On June 6th, the Federal Reserve, FDIC, and OCC released new interagency guidance on third-party risk management. The new guidance, based on existing OCC guidance from 2013 and 2020, calls for a level of due diligence that may surprise institutions regulated by the Federal Reserve or FDIC. Even OCC-regulated banks will find some new requirements in it.
The biggest shock may be regarding the definition of a third party. The new guidance defines a third-party relationship as “any business arrangement between a banking organization and another entity, by contract or otherwise”, and goes on to state that “a third-party relationship may exist despite a lack of a contract or remuneration.” This definition will impact institutions regulated by the Federal Reserve and FDIC, as the previous definition did not require consideration of third parties with whom the bank did not have a contractual relationship. It is my experience that most institutions outside of OCC regulation would NOT include third parties that do not have a written contract or exchange of money. Banks will need to work harder to develop an inventory of third parties without relying on accounts payable or contract management systems.
The new guidance focuses on a third-party relationship life cycle, mostly adopted from previous OCC guidance. The stages of this life cycle are Planning, Selection, Contract Negotiation, Monitoring, and Termination. While many of the topics in this life cycle were addressed by the other agencies in previous guidance, some adjustments will be needed. For instance, the new guidance requires much deeper due diligence prior to selecting a third party, and many banks will need to add this step to their program.
During contract negotiation, the new guidance introduces several new areas of focus: a requirement that contracts obligate the third party to notify the bank of any events that pose a significant risk to the bank or its customers; a requirement that the board be made aware of new contractual relationships involving high-risk activities; and a recommendation that banks consider prohibiting the transfer of the third party's obligations without the bank's prior consent.
During ongoing monitoring, the new guidance lists many more potential monitoring items than previous guidance did, and it states that the scope of monitoring for any third party should be based on the inherent risk of the relationship. Banks will need to ensure that their inherent risk determinations are sound and that the new items are considered for monitoring.
Finally, while previous FDIC and Federal Reserve guidance treated termination as a contractual issue, the new guidance urges institutions to include planning for termination as part of the life cycle, with the depth of that planning based on the complexity and risk of the relationship.
It will take some time for the banking community, especially those banks that are regulated by the FDIC or Federal Reserve, to assimilate the concepts from the new guidance into their programs. If you want some help in this process, we've been working for over a year to design a third-party management module that will help institutions comply with this new guidance. Please contact us at support@bedelsecurity.com to learn more!