Financial institutions are increasingly ramping up partnerships with third-party organizations to improve banking technologies that promulgate efficiencies and cost-savings or add new banking products to drive revenues.
As these partnerships increase, the risk to the banking system is also increasing. In June, the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve and the Office of the Comptroller of the Currency released finalized interagency guidance over third-party risk management practices that financial institutions must consider when entering into business arrangements with third parties.
Although the final guidance — which was issued and went into effect June 6, 2023 — did not differ significantly from the third-party risk management proposal released in July 2021, there were some notable adjustments. Two of note were the need for financial institutions to establish a complete inventory of all third-party relationships and to call out such relationships with fintech organizations that interact directly with an institution’s customers.
The principles-based guidance allows institutions to look at their third-party relationships using a risk-based approach. Higher-risk activities, including critical activities, should receive more comprehensive and diligent oversight from management. While larger banks already have a number of these risk management practices in place, the guidance formalizes such practices. Smaller community and regional banks will likely have more work to do to follow this guidance, which will be particularly relevant for institutions with significant relationships with fintech companies.
The guidance describes the process institutions should use throughout the life cycle stages of the third-party relationship and what practices management should employ to appropriately govern the risks through those stages.
THIRD-PARTY RELATIONSHIP LIFE CYCLE
The guidance provides five key points that institutions should integrate into their risk management procedures over the entire life cycle of a business arrangement with a third party:
1. Planning: Before conducting business with a third party, an effective plan to determine the type of risk and related complexities involved is essential. Once the institution identifies such risks, it can design and establish necessary mitigation techniques.
The guidance specified that to understand the risks associated with a third party, an institution should carefully consider the following in the planning process:
- The strategic purpose of the arrangement
- Benefits and risks of the relationship
- The volume of transactions involved
- Related direct and indirect costs
- The impact of the relationship on employees and customers
- The physical and information security implications
- Monitoring the third party’s compliance with laws and regulations
- Ongoing oversight of the relationship
- Potential contingency plans
Once an institution fully evaluates all factors, it can build a risk matrix to visualize whether the exposure involved in the relationship would be within the institution’s risk tolerance levels.
2. Due diligence: The new guidance states that the level of due diligence an institution needs to perform on a third party should be proportionate to the risk associated with the potential relationship. Where the arrangement points to greater complexities or higher risk to the bank, the bank should deploy more thorough due diligence procedures. No matter the arrangement, institutions need to evaluate their ability to identify, assess, monitor and mitigate risks that arise.
If a financial institution is unable to perform the appropriate due diligence on a prospective third party without proper alternatives considered to support the relationship, the bank may likely need to forego the relationship.
3. Contract negotiation: Important to any third-party relationship is the negotiation of a contract that allows the bank to perform continuous and effective risk management practices. If there is difficulty in negotiating these imperative aspects with the third party, the institution needs to analyze the related risk and weigh whether it is acceptable to enter into a relationship.
Importantly, the board of directors should be aware of negotiations to dispel its oversight responsibilities, whether through direct involvement or updates from an approved negotiating delegate.
4. Ongoing monitoring: Ongoing monitoring is imperative as institutions navigate a rapidly changing banking environment. Rising interest rates, tightening credit and liquidity constraints show that risks affecting financial service companies today look significantly different than they did a year ago. Technological advancements continue evolving at a swift pace, and the evolution of tools such as artificial intelligence brings different considerations and capabilities to the industry with unique risks. Establishing different techniques or mechanisms to track the risk landscape and determine the emerging risks are just as important to monitoring as a cadence of regular reviews over current risks.
The agencies did not outline “any specific approach to ongoing monitoring. Rather, the guidance continues to state that a banking organization’s ongoing monitoring, like other third-party risk management processes, should be appropriate for the risks associated with each third-party relationship, commensurate with the banking organization’s size, complexity and risk profile and with the nature of its third-party relationships.”
5. Termination: Lastly, if an institution has decided the relationship has run its course, terminating it efficiently and timely will be beneficial. The institution should consider transitioning any service provided through the relationship to another third party or bringing it in-house.
In addition to the points above about the broader third-party risk management life cycle, the regulators highlighted three critical governance practices for such relationships:
Oversight and accountability: The guidance indicates that the board of directors is ultimately responsible for the oversight of third-party risk management. This responsibility includes providing management with guidance on the acceptable level of risk appetite to enter into such third-party relationships, as well as approving management policies and procedures.
Independent reviews: Critical to the process is conducting independent, periodic reviews to assess the adequacy of the risk management process. The guidance further calls out that such reviews should assess management’s processes, procedures and controls for adequacy and effective operation.
Documentation and reporting: To support compliance with the new guidance, institutions will need to thoroughly document their third-party risk management processes, procedures and outcomes of related independent reviews.
Risk management necessitates perpetual enhancement. It is a continuous, forever-evolving process of identifying, assessing and managing risks that affect the company. As institutions continue to partner with third parties to offer new capabilities, remaining vigilant by incorporating the five key points from the guidance is essential. These techniques help safeguard the stability, trust and sustainability of the financial services industry.
Brandon Koeser is a senior analyst in RSM’s cutting-edge Industry Eminence Program, positioning him to understand, forecast and communicate economic, business and technology trends shaping the industries RSM serves. Brandon’s focus is on advising financial institution and capital markets leaders and clients on business conditions, industry trends and regulatory developments influencing their ecosystems across North America.
Angela Kramer is a certified public accountant and senior assurance manager at RSM US, LLP, where she serves companies in the financial services industry. As a senior analyst, Angela focuses on the financial institutions sector of the financial services industry. She works alongside the firm’s chief economist and other program participants to analyze trends and themes shaping the landscape for middle market businesses.