Federal banking regulators have jointly issued a guide to help community banks develop and implement their third-party risk management programs, policies, and practices. The Third-Party Risk Management, A Guide for Community Banks (the "Guide"), issued by the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency (collectively, the "Agencies"), is intended to be a resource for community banks to comply with specific guidance on third-party relationships issued by the Agencies in 2023 (the "Interagency Guidance")1.
The Agencies note that while the Guide is written for a community bank audience, banking organizations of all sizes and risk profiles may find it useful.
The Guide provides potential considerations, resources and examples through each stage of the third-party risk management life cycle. It is not a checklist and does not prescribe specific risk management practices or establish any safe harbors for compliance with laws or regulations. It also is not a substitute for the Interagency Guidance, but is intended to illustrate the principles discussed in the Interagency Guidance.
I. The Guide
A. Risk Management
The Guide notes that community banks should apply more rigorous risk management practices throughout the third-party relationship life cycle for third parties that support higher-risk activities, including critical activities. Characteristics of critical activities may include activities that could cause a banking organization to face significant risk if the third party fails to meet expectations, have significant customer impact, or have a significant impact on a banking organization's financial condition or operations. According to the Guide, in determining whether an activity is higher risk, banks may assess various factors, such as if the third party has access to sensitive data (including customer data), processes transactions, or provides essential technology and business services. Additionally, community banks should adjust and update their third-party risk management practices based on their size, complexity, and risk profile by periodically analyzing the risks associated with each third-party relationship.
B. Third-Party Relationship Life Cycle
The Guide lays out a five-stage life cycle of risk management of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination.
- Planning. The planning stage involves assessing potential risks and determining the necessary risk management resources for overseeing third-party relationships.
- Due Diligence and Selection. During the due diligence and third-party selection stage, a community bank should assess a particular third party's ability to perform the activity as expected, adhere to the community bank's policies, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner before forming a relationship. If the community bank cannot obtain desired due diligence information from the third party, it may consider alternative information, controls, or monitoring.
- Contract Negotiation. Before entering a contractual relationship with a third party, a community bank should consider contract provisions that meet its business objectives, regulatory obligations, and risk management policies and procedures. If a community bank has limited negotiating power, it is important for bank management to understand any resulting limitations and consequent risks.
- Ongoing Monitoring. Ongoing monitoring of the third party's performance enables bank management to determine if the third party is performing as required for the duration of the contract.
- Termination. This final stage involves ending the relationship efficiently, considering the impact on operations and compliance, and transitioning activities if necessary.
C. Governance
Governance throughout the life cycle includes oversight and accountability, independent reviews, and documentation and reporting.
- Oversight and Accountability. The board of directors is responsible for providing oversight for third-party risk management and holding management accountable.
- Independent Review. Periodic independent reviews are necessary to assess the adequacy of third-party risk management processes.
- Documentation and Reporting. Proper documentation and reporting facilitate control activities and vary depending on the complexity of third-party relationships.
II. Conclusion
The issuance of the Guide highlights the Agencies' focus on third-party risk management within the community banking sector. The guidance serves as a tool for community banks of all sizes to implement effective third-party risk management practices.
Footnote
1. See Interagency Guidance on Third-Party Relationships: Risk Management here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.