Federal regulators are seeing banks enter a growing number of third-party relationships to provide technology services, so it is important for those institutions to make sure their third-party risk management practices are sound to avoid potential supervisory problems down the road, representatives from four banking agencies said today during a panel discussion at the Financial Crimes Enforcement Conference in National Harbor, Maryland.
The FDIC, Federal Reserve and Office of the Comptroller of the Currency in June issued interagency guidance for financial institutions on third-party risk management. Speaking at the conference, Donna Murphy, deputy comptroller for compliance risk policy at the OCC, said that most banks understand that they need to perform due diligence before entering any business relationship with a third party. “The guidance is very clear that due diligence should include not only the business side of it, but also the risk management side,” she said. “Who’s going to be responsible? Is it the company that you’re bringing on? What are their policies, processes and procedures? Their risk management and controls? And who’s responsible for compliance between the bank and the third party, and how’s that going to work? All those things need to be really clear, and then as the relationship moves forward, there needs to be continual monitoring and review of those issues.”
It is important to have a contractual relationship that outlines what the third party is responsible for and what the bank is responsible for, said Lisa Arquette, associate director of the FDIC’s Division of Risk Management Supervision. “What we have found is that unless a bank has double-checked, [third parties] may not be collecting all of the required information at account opening on behalf of the bank,” she said. A bank’s obligation, she added, “is to make sure that they understand the relationship, have a strong contract, double-check and make sure that things are happening as they should. And that’s usually what we see.”
The Fed has seen situations where a bank does not have enough access to the information that third parties collect to meet their reporting obligations, said Suzanne Williams, deputy associate director at the Fed. “Transactions that flow through your bank—whether or not they originated directly with you or originated outside at a third party—you are responsible for monitoring that for suspicious activity,” she said. “And you need to make sure from the start that you have access to sufficient information to be able to do that and meet that obligation.”