Two years after it was first proposed, the Interagency Guidance on Third-Party Relationships: Risk Management has been finalized. This new vendor management guidance from the federal regulatory agencies aligns vendor management requirements among the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve and replaces existing guidance.
What does this new third-party service provider (TPSP) vendor management guidance mean for banks?
We’re here to break it down for you.
The new bank vendor management guidance breaks the vendor management lifecycle down into five phases: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
The planning phase sets the stage for any third-party vendor relationship. It’s the time when a bank should think about why it’s considering outsourcing an activity. There needs to be a clear business case for the decision. Potential risks and controls should be identified, and the bank needs to ensure it has sufficient resources to oversee the relationship.
The planning phase sets the stage for due diligence and third-party selection. Having established what the bank needs from a vendor and the potential risks of the partnership, due diligence gives a bank the information it needs to decide whether a vendor is positioned to help the bank meet its strategic and financial goals.
Due diligence helps a bank assess whether the vendor can deliver products and services as promised, comply with laws, regulations and bank policies, and operate in a safe and sound manner. The scope of due diligence depends on the level of risk and complexity the relationship presents.
Contract negotiation is an opportunity for banks to add provisions and other addenda that protect the bank and mitigate risk. Riskier relationships require more detailed contracts.
Ongoing monitoring is the process a bank uses to:
Gone are the days of reviewing a third-party vendor’s documents once a year, especially for critical and other high-risk vendors. The guidance suggests that “Ongoing monitoring may be conducted on a periodic or continuous basis, and more comprehensive or frequent monitoring is appropriate when a third-party relationship supports higher-risk activities, including critical activities.”
A bank needs to outline the terms and conditions of ending a vendor relationship. This includes causes for termination, costs, and how data and intellectual property will be handled. There should also be a plan for how the bank would transition to another service provider.
Now that we’ve established the basics of the guidance, let’s take a look at the biggest differences between existing and new guidance.
The new vendor management guidance uses a three-prong test to identify critical vendors. A critical vendor is one that will:
The new guidance makes it clear that a third-party vendor with access to significant amounts of protected or confidential customer information could have a significant impact on customers.
Due diligence remains an integral part of the vendor management lifecycle. The new guidance provides more detail on the factors banks should analyze to determine residual risk before entering a third-party vendor relationship. (In the past these factors varied from regulator to regulator and tended to include much broader categories of risk such as strategic, reputation, operational, transactional, credit and compliance risk.)
Now banks supervised by the OCC, FDIC, and Fed will need to address these factors:
Takeaway: Make sure your vendor risk assessments are drilling down into the details when conducting due diligence and analyzing residual risk. Be sure to monitor all of these areas and update risk assessments when there are changes.
While connecting vendor management to the rest of a bank’s enterprise risk management program has always been a best practice, the new guidance makes this link explicit.
The guidance expects the board to establish a risk appetite for third-party risk management (TPRM) and for management’s vendor management program to align with this statement. This includes policies, procedures and practices.
As part of its oversight and accountability, the board of directors should be “Integrating third party risk management with the banking organization’s overall risk management process.”
What does that mean? Vendor management should be closely linked to other elements of a bank’s risk management program including compliance, business continuity and resiliency, audit, fair lending, and information security, among others. The actions of vendors can have a significant impact in each of these areas.
Takeaway: Data from your vendor management program needs to integrate into your other risk management programs. Vendor management isn’t effective in a silo.
The contract has always been an important element of third-party vendor management. The new guidance doubles down on this, calling out vendor contracts as a specific risk factor. Depending on the criticality and complexity of the vendor relationship, contracts should clearly define:
Takeaway: When negotiating contracts, make sure your bank looks beyond cost and uses third-party vendor contracts to secure as many valuable risk management controls as possible.
This guidance takes effect immediately, meaning that examiners will use it to guide them when assessing a bank’s vendor management programs. While guidance doesn’t have the force of a regulation, it can be used as the basis for citing a bank for unsafe and unsound banking practices, something we’ve seen regulators do recently.
That makes it extremely important for banks to assess their vendor management programs in light of the new guidance.
While the interagency guidance doesn’t revolutionize vendor management, it represents its ongoing evolution as a part of integrated risk management. Vendor management programs should be evaluating a broad range of risks, and these risks should all tie into a bank’s enterprise risk management solution.
It’s also a critical reminder that regulators are very concerned with third-party vendor management programs at banks. They are probing deeper, asking more questions, and raising their expectations. This is especially true as banks rely more on fintechs, which often lack experience in managing compliance risk and other areas of deep interest to regulators.
As this guidance takes effect, now is the time for banks to be assessing the maturity of their vendor management programs and how they integrate with the institution’s overall risk management program.