Interagency Guidance on Third-Party Risk Management: Top 10 Key Points to Keep in Mind
On June 6, 2023, federal banking agencies updated the guidance on managing third-party relationships, signaling a need for banks to further develop their third-party risk management (TPRM) strategies, particularly for critical and customer-facing partnerships. The guidance also establishes that ties with fintech firms should be treated as third-party engagements, regardless of their structure.
This move, alongside recent regulatory actions, highlights ongoing scrutiny of TPRM and suggests that banks should be proactive in equipping their personnel to handle third-party risks effectively, even for services not provided in-house.
This could involve banks acquiring external expertise to enhance their due diligence, risk analysis, and monitoring processes. Banks must perform a comprehensive gap analysis to identify and rectify weaknesses in their TPRM programs and bring them into line with the new guidance. Below are the key takeaways to keep in mind.
Top 10 Takeaways from the TPRM Interagency Guidance
The guidance extends beyond vendor relationships.
The guidance applies to all third-party entities (but can be customized).
The guidance is advice and should not be considered a legal or regulatory mandate.
Compliance, customer complaints, and consumer harm are common issues.
The guidance provides essential clarification on the supervision of third-party subcontractors.
The agencies define and distinguish the board of directors' and the management team's roles.
More resources are forthcoming, although the exact timing is yet to be determined.
Banks may use consortia, shared services, and other collaborative efforts to improve their due diligence operations.
It is uncertain whether the guidance gives banks greater leverage.
The guidance expands on the oversight responsibilities of regulators.
The guidance extends beyond vendor relationships
Previously, "vendor risk management" and "third-party risk management" were used synonymously. Now they diverge: the guidance covers all business relationships, not only contractual or compensated ones. It spans diverse arrangements, including consultants, referral setups, payment services, related entities, fintech ventures, data firms, and joint projects. It also applies to relationships with regulated third parties, such as banks servicing other financial institutions.
The guidance applies to all third-party entities (but can be customized)
The ABA notes many inquiries about how the guidance pertains to various third parties like data firms and fintechs. The guidance lays out broad risk management principles applicable across all third-party dealings rather than specifics. Yet, it doesn't call for a one-size-fits-all approach, acknowledging the need to tailor strategies to each relationship's context. Banks must ensure comprehensive oversight proportional to the risk, which may mean updating less developed third-party risk management (TPRM) programs and verifying the thoroughness of third-party inventories.
The guidance is advice and should not be considered a legal or regulatory mandate
The guidance offers banks an extensive set of due diligence considerations and contractual provisions to weigh when entering into third-party relationships. The agencies underline that these examples are neither exhaustive nor a checklist, and that supervisory guidance is not legally enforceable and does not create new legal responsibilities. While the clarification is helpful, banks must remain vigilant to ensure that the due diligence and contractual advice stays risk-focused and does not become a de facto checklist of required procedures that examiners apply broadly to third-party agreements.
Compliance, customer complaints, and consumer harm are common issues
The guidance reinforces the agencies' focus on compliance and consumer protection, including the role of a bank's third-party affiliates. It reaffirms that banks cannot outsource their legal obligations; they must ensure that third parties adhere to all applicable laws and regulations. The document frequently mentions the need for legal compliance, highlighting consumer protection, fair lending, and financial crime laws. This aligns with enforcement trends in which banks faced penalties because third parties failed to meet BSA/AML standards or engaged in deceptive practices that affected the banks' CRA ratings.
The guidance provides essential clarification on the supervision of third-party subcontractors
The guidance instructs banks to review how third parties manage their subcontractors, focusing on sound controls and risk mitigation, without requiring banks to oversee those subcontractors directly. Regulatory expectations remain stringent: banks are expected to incorporate subcontractor risk into their TPRM policies, for example by requiring third parties to adhere to bank standards, approving new subcontractors, or imposing additional measures. Some banks go further and contractually monitor and audit critical risk points, including "fourth parties."
The agencies define and distinguish the board of directors' and the management team's roles
The guidance clarifies the distinct roles in third-party oversight. The board considers whether relationships align with strategic goals and risk appetite, monitors reports, and addresses significant changes or issues. Management integrates risk management processes, oversees due diligence and monitoring, and ensures proper organizational support for risk management.
More resources are forthcoming, although the exact timing is yet to be determined
According to the guidance, the agencies intend to create additional resources to help community banks manage applicable third-party risks. However, no timetable for releasing these supplemental materials has been announced.
Banks may use consortia, shared services, and other collaborative efforts to improve their due diligence operations
Collaborative initiatives have long aimed to expedite the due diligence process. The guidance allows banks to use collaborative assessments but cautions against relying solely on them or on third-party reviews. Banks should treat them as supplementary inputs, weighed against their own distinct risk profiles and requirements. The guidance also underlines the need to understand the scope and significance of any additional due diligence and to incorporate these collaborative arrangements into the bank's broader third-party risk management (TPRM) operations.
It is uncertain whether the guidance gives banks greater leverage
The impact of the guidance on banks dealing with uncooperative third parties or weak negotiating positions is unknown. It recommends considering such factors when evaluating third parties and notes that some may refuse due diligence requests because of their market power. Banks should identify such limitations, acknowledge the related risks, pursue risk reduction techniques, or consider alternative third parties if the risks remain too high. On contractual terms, it likewise acknowledges that banks may not be able to obtain every clause they seek and asks them to understand any resulting constraints.
The guidance expands on the oversight responsibilities of regulators
The guidance outlines the agencies' authority to examine third-party operations performed for banks, emphasizing safety, soundness, legal compliance, consumer protection, and equitable access. It permits corrective measures in cases of legal violations or financial misconduct. It lists the critical TPRM program components subject to review, emphasizing staff knowledge and legal compliance. Examiners will review management's monitoring of third-party relationships, test transactions for legal compliance, and evaluate risks and the effectiveness of risk management to assure safe and legal operations.
Conclusion
The revised interagency guidance on third-party risk management emphasizes the need for banks to refine their TPRM strategies. It holds fintech collaborations to the same standards as traditional third-party relationships and underlines the importance of preparing bank personnel to handle these risks effectively. Banks must perform thorough gap analyses, close any gaps relative to the guidance, and improve their due diligence and risk management systems.
The emphasis on collaboration, staff knowledge, and stringent regulatory supervision lays out a clear path for banks to guarantee that their third-party relationships are secure, compliant, and consistent with their strategic goals.
Banks seeking to align with the new TPRM guidance should choose Predict360 TPRM Software for its efficiency and compliance-oriented features.