Pub. 13 2023-2024 Issue 4

One Rule for All

INTERAGENCY GUIDANCE FOR THE RISK MANAGEMENT OF THIRD-PARTY RELATIONSHIPS

By Julia A. Gutierrez, Director of Education, Compliance Alliance

The day-to-day functions of a financial institution would be impossible without the ability to outsource. Recently, existing guidance applicable to each specific regulatory agency — the Federal Reserve (Board of Governors of the Federal Reserve System), the FDIC (Federal Deposit Insurance Corporation) and the OCC (Office of the Comptroller of the Currency) — was replaced with a single rule, the Interagency Guidance on Third-Party Relationships: Risk Management (Interagency Guidance). The Interagency Guidance aligns the regulatory requirements and risk management expectations of third-party relationships among the “agencies” (Federal Reserve, FDIC and OCC).

Financial institutions routinely rely on third-party relationships for their day-to-day functions and existence. In today’s ever-growing world of speed and technology, it would be nearly impossible to be successful and competitive without outsourcing to third-party vendors. Financial institutions may rely on outsourcing for a range of products, services and other activities. Outsourcing allows financial institutions a number of significant benefits including faster and more efficient access to technologies, human capital, delivery channels, products and services, and markets. It can also mean a more cost-effective operational existence overall.

Despite the option to outsource certain functions and activities, financial institutions must still adhere to risk management and compliance expectations. The use of third-party relationships does not eliminate the need for sound risk management within an organization. In fact, it’s quite the opposite when it comes to third-party relationships. Third-party relationships, especially those involving new technologies, could present an even higher or more elevated risk for financial institutions.
A phrase we commonly use in the compliance industry is, “You can contract away the function, but you can’t contract away the compliance responsibility.” Financial institutions must understand their responsibilities to ensure safe and sound third-party relationships and practices in conjunction with the compliance of all applicable laws and regulations, including those intended to protect consumers.

The New Interagency Guidance

On June 6, 2023, the federal banking agencies issued the Interagency Guidance. Much of what is outlined in the new Interagency Guidance is already somewhat familiar to the agencies. The core concepts of the Interagency Guidance remain consistent with the individual agency guidance that existed prior. The new Interagency Guidance provides consistency and an interagency approach to managing third-party risk. This is especially important for those relationships which involve critical third parties and relationships that are customer-facing or may otherwise be impactful to consumers.

The new Interagency Guidance was developed to align with the expectations and best practices in other areas of risk management. It creates a vendor management lifecycle which includes six steps:

1. Planning for a relationship
2. Due diligence and third-party selection
3. Contract negotiation
4. Oversight and accountability
5. Ongoing monitoring
6. Termination

It’s worth noting that the guidance is broadly applicable and applies to all business arrangements. It doesn’t specifically address the various categories or the types of third parties, such as artificial intelligence or fintech firms. But the principles within the guidance will apply to all third parties and third-party

Colorado Banker 14
