<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

Third-Party Service Providers and Vendor Management: What Banks Need to Know About New Guidance

author
5 min read
Jun 9, 2023

Two years after it was first proposed, the Interagency Guidance on Third-Party Relationships: Risk Management has been finalized. This new vendor management guidance from the federal regulatory agencies aligns vendor management requirements among the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve and replaces existing guidance.

What does this new third-party service provider (TPSP) vendor management guidance mean for banks? 

We’re here to break it down for you. 

Table of contents

Overview of Interagency Guidance on Third-Party Relationships 

The new bank vendor management guidance breaks down the vendor management lifecycle in five phases. 

1. Planning 

The planning phase sets the stage for any third-party vendor relationship. It’s the time when a bank should think about why it’s considering outsourcing an activity. There needs to be a clear business case for the decision. Potential risks and controls should be identified, and the bank needs to ensure it has sufficient resources to oversee the relationship.  

2. Due diligence and third-party selection 

The planning phase sets the stage for due diligence and third-party selection. Having established what the bank needs from a vendor and the potential risks of the partnership, due diligence gives a bank the information it needs to decide whether a vendor is positioned to help the bank meet its strategic and financial goals.  

Due diligence helps a bank assess whether the vendor can deliver products and services as promised, comply with laws, regulations and bank policies, and operate in a safe and sound manner. The scope of due diligence depends on the level of risk and complexity the relationship presents.  

3. Contract negotiation 

Contract negotiation is an opportunity for banks to add provisions and other addendums to protect mitigate risk. Riskier relationships require more detailed contracts.  

Read also: What Is Contract Management?

4. Ongoing monitoring 

 Ongoing monitoring is the process a bank uses to:  

  • Verify third-party vendors are delivering products and services as promised 
  • Assess if vendor controls are effective 
  • Escalate and address significant issues 

Gone are the days of reviewing a third-party vendor’s documents once a year, especially for critical and other high-risk vendors. The guidance suggests that “Ongoing monitoring may be conducted on a periodic or continuous basis, and more comprehensive or frequent monitoring is appropriate when a third-party relationship supports higher-risk activities, including critical activities.” 

5. Termination 

A bank needs to outline the terms and conditions of ending a vendor relationship. This includes causes for termination, costs, and how data and intellectual property will be handled. There should also be a plan for how the bank would transition to another service provider. 

Free Guide: The Ultimate Guide to Fintech and Third-Party Vendor Onboarding

Biggest changes to third-party vendor management for banks 

Now that we’ve established the basics of the guidance, let’s take a look at the biggest differences between existing and new guidance. 

New definition: What’s a critical vendor? 

The new vendor management guidance uses a three-prong test to identify critical vendors. A critical vendor is one that will:  

  • Cause a bank to face significant risk if the third party fails to meet expectations 
  • Have significant customer impacts or  
  • Have a significant impact on a bank’s financial condition or operations 

Critical vendors and data security 

The new guidance makes it clear that a third-party vendor with access to significant amounts of protected or confidential customer information could pose a significant impact to customers.   

Digging deeper into due diligence and analyzing third-party risk 

Due diligence remains an integral part of the vendor management lifecycle. The new guidance provides more detail on the factors banks should analyze to determine residual risk before entering a third-party vendor relationship. (In the past these factors varied from regulator to regulator and tended to include much broader categories of risk such as strategic, reputation, operational, transactional, credit and compliance risk.) 

Now banks supervised by the OCC, FDIC, and Fed will need to address these factors: 

  • Strategies and goals 
  • Legal and regulatory compliance 
  • Financial condition 
  • Business experience 
  • Qualifications and backgrounds of key personnel and other human resource considerations
  • Risk management (SOC reports specifically mentioned) 
  • Information security 
  • Management of information systems 
  • Operational resilience 
  • Incident reporting and management processes 
  • Physical security 
  • Reliance on subcontractors 
  • Insurance coverage 
  • Contractual arrangements with other parties 

Takeaway: Make sure your vendor risk assessments are drilling down into the details when conducting due diligence and analyzing residual risk. Be sure to monitor all of these areas and update risk assessments when there are changes.  

New emphasis on linking third-party risk with overall risk management 

While connecting vendor management to the rest of a bank’s enterprise risk management program has always been a best practice, the new guidance makes this link explicit. 

The guidance expects the board to establish a risk appetite for third-party risk management (TPRM) and for management’s vendor management program to align with this statement. This includes policies, procedures and practices.  

As part of its oversight and accountability, the board of directors should be “Integrating third party risk management with the banking organization’s overall risk management process.” 

Related: ERM vs. Vendor Management: What’s the Difference?  

What does that mean? Vendor management should be closely linked to other elements of a bank’s risk management program including compliance, business continuity and resiliency, audit, fair lending, and information security, among others. The actions of vendors can have a significant impact in each of these areas.     

Takeaway: Data from your vendor management program needs to integrate into your other risk management programs. Vendor management isn’t effective in a silo. 

More emphasis on contracts as a third-party risk control 

The contract has always been an important element of third-party vendor management. The new guidance doubles down on this, calling out vendor contracts as a specific risk factor. Depending on the criticality and complexity of the vendor relationship, contracts should clearly define: 

  • Nature and scope of the third-party vendor arrangement 
  • Performance measures or benchmarks 
  • Responsibilities for providing, receiving and retaining information 
  • Audit and remediation rights 
  • Compliance responsibilities 
  • Costs and compensation 
  • Ownership and license 
  • Confidentiality and integrity 
  • Operational resilience and business continuity 
  • Indemnification and limits on liability 
  • Insurance 
  • Dispute resolution 
  • Customer complaints 
  • Subcontracting 
  • Foreign-based third parties 
  • Default and termination 
  • Regulatory supervision 

Takeaway: When negotiating contracts, make sure your bank looks beyond cost and leverages third-party vendor contracts as a source of as many valuable risk management controls as possible.  

Timeline for Interagency Guidance on Third-Party Relationships implementation 

This guidance takes effect immediately, meaning that examiners will use it to guide them when assessing a bank’s vendor management programs. While guidance doesn’t have the force of a regulation, it can be used as the basis for citing a bank for unsafe and unsound banking practices, something we’ve seen regulators do recently. 

That makes it extremely important for banks to assess their vendor management programs in light of the new guidance. 

Final thoughts on bank TPSP guidance 

While the interagency guidance doesn’t revolutionize vendor management, it represents its ongoing evolution as a part of integrated risk management. Vendor management programs should be evaluating a broad range of risks, and these risks should all tie into a bank’s enterprise risk management solution. 

It’s also a critical reminder that regulators are very concerned with third-party vendor management programs at banks. They are probing deeper, asking more questions, and raising their expectations. This is especially true as banks rely more on fintechs, which often lack experience in managing compliance risk and other areas of deep interest to regulators. 

As this guidance takes effect, now is the time for banks to be assessing the maturity of their vendor management programs and how they integrate with the institution’s overall risk management program.

 


Subscribe to the Nsight Blog