensure that you’re always aware of your third parties’ compliance. ZenGRC also streamlines workflows for you so you don’t have to do everything yourself. It even sends out questionnaires and tallies the results for you as they come in.
ZenGRC keeps track of vendors’ compliance with multiple frameworks, and provides continuous auditing in just a few clicks. Its user-friendly dashboards show you in real time which parties are compliant and which ones aren’t.
With ZenGRC automation for your third-party risk management tasks, you and your team can focus on other, more important tasks.
Schedule a demo to find out how ZenGRC can help your banking organization implement the framework in the new federal guidance and automate your third-party risk management today.