Top 10 takeaways from the interagency third-party risk management guidance

All banks should conduct a gap analysis to identify opportunities to strengthen their TPRM programs and align them with the new guidance.

By Krista Shonk

On June 6, the federal banking agencies issued Interagency Guidance on Third-Party Relationships. Taken as a whole, the new interagency guidance signals that banks should continue to enhance their third-party risk management, or TPRM programs, especially those involving critical third parties and relationships that are customer-facing or may otherwise impact consumers.

EXPERT INSIGHT — ABA will host a webinar 3 p.m. October 19 titled, “A Deeper Dive: Applying the New TPRM Guidance and Recent Enforcement Actions.” Presenting will be ABA’s Krista Shonk joined by Jill Czerwinski, managing principal, Crowe LLP, and Heather Hendershott, senior director, third party risk management, Ally Bank.

In addition, the guidance makes clear that partnerships with financial technology firms—regardless of how those relationships are structured—are considered third-party relationships and should be managed as such.

It is also worth noting that the guidance, together with recent consent orders, suggests that banks should be prepared for continued supervisory focus on third-party risk management. Banks would be well served to make certain that staff has the skills to identify, thoroughly understand, and manage the risk posed by third parties—even if the bank does not have the in-house expertise to deliver the product or service that the third party provides. For some institutions, this might involve engaging an external party to supplement the bank’s due diligence, risk analysis, and ongoing monitoring.

All banks should conduct a gap analysis to identify opportunities to strengthen their TPRM programs and align them with the new guidance. Below are key takeaways to keep in mind.

1. The guidance applies to more than vendor relationships.

Historically, the terms “vendor risk management” and “third-party risk management” were used interchangeably. However, these labels are no longer synonymous. The guidance applies broadly to all business arrangements, regardless of whether a contract or compensation is involved. This definition encompasses a wide range of interconnections, such as (but not limited to) independent consultants, referral arrangements, merchant payment processing services, affiliates and subsidiaries, fintech partnerships (including those with new or novel structures), data aggregators, joint ventures and other arrangements. Furthermore, the guidance applies to relationships with third parties that are supervised or regulated, including banks that provide services to other financial institutions.

2. The principles in the guidance apply to all third parties (but can be tailored).

ABA has received many inquiries regarding how the guidance applies to various categories of third parties, such as data aggregators, third-party models, artificial intelligence, fintech firms and appraisal relationships. The guidance does not address specific types of third parties. Instead, it articulates third-party risk management principles that apply to all third-party relationships.

This does not mean, however, that banks must manage all third-party relationships in the same way. Instead, the guidance “can be adjusted to the unique circumstances of each third-party relationship.” This approach provides significant flexibility, but it also suggests that banks with less mature TPRM programs may need to refine their practices. In particular, banks would be well served to ensure that their inventories of third-party relationships are complete (particularly in light of the broad scope of third-party relationships) and that they have applied “a sound methodology to designate which activities and third-party relationships receive more comprehensive oversight.”

3. The guidance is guidance. It does not constitute law or regulation.

The guidance contains detailed examples of due diligence considerations and contractual terms that banks should consider in their third-party relationships. The agencies specify that “the examples are not intended to be interpreted as exhaustive or to be used as a checklist” and “underscore that supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations.”

While this clarification is highly positive, banks should monitor whether the due diligence and contracting sections of the guidance remain risk-based or whether they morph into a mandatory checklist of requirements that examiners apply to third-party relationships more broadly.

4. Compliance, consumer complaints and consumer harm are recurring themes.

The guidance also serves as a reminder that the agencies remain highly focused on compliance and consumer protection matters, including activities conducted by a bank’s third parties. Prior regulatory guidance on third-party risk management stated that partnering with third parties does not reduce or remove a bank’s responsibilities to ensure that those activities are performed in compliance with all applicable laws and regulations. The new guidance reiterates—and emphasizes—this point. In fact, the phrase “compliance with applicable laws and regulations” appears 25 times in the 18-page guidance document.

In particular, the guidance emphasizes a third party’s compliance with consumer protection laws and regulations (and specifically mentions fair lending laws and prohibitions against unfair, deceptive or abusive acts and practices) as well as those addressing financial crime. This is consistent with recent enforcement actions against banks where third parties were not compliant with BSA/AML requirements and cases where banks’ CRA ratings were downgraded because third parties engaged in unfair and deceptive acts and practices.

5. The guidance provides needed clarification regarding the oversight of a third party’s subcontractors.

The extent to which banks evaluate a third party’s subcontractors (sometimes referred to as “Nth parties”) is a perennial topic among risk managers. The guidance clarifies that banks should focus on a third party’s own processes for selecting and overseeing its subcontractors, ensuring that subcontractors implement effective controls, and managing and mitigating associated risks. Regulators do not appear to suggest that banks oversee subcontractors directly.

This should not be interpreted to suggest that regulators are softening their expectations regarding monitoring and controlling subcontractor risk. To the contrary, multiple sections of the guidance address considerations involving subcontractors, including: Planning, Due Diligence, Contractual Negotiations, and Governance. This indicates that the agencies expect banks to integrate the consideration of risks associated with subcontractors throughout their TPRM programs.

As a practical matter, banks might operationalize this in a variety of ways for critical third parties, such as by requiring third parties to hold their subcontractors and suppliers to the same standards as the bank-third party relationship, requiring bank approval before the third party hires new subcontractors or suppliers, mandating that the bank be able to review the due diligence that the third party conducts on its subcontractors, or requiring that the third party put additional controls in place. Some banks have successfully negotiated the contractual ability to monitor and audit all key risk areas, including critical fourth parties.

6. The agencies clarify and distinguish the roles of the board and management.

The new guidance also differentiates the role of the board of directors and the role of management in third-party oversight. It lists factors that boards of directors typically consider when carrying out their third-party risk management responsibilities, including (but not limited to) an evaluation of whether relationships are managed in a manner that is consistent with the bank’s strategic goals and risk appetite; whether there is appropriate periodic reporting on the bank’s third-party relationships; and whether the bank has addressed significant deterioration in performance, changes in risk, or new material issues that have emerged. The guidance also identifies activities typically performed by management, including (but not limited to) integrating third-party risk management with the bank’s overall risk management processes; directing planning, due diligence, and ongoing monitoring activities; and establishing appropriate organizational structures and staffing (level and expertise) to support the bank’s third-party risk management processes.

7. Additional resources are on the way, but timing is TBD.

The guidance states that the agencies plan to develop additional resources to assist community banks in managing relevant third-party risks. However, regulators do not appear to have a timeline for issuing these supplementary materials.

8. Banks may leverage consortiums, utilities or other joint efforts to supplement due diligence.

Over the years, a number of collaborative efforts have attempted to enhance the efficiency of the due diligence process, and the interagency guidance permits banks to leverage these types of arrangements. However, it cautions that banks should not rely exclusively on collaborative due diligence or due diligence conducted by outside parties. Rather, such arrangements should be viewed as supplemental. Because a third party may present a different level of risk to each bank, an institution should “evaluate the conclusions from such supplemental efforts based on the banking organization’s own specific circumstances and performance criteria for the activity.”

In addition, the guidance states that a bank should thoroughly understand the specifics of any supplemental due diligence on which it relies, such as the capabilities of external parties conducting the supplemental due diligence, how such supplemental efforts relate to the bank’s planned use of the third party, and the risks of relying on the supplemental efforts. Finally, such arrangements would constitute a business arrangement and would therefore typically be covered by the bank’s TPRM processes.

9. It is unclear whether the guidance gives banks a bigger stick.

It remains to be seen whether the guidance will help banks to address two key TPRM challenges: uncooperative third parties and limited negotiating power. While the guidance lists factors that banks may consider when evaluating a prospective third party or conducting ongoing monitoring of an existing third party, the agencies acknowledge that some third parties wield significant market power and may decline to respond to certain bank due diligence requests.

In this situation, “it is important for the banking organization to identify and document any limitations of its due diligence, understand the risks from such limitations, and consider alternatives as to how to mitigate the risks.” Or, “if the risks cannot be mitigated, determine whether the residual risks are acceptable or consider using a different third party.”

Similarly, the guidance describes contractual terms that banks may consider when contracting with a third party. However, the agencies acknowledge that a bank may be unable to insist on the full complement of contractual provisions described and should understand any resulting limitations.

10. The guidance elaborates on regulators’ supervisory authority.

The guidance explains how the agencies may use their legal authority to examine functions or operations that a third party performs on a bank’s behalf. In particular, such examinations may “evaluate the third party’s ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services.” The agencies may pursue corrective measures, including enforcement actions, when necessary to address violations of laws and regulations or unsafe or unsound banking practices by the bank or its third party.

The guidance also describes the various aspects of a bank’s TPRM program that examiners will review. Some of the items on this list underscore two key themes that are woven throughout the guidance: the expertise of bank staff to manage third-party relationships, and third-party compliance with applicable laws and regulations. For instance, examiners will:

  • Assess the ability of management to oversee and manage the bank’s third-party relationships.
  • Perform transaction testing to evaluate the activities performed by the third party and assess compliance with applicable laws and regulations.
  • Evaluate risks and the effectiveness of the bank’s risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.

ABA’s Third-Party Risk Management Working Group has been meeting regularly to discuss the implications of the guidance, identify areas in need of additional clarification, and develop recommendations regarding the type of supplementary materials that might be helpful for banks. Bankers interested in participating in the working group should contact me.

Krista Shonk is VP and senior counsel, fair and responsible banking, regulatory compliance and policy at ABA.