Is your vendor risk management program ready for the regulator?

Financial services regulators impose strict expectations when it comes to management of third-party risks. While fever runs hot across the economy over cyber risk exposures and information security, banks are expected to manage all types of risks that their vendors pose.

In June 2023, the board of the Federal Reserve, the FDIC and OCC issued the Interagency Guidance on Third-Party Relationships[1]. It replaces previous operational risk management guidance from each of the agencies and supports the standards for safety and soundness of banks.

The guidance covers the following key sections:

• Risk management
• The third-party relationship lifecycle
• Governance
• Supervisory reviews of third-party relationships

Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:

Risk management

The guidance acknowledges that not all third-party relationships have the same level of risk. Third parties who support critical activities should subject to more frequent and comprehensive risk assessment and oversight. While this sounds obvious, there are two things to note:

• Entities should retain a complete inventory and conduct periodic risk assessments on all their third party relationships
• Identifying the third parties that support critical activities requires a solid understanding of how those critical activities are delivered and the resources that support them (which might be provided by or managed by those third parties)

Risk management must be conducted throughout the lifecycle of the third-party relationship and integrated throughout that lifecycle.

The third-party relationship lifecycle

Planning

Managing third-party risk should not be an afterthought after a decision is made. Potential risks must be considered upfront, as part of the decisions to engage with the vendor. Beyond the risks of a specific vendor are the risks relating to the type of arrangement itself. For example, if you’ve decided to outsource a critical activity, you may need a comprehensive assessment of the internal processes that require change, and the effect it might have on your people. Larger arrangements might require long lead times for transition, that if not carefully managed (particularly where the perception of job security is in question) could result in benefits not being realized, or worse.

Banks must also consider contingency arrangements if a critical service provider fails or needs to exit. If you are outsourcing, consider whether you can effectively bring the activity back in-house in a timely manner if you also lose your institutional knowledge.

Due diligence and selection

Once there is general agreement that a critical activity can be conducted or supported by a third party, sufficient due diligence must be conducted before selecting a third party. The guidance provides a comprehensive list of factors to address during that due diligence:

• Strategies and goals – Assessing the third party’s strategies and goals, and how they align with the bank
• Legal and regulatory compliance – This includes assurance that the third party has legal authority to perform the activities, and that they have expertise to assist the bank maintain its own compliance
• Financial condition - Notably this section implies a focus on publicly available or audited financial statements, rather than information provided by the third party
• Business experience - Evaluating business experience of the third party, including its previous history in delivering the services being offered
• Qualifications of key personnel - Collecting and evaluating and information on the qualifications and backgrounds of key personnel to support assessments of capability, as well as considering the third parties own approach to background checks and training
• Risk management -Assessing the third party’s own risk management governance, processes and assurance practices
• Information security - Reviewing the third party’s information security management systems, particularly in regard to its effect on the confidentiality, integrity and availability of the banks data.
• Management of information systems - How information systems are managed by the third party to ensure service level expectations (and customer outcomes) will be met
• Operational resilience - The third party’s approach to operational resilience, including their approach to business continuity, in order to gain an understanding of their ability to respond to operate through and recover from incidents
• Incident reporting and management processes - Assessing how the third party reports, manages and escalates incidents
• Physical security - Assessing whether sufficient physical security is in place to protect relevant resources, including its approach to physical access rights
• Reliance on subcontractors - Evaluating the third party’s reliance on subcontractors, and how the third party manages risk related to subcontracting
• Insurance coverage - The level of insurance coverage to cover risk exposure by the third party
• Contractual arrangements with other parties - Assessing the implications that other contractual arrangements the third party engages in might have on the bank

I’ll give you a minute to catch your breath.

While the guidance does not prescribe how the due diligence needs to be performed, it will need to be sufficient to identify those risks and determine how they will be managed. The bank may be willing to take on a higher-risk third party, but only if it determines it has the resources to monitor the vendor more regularly and obtain sufficient assurance on how the vendor is managing its own risks.

Contract negotiation

It’s noteworthy that “This guidance addresses any business arrangement between a banking organization and another entity, by contract or otherwise.” That said, you might have trouble demonstrating that you’ve met safety and soundness requirements without a suitable contract in place for third parties supporting critical activities.

While acknowledging it differs based on each arrangement, 18 specific factors are listed and discussed in the guidance, ranging from benchmarking through to confidentiality.

Negotiation over some of these clauses may be on the back of initial due diligence. For example, how robust do your audit rights need to be? How involved do you want to be in their business continuity arrangements?

Ongoing monitoring

While performing ongoing monitoring sounds obvious, ongoing monitoring is an activity that can be challenging without the right tools, and also easily forgotten or perpetually falling to the bottom of the ‘to do’ pile. Without the right tools, there may not even be any visibility into the status of third-party monitoring across the bank.

The guide suggests that monitoring enables:

• Confirmation of the third party’s ongoing ability to meet contractual arrangements
• Escalation of significant issues or concerns
• Responding to those significant issues when they arise

I’d suggest thinking more proactively – monitoring for change that might warrant an adjustment of controls or other actions in order to reduce the likelihood that significant issues occur in the first place.

The guidance suggests that monitoring usually includes:

• Review of reports of the third party’s effectiveness of its controls
• Periodic visits and meetings with the third party to discuss performance and operational issues
• Regular testing of the banks controls that manage risks related to third parties

This is where programs can fall short, especially if there are inconsistent processes, tools, and lack of visibility.

Termination

The guidance expects banks to terminate agreements in an efficient manner, and manage any risks to the bank, including impact on customer. This links us back to the planning stage of the lifecycle – preparing contingency or transition plans in advance will help reduce impact.

Beyond that, it’s also integral to ensure that offboarding and termination processes are sufficiently followed, particularly in relation to access to data and destruction of information. If these are not managed effectively, you may still suffer from information security breaches long after the relationship has ended.

Governance

While the guidance provides some more details of responsibilities, it broadly requires:

• Oversight and accountability of the third-party risk management framework by the board, including setting risk appetite, approving policies, and ensuring that procedures and practices are put int place to support them
• Management responsibility for developing and implementing those policies, procedures and practice in accordance with the risk appetite and business strategy
• Independent reviews to assess the adequacy of the banks third-party risk management processes
• Documentation and reporting on the risk management process, including an inventory of all third party relationships, documents related to each third party (risk assessments, due diligence, and contracts to name a few), and periodic reports provided to the board

The guidance doesn’t suggest that specific roles must perform particular tasks, acknowledging that some vendor management frameworks will be more distributed than others – though in nearly all cases multiple people or teams will be involved throughout the lifecycle. What is important is that those roles and responsibilities are clear in your organization, and that processes are designed to ensure a seamless flow of information.

Supervisory reviews of third-party relationships

The guidance closes with how the agencies will exercise their supervisory roles. This can include assessing how the bank manages its third-party relationships, and reviewing the risk profile of those third parties.

Of note is that it may include transaction testing of activities performed by the third party to assess compliance with laws and regulations, and may use its legal authority to examine third parties functions directly. I’d suggest banks will want to include their own relevant controls and testing to avoid surprises.

Key questions and next steps

Given the robust content of the guide, here are some key questions to ask about whether you are regulator-ready:

• Do you have processes in place to identify the resources required (people, information, systems, and other assets) to support your critical activities, enabling you to effectively identify those owned or managed by third parties?
• Does your due diligence consider each of the areas articulated in the guidance? Do you have standards and processes that define the level of detail needed for each type of engagement? Do you make it easy for third parties to respond to due diligence enquiries?
• Not all third parties are created equal – is the frequency of your risk assessments commensurate with the risks posed, driven by a standard risk management process and automation?
• Independent reviews of your third party risk program will be at the cost of the bank - do you have frameworks, processes and tools in place that enable efficient reviews and reduce costs to the bank?
• Are roles and responsibilities clear to enable effective governance? Is it clear who owns each third party relationship, and who is responsible for specific tasks throughout the third party lifecycle?

If you want to know more about your vendor risk profile, download our Vendor Risk Management eBook for a detailed step-by-step guide of to build an effective vendor risk management program.

Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:

[1] https://www.federalreserve.gov/supervisionreg/srletters/SR2304.htm