NEW BANK GUIDANCE: Regulators Share Direction on Third-Party Risk Management

Financial institutions are increasingly ramping up partnerships with third-party organizations to improve banking technologies that promote efficiencies and cost savings or to add new banking products that drive revenues. As these partnerships increase, the risk to the banking system is also increasing.

In June, the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve and the Office of the Comptroller of the Currency released finalized interagency guidance on third-party risk management practices that financial institutions must consider when entering into business arrangements with third parties.

Although the final guidance — which was issued and went into effect June 6, 2023 — did not differ significantly from the third-party risk management proposal released in July 2021, there were some notable adjustments. Two of note were the need for financial institutions to establish a complete inventory of all third-party relationships and to call out such relationships with fintech organizations that interact directly with an institution’s customers.

The principles-based guidance allows institutions to look at their third-party relationships using a risk-based approach. Higher-risk activities, including critical activities, should receive more comprehensive and diligent oversight from management. While larger banks already have a number of these risk management practices in place, the guidance formalizes such practices. Smaller community and regional banks will likely have more work to do to follow this guidance, which will be particularly relevant for institutions with significant relationships with fintech companies.

The guidance describes the process institutions should use throughout the life cycle stages of the third-party relationship and what practices management should employ to appropriately govern the risks through those stages.

THIRD-PARTY RELATIONSHIP LIFE CYCLE

The guidance provides five key points that institutions should integrate into their risk management procedures over the entire life cycle of a business arrangement with a third party:

1. Planning: Before conducting business with a third party, an effective plan to determine the type of risk and related complexities involved is essential. Once the institution identifies such risks, it can design and establish necessary mitigation techniques. The guidance specified that to understand the risks associated with a third party, an institution should carefully consider the following in the planning process:

• The strategic purpose of the arrangement
• Benefits and risks of the relationship
• The volume of transactions involved
• Related direct and indirect costs
• The impact of the relationship on employees and customers
• The physical and information security implications
• Monitoring the third party’s compliance with laws and regulations
• Ongoing oversight of the relationship
• Potential contingency plans

Once an institution fully evaluates all factors, it can build a risk matrix to visualize whether the exposure involved in the relationship would be within the institution’s risk tolerance levels.

2. Due diligence: The new guidance states that the level of due diligence an institution needs to perform on a third party should be proportionate to the risk associated with the potential relationship. Where the arrangement points to greater complexities or higher risk to the bank, the bank should deploy more thorough due diligence procedures. No matter the arrangement, institutions need to evaluate their ability to identify, assess, monitor and mitigate risks that arise. If a financial institution is unable to perform the appropriate due diligence on a prospective third party and has not considered proper alternatives to support the relationship, the bank may likely need to forgo the relationship.

BY BRANDON KOESER, Financial Services Senior Analyst, RSM, and ANGELA KRAMER, Financial Services Senior Analyst, RSM

Utah Banker