The three federal banking regulators—the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC)—released a draft document, “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” on July 13. Intended to replace existing guidance promulgated over a period extending back to 2008, the new rules offer the possibility of simplification and clarity in an area of ongoing major focus.
Organizations affected by the guidance may want to evaluate the document and provide feedback during the 60-day comment period.
The good news:
The document does not represent a radical change in direction by the regulators, as many of the key themes remain the same. For example, the document is clear that a risk-based approach is needed, and that a one-size-fits-all program will not replace one tailored for risk.
The not-so-good news:
While the document goes into some specifics on the regulators’ requirements, it will still leave many banking organizations looking for greater clarity. For example, the section on information technology security is limited to a single paragraph. Given the importance of cybersecurity and the rising number and frequency of cyber incidents, more detail on that subject would be expected.
The guidance will obviously affect regulated banks, as well as organizations that provide services to those institutions. The regulators can, and do, expect vendors to meet the standards—a fact sometimes lost on smaller vendors and other organizations eager to do business with financial institutions.
- Suggests a bank may see changes if the FDIC or the Fed was a bank’s primary regulator, based on the OCC’s guidance from 2013. For example, the document notes that a program can be either centralized or decentralized, whereas other regulators have (at least informally) expressed preference for a centralized structure.
- Retains the five-stage third-party risk management life cycle.
- Requires evaluation of third parties’ diversity policies and practices.
- Discusses a number of “pain points” banking organizations have experienced as they execute their programs, which indicates the regulators are listening as they conduct examinations. Addressing the issue of uncooperative vendors, for example, the document provides steps banking organizations should take if they cannot obtain due diligence information, or don’t have sufficient bargaining power to influence contract negotiations. Basically, the document states that banking organizations need a solid alternative plan to manage risk in the absence of cooperation.
- Signals several areas where banking organizations should be ready to defend their risk approach if not following the document’s guidance. For example, when an organization evaluates the financial condition of third parties, the guidance states that the “…analysis required may be as comprehensive as if it were extending credit to the third party.” While we can’t speak for the regulators, they appear to be saying that financial analysis should reach this level for the highest-risk vendors—and if a bank claims to have no such vendors, it should be prepared to defend that claim.
- Defines what constitutes a “third party.” The document states this can be a wide range of entities, and that a contract or payments aren’t necessary for an entity to be considered a third party. Banking organizations should be ready to defend their classification of vendors, and specifically the inclusion or exclusion of nontraditional vendors as third parties.
In short, the proposed guidance could bring greater clarity to the third-party governance process, and when finalized, will serve as a basis for banking organizations to develop a more effective governance program.
RSM’s risk advisory professionals can assist banking organizations as well as their service vendors with third-party governance programs. We have assessed the proposed guidance and developed a more succinct set of requirements that can be used to evaluate your program against it. This is meant as a starting point, as every banking organization will need to tailor their approach to fit their overall risk program.
Our services include:
- Launching new programs.
- Assessing current programs and recommending measures to address any identified gaps.
- Executing due diligence programs.
- Developing policies and procedures.
- Selecting third-party-focused governance, risk and compliance applications.