Third-Party Risk Management – New Guidance and Common Pitfalls
On June 6, 2023, the FDIC, OCC, and Federal Reserve finalized interagency guidance on managing risk in third-party relationships. The guidance is intended to “promote consistency in supervisory approaches” and “replaces each agency’s existing general guidance on this topic and is directed to all banking organizations supervised by the agencies.” There is no exemption for smaller institutions, so the guidance applies to every community bank.
The guidance is organized around the stages of the third-party relationship life cycle. “Planning” comes first and should establish guidelines, policies and procedures that support the institution’s strategic vision and risk appetite. “Due Diligence” follows, and its purpose is to identify and address risks before the institution commits to the relationship. “Contract Negotiation” is the third stage; it ensures that the institution is sufficiently protected and that each party’s obligations are clearly set out, both during the contract term and after it ends. “Ongoing Monitoring” is the fourth stage and reinforces the institution’s responsibility to keep risk at an acceptable level throughout the relationship. The final stage is “Termination,” which addresses the consequences of ending the relationship, including cost, continuity of operations, and the security of information previously provided to the third party.
All community banks manage third-party relationships. We encourage you to use this recently issued guidance to review your existing policies and procedures. Common pitfalls we see include the following:
- Not recognizing that a third-party relationship exists, and thus not performing appropriate due diligence – “third parties” are not just vendors. A third party is any individual or entity the institution relies on to operate its business in some capacity. It also includes any individual or entity with which customer or employee personal information has been shared, at any time.
- Treating every third party the same – Due diligence and monitoring should focus on what matters for each relationship and on how to reduce that relationship’s risk to an acceptable level. Resources, including employee time, are better spent when an institution recognizes these differences instead of reviewing the same information for every third party.
- Accepting contract terms “as is” – Most contracts are drafted by the third party and may include only terms that protect the third party. Institutions need a process to ensure that their own interests are protected as well. Ask for clarification when something is unclear, and make sure the contract adequately protects your institution, your employees and your customers during the contract term and after the relationship ends.
- Not considering the impact of termination – Third-party relationships end for many reasons. Before you sign the contract, assess the impact of termination even if it is likely to be years away. Areas to consider include cost, the effect on your operations, and the third party’s obligation to properly destroy all personal information about your employees and customers. This covers information the third party holds on its own systems as well as information it stores in the cloud.
- Insufficient oversight of the relationship – Amid the routine demands of the banking day, it can be difficult to find time to monitor an existing relationship and confirm that the third party is performing according to the contract, complying with laws and regulations, and properly securing your data. Without proper oversight and monitoring, the institution risks unintentional compliance violations as well as a compromise of its data.
- Allowing contracts to auto-renew – As noted above, many contracts are drafted by the third party and may include auto-renewal clauses with built-in price increases. The contract may also specify how far in advance you must give notice of your intent not to renew; this notice period can exceed 180 days. Without an organized method for tracking these dates and notifying third parties when management wants to terminate or renegotiate, an institution can incur unnecessary cost increases.
Third-party risk management is a very important area for the bank because of the types and levels of risk involved and the costs of these relationships. If your third-party risk management program is not running as smoothly as you would like, or if you have questions about this interagency guidance, we can help. We can guide you toward practical solutions as part of a strong program.