Suggestions for Enhancing Third-Party Risk Management at Community Banks
By John Eckert
6/20/2024
John Eckert has focused on third-party risk management as a national bank examiner for the Office of the Comptroller of the Currency, as an industry risk manager, and as an advisor. Here, he draws on his multifaceted experiences to provide tips for community banks on optimizing their compliance with the interagency third-party risk guidance.
The recent issuance of a third-party risk management guide for community banks (“guide”)—which followed last year’s new interagency guidance—emphasizes the criticality of addressing third-party risk at every institution. The introduction to the guide, issued May 3 by the FDIC, Federal Reserve, and the OCC, notes in bold:
“Engaging a third party does not diminish or remove a bank's responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.”
This article draws on my perspective as a former examiner, former bank risk manager, and now an advisor specializing in third-party risk management (TPRM) to offer tips on how community banks can ensure that third parties operate in ways that comply with the current guidance—and how to optimize third-party risk management practices in general. Before I get started, an important note: As stated by the agencies, the new guide does not serve as a substitute for the interagency guidance. Rather, it provides beneficial supporting information for a community bank to consider as it manages the risk of its third-party relationships. I especially like the examples provided for the TPRM life cycle components. Using the community bank guide to help understand the interagency TPRM guidance should result in the bank developing an effective TPRM program, with the added benefit of being well prepared for a regulatory examination.
Getting Started
In case you went directly to Section IV of the June 2023 Interagency Guidance to dig into the “Text of the Final Interagency Guidance on Third-Party Relationships” in your own reading of the document, I strongly encourage you to read Section II containing the summary of the comments on the proposed guidance and the reasoning for the agencies’ conclusions. There are also references there to other regulatory publications that can provide instruction as you move forward to enhance your TPRM program.
Designating a Leader
While the guidance does not specify a preferred structure to manage a third-party risk management process, I have found that no matter its complexity, a bank needs a designated leader with full responsibility for managing the TPRM program. That leader may delegate applicable duties and accountabilities to business line management, including the direct management of third-party relationships. Another approach is appointing “vendor managers” in the business lines, with the number of third-party relationships assigned to each commensurate with the level of risk. Regardless of how the function is structured, an individual or team should ultimately be responsible for the oversight of every third-party relationship.
Policies and Procedures
The oversight and accountability section of the interagency guidance contains language that should surprise no one: No matter the size and complexity of the bank, it needs to have a TPRM policy and related documentation to support its practices. Every examination and internal audit request for information will seek a current, board-approved version of the bank’s TPRM policy and, most likely, its procedures.
Mapping the guidance’s risk principles to identify potential policy and procedure gaps is advisable. The bank’s size and complexity need to be taken into account when considering the extent of adopting the principles. Also, it would be beneficial for the bank to ensure TPRM terms and definitions are consistent across all the bank’s applicable policies and procedures.
The guidance identifies several key examples regarding the need for “processes that support effective documentation and internal reporting.” I am going to add one more point: Make sure your policies, procedures, and other governance documentation are current and aligned to your actual practices.
Establishing Efficient and Appropriate Governance Routines
Executive management should be engaged in addressing critical and high-risk third-party relationship activity. But involving executive-level management in all third-party activities is not an effective use of their time and may dilute the overall stature of the TPRM program. I recommend establishing a business-department meeting routine for overseeing third-party relationships rated low and moderate risk.
During my tenure on a large bank’s TPRM team, one key governance routine was the third-party risk committee. It included designated executive management, including the chief risk officer, the TPRM leader, and TPRM managers.
The committee focused on critical and high-risk third-party relationships needing executive management review and approval. The scope included vendor management presentations for new relationships, periodic updates on selected third parties, and identification of specific third-party policy and performance exceptions. There was a uniform issue-management process for determining whether to accept, remediate, or terminate a relationship, referred to as the “ART” process. The process produced effective documentation to support management action and reporting risk to the board.
Risk Identification
How a bank rates the risk level of a third-party activity is key—and will be evaluated by regulators. The guidance provides a few characteristics for the bank to include in its assessment but leaves it to the bank to conclude which activities are considered critical.
So, what distinguishes a critical activity? First, there is no uniform list of critical activities. Each bank is unique and needs to assess the risk involved for each third-party activity. The TPRM Guidance box in the Risk Management section of the guide (Page 3) provides good examples of critical activity factors for the bank to consider when determining the risk level of a third-party activity. Examples of factors that distinguish a critical activity include:
In my experience, the number of critical third-party relationships at a community bank is relatively small. I have seen situations in which third parties labeled critical did not actually meet the guidance’s characteristics for a critical third party. The bank’s TPRM policy needs to establish risk criteria that delineate the factors for determining the appropriate level of risk of the third-party activity. While the expectation is to identify the level of risk posed by the third-party activity at the enterprise level, that determination needs to be supported by bank staff with the requisite knowledge and experience to manage risks throughout the third-party life cycle. This includes being able to effectively evaluate the risk of the activity in the planning and due-diligence stages.
Managing a Current Third-Party Inventory
The guidance states: “Maintaining a complete inventory of [banks’] third-party relationships and periodically conducting risk assessments for each third-party relationship supports a banking organization’s determination of whether risks have changed over time and [its efforts] to update risk management practices accordingly.”
But maintaining a current inventory, tracking all activity, and keeping up to date on industry and regulatory changes can be a challenge. In my career, I have been on both sides when regulators have encouraged the use of automated processes to reduce the risk of error. I have observed processes that were internally developed, a component of an application such as a GRC tool, and standalone applications.
These automated processes should be designed to capture and manage all TPRM-related data. An internally developed process, such as a custom database, can be aligned closely to the TPRM program’s requirements, but it requires appropriate internal expertise to maintain, and that expertise may rest with a few people or a single individual. Using an external application allows a TPRM team to draw on a larger group of application developers and subject matter experts. These applications also generate management reports and custom information to provide to auditors and regulators—and can assist in change management (such as making timely updates after the launch of the interagency guidance).
I have also seen TPRM tools that are not sufficiently utilized or updated. The key to efficiently managing an automated TPRM application is ensuring staff have significant experience with the application and a firm understanding of TPRM program requirements to effectively manage the risk. Another point to keep in mind: The methodology should be—as is consistently messaged throughout the guidance—commensurate with the bank’s size, complexity, risk profile, and the nature of its third-party relationships.
The Third-Party Relationship Life Cycle
The third-party relationship life cycle includes planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The rest of this article will cover these aspects of the TPRM process.
Planning
Regarding the planning stage of the life cycle, the regulators have issued instructive guidance on managing the risks associated with offering new, modified, or expanded services. The related OCC Bulletin 2017-43 includes a section on third-party relationship risk management. A key question to consider in the planning stage relates to the level of activity and its duration: Does the bank plan to fully outsource or co-source the activity, and will there be a time when it plans to return it to internal operations? This section of the guidance also addresses contingency planning should the bank need to transition the activity to another third party or manage it internally.
Due Diligence and Third-Party Selection
Regarding due diligence, the interagency guidance can be supplemented by a wealth of information from other industry sources. Of note is the recent community bank TPRM guide as well as the guidance on conducting due diligence for fintechs from the Fed, FDIC, and OCC.
Because completing due diligence requires considerable resources in terms of time and talent, banks are increasing their engagement with another set of third parties to conduct it—especially in the fintech space. When outsourcing due diligence, the bank must still thoroughly evaluate the information provided.
Regardless of who performs due diligence, the guidance notes several factors that warrant close attention, such as:
One final point on due diligence: It needs to be completed before the bank selects a third party.
Contract Negotiation
When dealing with critical and high-risk third parties, contract negotiation is an arduous process. The guidance acknowledges that a bank may not obtain every condition it wants, and that it must then understand and manage the “resulting limitations and consequent risks.” In practice, legal counsel is often involved in negotiations alongside the necessary bank stakeholders. The guidance lists several contract provisions a bank should consider requiring. For example, the ownership and license section raises the possibility of requiring control over source code—which would be essential if a technology-oriented service provider decides to no longer support a bank-specific program.
On a related note, as an advisor, a key topic of discussion with banks that are about to engage a third party is identifying where data is maintained and what safeguards exist to retrieve it. In other words, know the answers to “who and where is your data?”
Monitoring
After executing the contract, it is time for ongoing monitoring. One phrase I often hear in my risk management network is “ongoing due diligence” used to refer to monitoring. To be clear, due diligence is a point-in-time event, while ongoing monitoring is a continuous process that occurs between the initial due diligence and the next “check-up.”
The guidance provides a comprehensive list of monitoring factors to consider. Several can be covered in periodic monitoring, but there is a need to constantly be aware of external events that may involve a third party—and which could require immediate action to remediate an actual or potential concern. Most likely a community bank does not have the resources to maintain its own “early warning system.”
Some banks use services such as Bloomberg and Dun & Bradstreet and social media-monitoring tools for timely alerts on specified third parties. This relieves the staff of a routine of scanning several media sources to maintain awareness of its third parties’ activities.
Termination
The guidance offers several factors to consider regarding the termination phase of the TPRM life cycle. Several should be anticipated in the planning, due diligence, and contracting phases. While the guidance’s focus is on the bank facilitating the termination, remember that the third party may decide to terminate the relationship if, for example, a bank fails to uphold its part of the contract.
Final Thoughts
John Eckert is a former OCC National Bank Examiner with experience ranging from community to large bank supervision, and he served as a Director of Governance and Operational Risk Policy when the OCC issued its TPRM Bulletin 2013-29. His career continued as part of a large bank’s TPRM management team, and he is currently engaged as a Senior Risk Advisor for Risk Management Solutions Group (https://riskmsg.com). John can be reached at jeckert@riskmsg.com.