
What to Know About U.S. Regulators’ Third-Party Risk Management Guidance

Defining expectations for risk-based approaches and governance, the agencies are "more prescriptive and clarifying" than in their 2021 proposal

Friday, July 28, 2023

By Geoffrey Lash, Justin Waller and Simon Zais


In June, the Federal Reserve Board of Governors, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corp. (FDIC) jointly issued long-awaited third-party risk management (TPRM) guidance that was originally proposed in July 2021. The final guidance rescinds and replaces each agency’s prior third-party guidance.


Despite a large volume of comment letters, the final guidance includes more prescriptive and clarifying language than the 2021 proposal, while still leaving financial institutions latitude to take a risk-based approach that accommodates varying sizes, complexity and risk profiles.

Specifically, the final guidance provides clarity regarding expectations on managing third-party risk associated with a financial institution’s use of independent consultants, fintech partnerships, outsourcing services, merchant payment processing services, and joint ventures.


While the practical impact of these changes will take time to become clear, the final guidance contains important clarifications and takeaways relative to the 2021 proposal that should be acknowledged:

  1. Not all third-party relationships present the same degree of risk to a financial institution’s operations. Accordingly, the risk management framework should be tailored to the specific circumstances and the level of risk presented by each third-party relationship. The risk management life cycle described in the proposal is unchanged in the final guidance: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

  2. The final guidance clarifies the definition and characteristics of critical activities, i.e. those third-party engagements that justify more rigorous oversight because they would:
    • Cause a banking organization to face significant risk if the third party fails to meet expectations;
    • Have significant customer impacts; or
    • Have a significant impact on a banking organization’s financial condition or operations.

  3. Banks should have appropriate oversight over subcontractors and fourth-party relationships. The implied focus is on the bank’s assessment of each third party’s own oversight and risk management structure, and of its ongoing effectiveness. The final guidance specifies that financial institutions should “involve staff with the requisite knowledge and skills in each stage of the risk management life cycle. A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.”

  4. The final guidance allows financial institutions to consider collaborative arrangements (with appropriate due diligence) and the use of external parties (e.g. independent contractors and vendors) to support and supplement their business-as-usual (BAU) monitoring activities. However, each financial institution remains ultimately accountable for managing the risks associated with its own third-party business arrangements.

  5. The board of directors plays a crucial role in the governance and oversight of the institution. Accordingly, the final guidance clarifies how boards should oversee third-party risk management activities, specifically the enterprise-wide policies, procedures, practices, frameworks and standards approved by the board and implemented by senior management. Additionally, the final guidance indicates that financial institutions should have a process for conducting independent assessments of their TPRM processes.


Financial institutions should prepare for heightened supervisory scrutiny of their TPRM processes. The final guidance applies to all financial institutions irrespective of size and complexity, including community banks, and extends to bank-fintech partnerships and data aggregator relationships.

While TPRM is a standard component of supervisory exams, financial institutions should expect enhanced scrutiny and take the opportunity to evaluate their TPRM processes and controls.


Geoffrey Lash is a Managing Principal specializing in Capital Markets and FRC advisory for Capco’s financial services clients.

Justin Waller is a Principal Consultant at Capco specializing in Finance, Risk & Compliance solutions for clients in the financial services industry. He also co-leads Capco’s Non-Financial Risk Management offerings in the U.S.

Simon Zais is a Senior Consultant at Capco specializing in Wealth and Asset Management.


© 2024 Global Association of Risk Professionals