Issue 4. 2022

a risk assessment, due diligence, contract structuring and review, and ongoing oversight. The proposed guidance significantly expands risk management by introducing the Third-Party Relationship Life Cycle.

The Life Cycle starts with the first step of planning, which includes a risk assessment that, at a minimum, considers the risk areas described above; identifies performance criteria, internal controls, reporting needs, and necessary contractual requirements; assesses management’s ability to provide adequate oversight; and contemplates the consequences of the provider’s failure. In addition to the risk assessment, planning includes the commensurate steps for appropriate risk management. Planning should be a collaboration among members of management with the requisite expertise and may involve managers from across the bank’s business lines, such as compliance, information technology, and legal counsel, in addition to the area directly impacted by the third party’s product or service.

The next step of the Life Cycle is due diligence commensurate with the criticality of the proposed activity and level of risk identified in the risk assessment. Due diligence should include an assessment of the provider’s ability to perform as expected considering its financial condition, business experience, and operational resilience; comply with the bank’s policies as well as applicable federal and state laws; and operate in a safe and sound manner. In some cases, an onsite visit may be warranted.

After a provider has been selected, the contract negotiation considers service level agreements, required reporting, compliance with applicable laws and regulations, the bank’s right to audit the provider, complaint and dispute resolution, and the use of subcontractors, among other provisions. Following contract execution and provider onboarding, ongoing monitoring should be performed commensurate with the risk level determined during the planning stage.
Ongoing monitoring may be similar to the initial due diligence, with an added focus on fulfilment of contract requirements, and should include an update to the risk assessment based on the results of the monitoring.

The final stage of the Life Cycle is the termination of the relationship, which should be handled efficiently to minimize the impact on operations and the bank’s customers. However, termination should really be contemplated during the planning stage, including consideration of the implications if the provider fails to perform to expectations or, in the worst-case scenario, the provider ceases operations.

Woven into the proposed guidance is a focus on fourth parties – a third-party provider’s subcontractors – and bank management

The proposed guidance significantly expands upon risk management by introducing the Third-Party Relationship Life Cycle, which is depicted in the following Stages of the Risk Management Life Cycle graphic.

Source: Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency. Proposed Interagency Guidance on Third-Party Relationships: Risk Management.

The use of subcontractors must be considered during all stages of the Life Cycle.