utah.bank 12

RISK MANAGEMENT OF THIRD-PARTY RELATIONSHIPS
By Tracey Levandoski, CRCM, CrossCheck Compliance, LLC

On July 19, 2021, the regulatory agencies issued Proposed Interagency Guidance on Third-Party Relationships: Risk Management. The proposed guidance consolidates all prior guidance, offers a detailed framework covering all stages in the life cycle of third-party relationships, and takes into account the level of risk, complexity, and size of the bank, as well as the nature of the third-party relationship. While it is unclear when the proposal will be finalized, the principles of sound third-party risk management remain the same.

Governance and Oversight

Under current guidance, the bank’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships to the same extent as if the activities were handled directly by the bank. The proposed guidance states that using third parties does not diminish the bank’s responsibility to perform an activity in a safe and sound manner and in compliance with applicable laws and regulations. For evidence that the regulators will not allow a bank to outsource its accountability and responsibility to third-party providers, one only needs to read a few consent orders in which banks were held accountable for the actions of their third-party providers.

The Primary Focus of Third-Party Risk Management – Significant vs. Critical

Current guidance focuses the attention of third-party risk management on significant relationships and further defines what types of relationships should be considered significant, such as providers who:

- Introduce a new relationship or a new bank activity;
- Perform critical functions for the bank;
- Have access to sensitive customer information;
- Market bank products or services;
- Provide products or services involving subprime lending or card payment transactions; or
- Pose risks that could significantly affect earnings, capital, or the bank’s reputation.

Additionally, the nature of risk in the context of the current or planned use of a third party should be understood in conjunction with the risk areas you consider in everything else you do:

- Strategic Risk – Does the use of the third party’s services align with the bank’s strategic goals?
- Reputation Risk – What risk does using the third party contribute to the bank’s good name in the community?
- Operational Risk – Do the third party’s processes integrate compatibly with the bank’s processes?
- Transaction Risk – What is the risk of the third party’s failure to perform as expected?
- Credit Risk – What is the credit risk of the third party? What credit risk does the third party introduce when, for example, it uses proprietary credit models for underwriting loans on the bank’s behalf?
- Compliance Risk – What is the exposure if the third party violates laws or fails to comply with the bank’s internal policies?

The proposed guidance is intended for all third-party relationships but is especially important for relationships that are relied on to a significant extent, entail greater risk and complexity, and involve critical activities.

Critical activities:

- Cause significant risks if the third party fails to meet expectations
- Have significant customer impacts
- Require significant investment in resources to implement the activity and manage the risk
- Cause a major impact on the bank’s operations if an alternative must be found or the activity must be brought in-house

Regardless of the approach to defining significant or critical service providers, the bank should implement a sound methodology for designating which relationships receive more comprehensive oversight and risk management.

The Risk Management Process

Under the current guidance, the key to the effective use of a third party is to appropriately assess, measure, monitor, and control the risks associated with the relationship, which includes