Are some community banks struggling to implement the Interagency Guidance on Third-Party Relationships: Risk Management released in June 2023? It’s possible.
The agencies released Third-Party Risk Management: A Guide for Community Banks in May to help community banks develop and implement third-party risk management practices. The guide supplements the Interagency Guidance on Third-Party Relationships: Risk Management, which was released in June 2023.
While the 24-page booklet does not contain new guidance or regulations, it represents an effort by the agencies to make the guidance more digestible by offering considerations, resources, and examples to help bankers (and perhaps fintechs and third-party vendors) through each stage of the third-party risk management lifecycle.
The guide's theme is risk management. It reminds banks that vendor management follows the same principles as other kinds of risk management while providing a freshly worded perspective for institutions that may need help framing key issues.
Here are the key reminders and takeaways.
Vendor management isn’t a one-size-fits-all affair. Some third-party relationships are riskier than others and that level of exposure determines how much oversight of the relationship is needed. (In other words, your bank needs to identify higher-risk and critical vendors and apply enhanced oversight.)
On the other hand, if you’re a vendor that a community bank would deem high-risk or critical, the guide can help you prepare to meet bank expectations by highlighting the types of questions banks will be asking.
Nothing is more intimidating than staring at a blank page and wondering where to begin. The guide helps community banks over that hurdle for each stage of the vendor management life cycle (planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination) by sharing sample questions that community banks should consider and suggestions where some of those answers might be found.
There are also streamlined examples that show the actions a hypothetical community bank might take after answering the questions.
While these lists and examples aren’t meant to be exhaustive, they serve as a starting point and food for thought for both community banks and their third-party partners. It’s a good idea to consider all these questions. There’s a reason why the agencies are providing suggestions – it’s likely there are some institutions that haven’t built out robust programs yet and the agencies want to see them succeed.
By now, every bank should know that its vendor management program should be commensurate with its size, complexity, and risk profile. That also impacts governance.
When examining the risk management lifecycle, remember to note the triangle surrounding it. It represents the three principles of third-party risk management governance: board oversight, independent reviews, and documentation and reporting.
The guide draws from the guidance to define these expectations, translating some of the dense guidance into questions to help banks think about how their third-party risk management program will be governed. This includes areas like policies and procedures, resources, and reporting. It also reminds banks to look to their strategic plans to ensure vendor management decisions align with strategic objectives – a topic I addressed our recent webinar Governance: A Blueprint for Financial Institution Leaders.
The new guide is a helpful tool for community banks that have more questions than answers when it comes to vendor management. Third-party risk management is a complicated topic, and it’s understandable that community banks might need some help breaking down the guidance into practical tips. (The Interagency Guidance is 40 pages of guidance and another 25+ of discussion.)
While the guide is helpful, it may not be enough for some institutions. Many financial institutions use vendor management software like Nvendor to tackle vendor management effectively and efficiently. They rely on compliance management tools like Ncomply to aid them with summaries and action plans for implementing rules and guidance and keeping up with regulatory change. Others invest in training. For example, many community bankers have completed their Nstitute Certified Vendor Management Professional (NCVMP) certification, following a self-paced curriculum based on the 2023 Interagency Guidance.
Satisfying regulators and protecting your institution from third-party risk doesn’t have to be difficult – you just need the right tools. Make sure your institution is asking the questions posed by the guide, and don’t be afraid to ask for help if you need it.
Have more questions about the Interagency Guidance? View our free webinar: “Third-Party Management for Banks: Inside the New Guidance.”