Navigating Interagency Guidance on Third-Party Relationships in Banking
This article was originally published by New Hampshire Bankers Association in January 2024.
In the ever-evolving landscape of financial services, financial institutions are tasked not only with managing their core operations but also with overseeing a myriad of third-party relationships that are critical to their service delivery. Recognizing the dynamic nature of managing vendors in banking, on June 6, 2023, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued the Interagency Guidance on Third-Party Relationships: Risk Management. The guidance replaces the agencies' previous, separate third-party guidance with a single set of expectations and serves as a compass for financial institutions in evaluating and monitoring both existing and new vendors, providing a roadmap for enhancing risk management practices across the full life cycle of a third-party engagement.
The genesis of the Interagency Guidance: A response to growing complexities in managing vendors in banking
The financial services industry has become increasingly interconnected, with financial institutions relying on third-party providers for a wide range of services, from technology solutions to the outsourcing of critical functions such as IT, customer support, and payroll. While these partnerships bring efficiency and innovation, they also introduce a complex web of risks: a vendor's outage, data breach, or compliance failure becomes the institution's problem, and the institution remains responsible for the activity regardless of who performs it. In response to this evolving landscape, the regulatory bodies collaborated on comprehensive guidance aimed at mitigating the risks associated with third-party relationships.
Key pillars of interagency guidance
1. Risk Assessment and Due Diligence:
The guidance emphasizes the importance of robust risk assessment and due diligence processes when engaging third-party service providers, and it makes clear that not every relationship warrants the same level of scrutiny: the depth of review should be proportionate to the risk and criticality of the activity. For an existing vendor, this means a potential review and enhancement of the current relationship. For a new vendor, it underscores the financial institution's commitment to thoroughly assess the risks of any new partnership before signing. Financial institutions are urged to implement comprehensive risk assessment protocols that consider factors such as the criticality of the service provided, the sensitivity of the data the vendor will access, the vendor's own use of subcontractors, and the potential impact on the institution's operations if the service fails.
2. Contracts and Oversight:
Clear and well-defined contracts are the foundation of successfully managing vendors in banking. For existing vendors, financial institutions are revisiting and, where necessary, updating contractual arrangements to align with the guidance's recommendations. Contracts should include provisions that facilitate effective risk management and oversight and that specify the obligations of both the institution and the vendor. A right-to-audit clause paired with a remediation requirement, for example, allows the financial institution to perform periodic, independent audits of the vendor and to request the remediation status of any findings or identified risks, rather than relying solely on the vendor's self-reporting.
For new vendors, this signifies the importance of transparent and comprehensive agreements that clearly set out each party's responsibilities and expectations regarding risk management and compliance requirements. Strengthened oversight mechanisms are also a key focus, ensuring that institutions can promptly identify and address emerging risks throughout the life of the relationship.
3. Monitoring and Reporting:
Continuous monitoring is identified as a critical element in the guidance. Existing vendors can expect enhanced monitoring of their performance and of the effectiveness of their controls, designed to give the institution ongoing insight into the performance and risks of the relationship; examples include real-time monitoring and dashboards of key performance indicators, as well as periodic review of the vendor's audit reports and financial condition. New vendors should be aware that ongoing monitoring is standard practice, reflecting the commitment of financial institutions to maintain high standards of service quality and risk management throughout the partnership.
4. Contingency Planning:
The ability to respond effectively to disruptions is crucial in today's dynamic environment. Both existing and new vendors should be aware that institutions are revisiting and reinforcing contingency plans to ensure the continuity of services under various scenarios. This includes a focus on business continuity and recovery planning, so that the impact of a disruption on the delivery of critical services is minimized, and on orderly termination of a relationship, so that services and data can be transitioned away from a vendor when the relationship ends.
Implications and opportunities
For companies already working within the banking ecosystem, the Interagency Guidance represents an opportunity to strengthen the foundation of their relationships with their banking partners. The heightened focus on risk management underscores the commitment of financial institutions to deliver services reliably and securely. Existing vendors should anticipate potential reviews of current contracts, risk assessments, and monitoring processes as financial institutions align their practices with the guidance.
For companies considering a banking partnership, the Interagency Guidance serves as a testament to the industry's commitment to maintaining high standards of risk management. Prospective vendors can view the guidance as a benchmark for evaluating the risk management practices of potential banking partners, such as how they identify, assess, and mitigate known and emerging threats and vulnerabilities. It provides assurance that institutions are proactive in addressing the challenges posed by third-party relationships, offering a level of transparency and diligence that aligns with the expectations of vendors seeking reliable and secure financial services.
Finally, for financial institutions the guidance can initially translate into more information security and compliance work. In the long run, however, these requirements will strengthen not only the institutions' information security, compliance, and third-party risk management practices but also the integrity of the entire banking ecosystem and its supply chain. Institutions can evaluate their third-party risk management programs and conduct third-party risk assessments using internal staff, a trusted partner, or a hybrid model in which a trusted vendor performs the assessment while internal staff manage the interaction with the third party, leveraging the knowledge and experience of both.
A shared journey towards enhanced risk management
The Interagency Guidance on Third-Party Relationships: Risk Management is an important step that reflects the commitment of regulatory bodies and financial institutions to navigate the challenges presented by an interconnected financial landscape. It also demonstrates an institution's commitment to its customers' security and safety. Whether your organization has a mature third-party risk management program or there is room for improvement, this interagency guidance on managing vendors in banking can inform the next steps in program maturity and establish higher information security standards for third-party vendors. As the industry continues to evolve, the guidance serves as a compass, guiding both financial institutions and their vendors toward a future in which the complexities of third-party relationships are met with resilience, transparency, and a commitment to excellence.
BNN’s Information Systems & Risk Assurance practice offers a suite of cybersecurity and risk assessment services and can assist financial institutions of all sizes in establishing and maintaining security and compliance in their IT environments. Get in touch with a member of our team to discuss which service or customized package could help you achieve your goals.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.