Pub. 14 2023 Issue 2

4. Ongoing Monitoring

The guidance notes that effective third-party risk management includes ongoing monitoring throughout the duration of the third-party relationship commensurate with the level of risk and complexity of the relationship and the activity performed by the third-party. Factors that should be considered as part of ongoing monitoring include:

• The overall effectiveness of the third-party relationship
• Changes to the third-party’s business strategy, financial condition, insurance coverage and key personnel
• Relevant audits, testing results and other reports that address capability of third-party to manage risks and meet contractual obligations and regulatory requirements
• Ongoing compliance with applicable laws and regulations
• Performance measured against contractual obligations
• Reliance on and use of subcontractors and risk management process for monitoring subcontractors
• Employee training
• Response to changing threats, new vulnerabilities and incidents impacting the activity
• Ability to maintain confidentiality and integrity of banking organization’s systems, information and data
• Volume, nature and trends of customer inquiries and complaints and adequacy of responses

5. Termination

When a bank needs to terminate a third-party relationship, the guidance recommends consideration of the following factors:

• Options for effective transition of services
• Relevant capabilities, resources and time frame required to transition the activity
• Costs and fees associated with termination
• Management of risks associated with data retention and destruction
• Handling of joint intellectual property
• Managing impact on customers

The guidance provides that the board of directors of the bank has the ultimate responsibility for providing oversight for third-party risk management and holding management accountable.
The board must consider whether third-party relationships are managed consistent with the bank’s strategic goals and risk appetite, whether there is appropriate periodic reporting on the third-party relationship and whether management has taken appropriate actions to remedy performance issues or changing risks. The guidance also lists certain activities that management should perform when carrying out their responsibilities in developing and implementing third-party risk management policies, procedures and practices.

Although the final guidance is broadly consistent with the regulator’s existing guidance and should not require significant updates to a bank’s third-party risk management framework, we recommend that bank management review the considerations set forth in the guidance against the bank’s existing risk-management policies and procedures to ensure that there are not areas that have been overlooked.

The proposed interagency guidance issued in July 2021 was revised to clarify that the guidance does not have the force and effect of law and does not impose any new requirements on banks.

Sandra M. Murphy focuses her practice on acquisition, regulatory, enforcement, corporate governance and securities law matters for banks and other financial institutions. Admitted to practice in West Virginia and Virginia, she leads the Bowles Rice Banking and Financial Services team. She can be reached at (304) 347-1131 or by email at

Amy J. Tawney focuses her practice on banking law, mergers and acquisitions, securities law and regulatory matters. She is admitted to practice in West Virginia and Virginia. Contact Amy by phone at (304) 347-1123 or by email at

14 West Virginia Banker