Banking Regulators Request Comment on Proposed Guidance for Third-party Risk Management

July 20, 2021

Several federal banking regulatory agencies on July 13 requested public comment on proposed guidance designed to help organizations manage risks associated with third-party relationships and technology-focused entities.

The proposed guidance is intended to assist banking organizations in identifying and addressing the risks associated with third-party relationships and responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance.

The agencies issuing the request include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency (OCC). Comments must be received within 60 days of the proposed guidance's publication in the Federal Register.

Banking organizations that engage third parties to provide products or services or to perform other activities remain responsible for ensuring that such outsourced activities are conducted in a safe and sound manner and in compliance with all applicable laws and regulations, including consumer protection laws.

The proposed guidance says that use of third parties by banking organizations does not remove the need for sound risk management. On the contrary, the use of third parties may present elevated risks to banking organizations and their customers. Banking organizations’ expanded use of third parties, especially those with new or innovative technologies, may also add complexity, including in managing consumer compliance risks, and otherwise heighten risk management considerations.

The proposed guidance is based on the OCC’s existing third-party risk management guidance from 2013 and includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies.

The framework provided in the proposed guidance identifies principles applicable to each stage of the third-party relationship life cycle, including:

  • Developing a plan that outlines a strategy, identifies inherent risks, and details how to identify, assess, select and oversee a third party;
  • Performing proper due diligence in selecting a third party;
  • Negotiating written contracts that articulate the rights and responsibilities of all parties;
  • Board of directors’ and executives’ oversight of risk management processes, documentation, accountable reporting and independent reviews;
  • Ongoing monitoring of third-party activity and performance; and
  • Contingency planning for relationship terminations.

A banking organization typically considers the following factors, among others, during due diligence of a third party:

  1. Strategies and Goals: Consider how the third party’s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures partnerships, joint ventures, or joint marketing initiatives) may affect the activity.
  2. Legal and Regulatory Compliance: Determine whether the third party has the necessary licenses to operate and the expertise, processes, and controls to enable the banking organization to remain compliant with domestic and international laws and regulations.
  3. Financial Condition: Reviews the third party’s audited financial statements, annual reports, filings with the U.S. Securities and Exchange Commission and other viable financial information.
  4. Business Experience: Determine how long the third party has been in business and ass the party’s degree of and its history of managing customer complaints or litigation.
  5. Fee Structure and Incentives: Consider whether any fees or incentives are subject to, and comply with, applicable law.
  6. Qualifications and Backgrounds of Company Principles: Consider whether a third party periodically conducts thorough background checks on its senior management and employees, as well as on subcontractors, who may have access to critical systems or confidential information.
  7. Risk Management: Evaluate processes for escalating, remediating, and holding management accountable for concerns identified during audits or other independent tests.
  8. Information Security: Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. Consider the extent to which the third party uses controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption and secured source code management. Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing.
  9. Management of Information Systems: Review the third party’s processes for maintaining timely and accurate inventories of its technology and its subcontractor(s).
  10. Operational Resilience: Determine whether the third party maintains an appropriate business continuity management program, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data.
  11. Incident Reporting and Management Programs: o ensure there are clearly documented processes, timelines, and accountability for identifying, reporting, investigating and escalating incidents.
  12. Physical Security: Evaluate whether the third party has sufficient physical and environmental controls to protect the safety and security of its facilities, technology systems, data and employees.
  13. Human Resource Management: Review the third party’s processes to train and hold employees accountable for compliance with policies and procedures.
  14. Reliance on Subcontractors: Evaluate the volume and types of subcontracted activities and consider any implications or risks associated with the subcontractors’ geographic locations.
  15. Insurance Coverage: Evaluate whether the third party has fidelity bond coverage to insure against losses attributable to, at a minimum, dishonest acts, liability coverage for losses attributable to negligent acts and hazard insurance covering fire, loss of data and protection of documents.
  16. Conflicting Contractual Arrangements with Other Parties: Obtain information regarding legally binding arrangements with subcontractors or other parties to determine whether the third party has indemnified itself, as such arrangements may transfer risks to the banking organization.

Contact ALTA at 202-296-3671 or [email protected].