Blogpost

New Integrated Third-Party Risk Management Guidance from the OCC, Federal Reserve, and FDIC

Regulators have developed “principles-based guidance that provides a flexible, risk-based approach to third-party risk management that can be adjusted to the unique circumstances of each third-party relationship.”

On June 6th, less than 20 months after comments closed, the Federal Reserve, The Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) published integrated third-party risk management (TPRM) guidance which supersedes the agencies’ prior outsourcing guidance.  The new guidance is principle-based and designed to support effective third-party risk management for any type of third-party relationship, no matter how those relationships are structured. The guidance has been crafted to be relevant to all financial institutions (FIs), both small and large. The guidance is largely derived from previous OCC direction and will be familiar to OCC-regulated institutions.

The agencies state up front that “supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations.” That said, as many practitioners know, the sometimes-fuzzy line between guidance and regulation may still blur at examination time, and principles-based guidance (or regulation) often brings with it some degree of interpretation risk.

The new guidance suggests that larger and more complex organizations should consider other relevant guidance, such as the 2020 paper “Sound Practices to Strengthen Operational Resilience” when implementing their third-party risk management practices. Among other points, that guidance suggests how the largest firms should address those third-parties providing public and critical infrastructure services, such as energy and telecommunications services. That’s a subject that should be on the radar for financial services companies no matter their size.

Regulators have addressed many of the comments from the 2021 request for comments. Below, I run through the most prominent issues raised.

Defining “Business Arrangement” and “Third-Party”

Many commentators thought that these too terms were overly broad. The final guidance largely leaves the definitions unchanged, except for the elimination of the customer exclusion from the definition of “Business Arrangement.” That elimination drew public dissent from FDIC Director Jonathan McKernan who thought the elimination added confusion. The FDIC’s letter accompanying the guidance states: “Business relationships with third parties engaged in lending, payment, or deposit activities for the benefit of the bank or through the bank should be evaluated by banks using both the third party risk management guidance and the various risk management processes and rules that apply to traditional lending and deposit relationships.” The guidance also makes clear that both terms include services offered by affiliates, subsidiaries, and joint ventures.

Refining “Critical Activities”

Commentators asked for more clarity around the term “critical activity” and regulators responded by eliminating concepts such as “significant investment” “significant bank function” from the term’s description. Instead, the revised definition focuses only on activities that could:

    • Cause a banking organization to face significant risk if the third-party fails to meet expectations.
    • Have significant customer impacts, or
    • Have a significant impact on a banking organization’s financial condition or operations.
Subcontractors

Some commentators asked regulators to make clear that banking organizations are not expected to perform due diligence and oversight of subcontractors (see, for example, BPI Comment Letter – Interagency Guidance on Third Party Relationships, page 3). However, final language states that, on a risk-adjusted basis, contracts should include provisions for periodic independent audits of the third party and its relevant subcontractors. The guidance suggests that it is “important to obtain and evaluate information regarding the third party’s legally binding arrangements with subcontractors or other parties to determine whether such arrangements may create or transfer risks to the banking organization or its customers.” Also on a risk-adjusted basis and, as appropriate, current inventories of third party relationships should include related subcontractors and capture the full suite of characteristics typically found in an FI’s inventory entry.

Regulatory Supervision of Third Parties

At a time when regulators around the world are increasing their supervision of critical third parties (see, for example, the EU’s Digital Operational Resilience Act – DORA. It is perhaps not a coincidence that the new consolidated guidance states that critical third-party contracts should stipulate that “the performance of activities by third parties for the banking organization is subject to regulatory examination and oversight, including retention of, and access to all relevant documentation and other materials.”

Independent TPRM Program Reviews

Carried over from earlier guidance aimed at larger FIs, the consolidated guidance continues to stress the importance of conducting independent reviews to assess the adequacy of third-party risk management programs. Among other points, the regulators urged firms to structure these reviews to determine whether the risks of third-party relationships are appropriately identified, measured, monitored and controlled. The guidance also stresses the need “to assess whether appropriate staffing and expertise are engaged to perform risk management activities throughout the third-party risk life cycle, including involving multiple disciplines across the banking organization.”

Using External Resources for Due Diligence

The guidance clearly recognizes the benefits in leveraging outside organizations to supplement an organization’s own due diligence on third- parties throughout the life cycle.  The regulators stress that since “the activity to be performed by the third party may present a different level of risk to each banking organization, it is important (for FIs) to evaluate the conclusions from such supplemental efforts based on the banking organization’s own specific circumstances and performance criteria for the activity.”  The guidance states that using external parties to supplement its own due diligence efforts does not relieve the responsibility of the banking organization to properly manage its third-party relationships.

Contract Negotiations When Banking Organizations Have Little or No Leverage

This guidance deviates from recent regulatory direction outside the U.S. in not mandating that vendor contracts specify specific audit rights. The guidance recognizes the increasingly common situation, especially in cloud services, where small or even medium size organizations are not able to negotiate due diligence rights equivalent to what FIs have taken as standard operating procedure. The guidance suggests that banking organizations may gain leverage by negotiating contracts as part of a group. If negotiations do not reduce perceived risks to acceptable levels, the guidance suggests employing other third parties or conducting the activity in-house.

Board of Director Roles and Reporting

Another area where there were extensive comments was the role of the board in third party risk management oversight. Many commentators suggested board and executive management responsibilities should be further clarified. The guidance continues to state that:

    • The board has ultimate responsibility for providing third risk management and holding management accountable.
    • The board approves appropriate policies and ensures that sound procedures and practices are in please.
    • The board should be aware of and – as appropriate – may approve contracts for higher risk activities.

Commensurate with the sector’s rapid move to cloud service providers and other large outsourcing partners, final language underscores the importance of board awareness of situations where an organization is dependent on a single provider for multiple activities.

What Is Shared Assessments Doing?

The Shared Assessments Regulatory Committee met on June 8th to review the new guidance at a high level.  The Shared Assessments Regulatory Committee will host an open discussion session focused on the new integrated guidance on July 25th. All members are invited to attend. Please contact Jessica Calzada to receive meeting details.

Additionally, Shared Assessments is:

  • Mapping Guidance within our current products
  • Revising all products as appropriate (SIG, SCA, etc.)
  • Incorporating guidance into educational materials