Better Third-Party Risk Management via FHFA Guidance

After the housing crisis, Fannie Mae, Freddie Mac and the Federal Home Loan Banks were largely focused on credit and market risk. Now with an increasing awareness of cybersecurity, IT security, data, and operational risk, oversight of third-party providers has become increasingly important.

So important, in fact, that the Federal Housing Finance Agency (FHFA) issued new guidance, "Oversight of Third-Party Provider Relationships" for Fannie, Freddie, the FHLBanks, and the Office of Finance (OF).

What Is a Third-Party Relationship?

The FHFA defines a third-party provider relationship as “a business arrangement between a regulated entity and another entity that provides a product or a service.”

It doesn’t apply “when a FHLBank provides products or services to its members or housing associates.”

What Does the Guidance Say?

The guidance is basically a “greatest hits” album of third-party risk management guidance from the agencies, including the Federal Reserve, Office of the Comptroller of the Currency and the FDIC. The agency almost could have cut and pasted it. It features all of your favorites from the third-party risk management life cycle including:

• Risk assessment
• Due diligence in third-party provider selection
• Contract negotiation
• Ongoing monitoring
• Termination

It also highlights key elements including:

• Board and senior management responsibility
• Policies, procedures and internal standards
• Reporting

The guidance notes that the degree of risk management, including due diligence, should correspond to the level of risk and the complexity of the relationship. It also says that third-party relationship management should be a part of a regulated entity’s overall enterprise risk management (ERM) program.

The Vast Reach of Third-Party Vendor Management

If I’ve said it before, I’ll say it again. Third-party vendor management touches nearly every area of an institution. Don’t believe me? Look at the list of related FHFA guidance on the subject:

• Prudential Management and Operations Standards
• Cloud Computing Risk Management
• Oversight of Multifamily Seller/Servicer Relationships
• Information Security Management
• Internal Audit Governance and Function
• Data Management and Usage
• Information Technology Investment Management
• Oversight of Single-Family Seller/Servicer Relationships
• Operational Risk Management
• Model Risk Management
• Contingency Planning for High-Risk or High-Volume Counterparties

What Does This Mean?

Increased attention on third-party relationships isn’t likely to end anytime soon. Vendor management isn’t a fad. It’s an increasingly important area, one that links guidance on everything from cloud computing, data and information technology to operational risk management, oversight of vendor relationships, and internal audit and governance.

If you’ve been holding off on formalizing your approach to vendor management, this is another sign that you need to get on board.

Related: Creating Reliable Risk Assessments