Julia Gutierrez
Director of Education, Compliance Alliance

One rule for all

“... banks should consider integrating ... their third-party relationship risk management program with their overall enterprise risk management program.”

The day-to-day functions of a financial institution would be impossible without the ability to outsource.

Recently, existing guidance applicable to each specific regulatory agency — the Federal Reserve, the FDIC and the OCC — was replaced with a single rule, the Interagency Guidance on Third-Party Relationships: Risk Management. The Interagency Guidance aligns the regulatory requirements and risk management expectations of third-party relationships among the agencies.

Financial institutions routinely rely on third-party relationships for their day-to-day functions and existence. In today’s ever-growing world of speed and technology, it would be nearly impossible to be successful and competitive without outsourcing to third-party vendors. Financial institutions may rely on outsourcing for a range of products, services and other activities.

Outsourcing allows financial institutions a number of significant benefits, including faster and more efficient access to technologies, human capital, delivery channels, products and services and markets. It can also mean a more cost-effective operational existence overall.

Risk management

Despite the option to outsource certain functions and activities, financial institutions must still adhere to risk management and compliance expectations. The use of third-party relationships does not alleviate the need for sound risk management within an organization. In fact, it’s quite the opposite when it comes to third-party relationships. Third-party relationships — especially those involving new technologies — could present even higher or more elevated risk for financial institutions.

A phrase we commonly use in the compliance industry is “you can contract away the function, but you can’t contract away the compliance responsibility.” Financial institutions must understand their responsibilities to ensure safe and sound third-party relationships and practices in conjunction with the compliance of all applicable laws and regulations, including those that are intended to protect consumers.

The New Interagency Guidance

On June 6, 2023, the federal banking agencies issued Interagency Guidance on Third-Party Relationships: Risk Management. Much of what is outlined in the new Interagency Guidance is already somewhat familiar to the agencies. The core concepts of the Interagency Guidance remain consistent with the individual agency guidance that existed prior.

The new Interagency Guidance provides consistency and an interagency approach to managing third-party risk. This is especially important for those relationships that involve critical third parties and relationships that are customer-facing or may otherwise be impactful to consumers.

The new Interagency Guidance was developed to align with the expectations and best practices in other areas of risk management. It creates a vendor management lifecycle, which includes six steps:

  1. Planning for a relationship
  2. Due diligence and third-party selection
  3. Contract negotiation
  4. Oversight and accountability
  5. Ongoing monitoring
  6. Termination

Who it applies to

It’s worth noting that the guidance is broadly applicable and applies to all business arrangements. It doesn’t specifically address the various categories or types of third parties, such as artificial intelligence or fintech firms. But the principles within the guidance will apply to all third parties and third-party relationships. That being said, financial institutions must manage all third-party relationships, but not necessarily to the same extent, since the principles within the guidance can be tailored to the relationship. The Interagency Guidance provides a number of examples — which should not be interpreted as exhaustive — that financial institutions may consider for their due diligence processes. The agencies do note that the guidance does not impose any new regulatory requirements.

The focus of the new Interagency Guidance

The new Interagency Guidance may not create any new regulatory requirements for financial institutions, but it is focused on managing various risks associated with outsourcing certain products, services and activities — especially those impacting consumers.

The Guidance is a reminder to financial institutions that consumer protection and compliance remain a priority among the regulatory agencies. The Guidance emphasizes compliance and consumer protection; those phrases and similar phrases are mentioned numerous times throughout the Guidance.

Financial institutions must be particularly diligent in ensuring that they and their third-party service providers abide by and comply with all applicable laws and regulations. This includes ensuring that the financial institution and any third-party service providers do not engage in any unfair and deceptive acts or practices.

Subcontractors clarification

The new Interagency Guidance provides clarification regarding the oversight of a third party’s subcontractors, indicating that financial institutions should focus on the selection and oversight processes of their third party. Financial institutions are not expected to oversee the subcontractors directly.

Management responsibilities

The guidance also clarifies and distinguishes the roles of the board of directors and senior management when it comes to third-party oversight. The Guidance provides various factors that the board of directors may consider for carrying out their responsibilities. Additionally, it identifies activities and responsibilities that management may perform.

Foreshadowing focus

Many see this new Interagency Guidance as a signal to financial institutions that enhanced risk management practices are an area of focus for regulators and are critical to the safety and soundness of an institution. The Guidance, along with other recent consent orders, may be foreshadowing the supervisory focus on vendor management relationships and a bank’s risk management practices for maintaining such relationships.

However your institution interprets the new Guidance, it is essential that a review of its current policies, procedures and risk management practices be conducted to ensure they align with the new Interagency Guidance. Since much of the Guidance seems to highlight due diligence, contracts and the management of third-party risk and relationships, banks should consider integrating — or at least addressing — their third-party relationship risk management program with their overall enterprise risk management program.