New Guidance for Third-Party Risk Management

US bank regulators have issued interagency guidance on third-party risk management. The new pronouncement combines and updates past guidance issued by the individual agencies. John and Elliot discuss key parts of the guidance and some implications for banks and their vendors.

New Guidance for Third-Party Risk Management - TRANSCRIPT

Elliot Berman: Hi John. How are you today?

John Byrne: Good, Elliot. Pretty interesting and ground-breaking week for a variety of reasons that I'm sure everybody is aware of. A lot also going on in, in our space. We only have time to reference a couple of them, but I thought I would just quickly mention that Chairman McHenry from House Financial Services is putting legislation in that would make the FinCEN director job a presidential appointee. He's the chairman of the committee, so I'm sure there's some potential for something like that passing.

So we'll wait and see. Then also looking at the beneficial ownership legislation, which we know has several parts to it. And he's put in something that says that it cannot be final until all parts of AMLA that relate to beneficial ownership, which obviously also includes the registry are complete. We'll see where that is, but that sort of came out of left field, I hadn't realized that there was any focus on that.

The OCC publish ed they're semi-annual risk perspective, and it's a lengthy document, a couple hundred pages . This will be no surprise to our community, but the key risk themes and four themes they call out, but two of them are operational and compliance risk. The operational risk, they said it is, continues to be elevated. Cyber threats persist. Obviously we're all aware of that. Digitalization of banking products and services expanding especially as banks increase their use of third parties, which we're gonna talk about third party relationships in a minute. And that expansion presents both opportunities and risk.

And then for compliance risk, that's also elevated. And they mentioned in the quick summary, the banks continue to operate a dynamic environment, which compliance management systems are obviously challenged to keep pace with changing products, services, and delivery channels developed in response to customer needs and preferences. That's always a very interesting document and has some valuable communications that you can do internally to your board to your analysts, and obviously your compliance committee.

So we'll see that. But just wanted to highlight a couple of those things.

And the key though is the interagency guidance on third party relationships focusing on risk management. As a third party ourselves we're obviously both very interested in the oversight, but also I would say comforted by the fact that a lot of the coverage here is spaces that we're well familiar with and as is our staff and our leadership.

So what was. What struck you from the guidance? What are some of the key themes?

Elliot Berman: Let me just give our audience hopefully just three sentences of background. So there has been guidance from each of the banking agencies that has been formulated through the years, and this is the first time they've come together in an interagency way. And this interagency guidance was built on the structure that very much followed the OC C guidance that I think was 2013, if I remember correctly. And that guidance was somewhat more prescriptive than the previous guidance from the FDIC and the Fed. One of the things that is likely happen here is that OC C banks will view this as something they need to pay attention to and take a look at any changes.

But state chartered banks that are either Fed members or non-Fed members will have some step up in what they have to do or what the expectation will be as opposed to the prior guidance that they were under. Big picture principles here. One is that the guidance applies to all third party relationships.

And one of the things to remember is this whole idea of third party or vendor management started out as being an IT issue. So way back 20 years ago, there was FFIEC guidance about how to evaluate and manage your relationship with your key IT vendors.

If you're a bank, your core processor at that time was your biggest one, and probably your second biggest one was your internet service provider as you were moving data from facility to facility and to data centres and things like that. One is that this applies to all third party relationships.

Secondly, it's very clear that it's intended to be risk-based. You and I have spent a lot of time talking about what risk-based really means in a lot of different contexts. But clearly this has some parallel to the model risk management guidance that's been out now for a number of years about assessing the real risk to the institution of a particular vendor failure or vendor problem and thinking about how you're going to assess the risk. Both how often and how much due diligence you're going to do based on the magnitude of the risk. So that's another key one. In fact, they state not all relationships present the same level of risk. So that's obviously clearly obvious, but also important.

They also spend a fair amount of time talking about things that look at non vendors. Many of the relationships that banks have with FinTechs are not true vendor relationships, but they're some kind of shared customer relationship or something like that. And these fit too, which is why they're talking about third party risk management rather than purely vendor risk management.

And last, an explicit statement in the guidance that this whole regime does not apply to depositors, other customers who take services, including loan customers. There are risk issues related to them, but this specific guidance does not directly apply in those circumstances.

John Byrne: Yes, and the things that I focused on was both the listing of why there are significant benefits to use of third parties, which we of course completely agree with. And they point out that banking organizations can get access to new technologies, human capital, which is always at a premium delivery channels, obviously access to product services and other markets.

On the other hand though, they say some of the things that they wanna make sure that each banking organization considers is the potential of reduction of direct control over activities. Because that can increase risk if you don't understand how that works. So operational compliance and strategic risks and you know that organizations by working with a third party, they can be exposed to financial loss, disruption. That's why all of the recommendations in the guidance focus on understanding what's, as you say, what's the level of risk, not what's the size of the bank, what's the nature of the relationship?

And then they go as deep in this document as you're trying to understand what the third party does, what's their governance structure? What are their policies and procedures how do they treat. Issues of ethics in that, which I think is great to, to call out those things because, especially in the legal and compliance space, what's their licensing requirements? Are they meeting those?

What's the expertise internally? Do they have people that are SMEs and people that understand operations? So all that stuff seems obvious. But I think the point throughout the document that bears repeating is, as you're overseeing your third party relationship, you need to do as much due diligence as you would do yourself.

Or if you were doing an acquisition, you're doing a merger, what's their experience, what's their financial condition? What's their risk management? What's their IT processes? These things that we're certainly familiar with. I think it's a really good roadmap to both effective oversight, but also what the examiners will be looking for as they approach exams.

Look, looking at third party relationships.

Elliot Berman: Yes, absolutely. Another thing that's interesting, and I think we're gonna continue to see this over and over again in guidance because it's been a little bit of a flashpoint between the industry and the regulators, is an explicit statement that the guidance is guidance and does not have the force or effect of law. And doesn't impose new requirements. I think that's important.

It's easy to put that paragraph in the guidance. At the policy level, at headquarters everybody will clearly acknowledge that, but at least my own experience that's not the experience you have on the ground when the examiners are there. Theminers waive the guidance and say why aren't you doing this particular thing? It's in the guidance. Even though the guidance says these are examples, they're not prescriptions and, you should be looking at your own institution and doing an effective job of applying the principles to your own needs. We'll see if an explicit statement helps that. That'll take us a couple of years before we have enough exam cycles to get, the anecdotal feedback flowing, but be interesting.

John Byrne: And toward the end they also mentioned the importance of having your board, or at least a board committee, overseeing in some fashion these third party relationships and to look at things such as, is the relationship consistent with your own strategic goals and your risk appetite?

So again, seemingly obvious, but making sure that the companies that you're bringing in to do some of the work that you would've done previously have the same mission, have the same goals, have the same structure, have the same or better training so that this relationship not just makes financial sense, but makes reputational and legal sense.

Elliot Berman: Yes. As you think about how to apply this one of the important things is to think through the the third party lifecycle and really see how your risk management tools get applied across the life cycle, all the way from the early introduction through the negotiation stage, and then into contracting. Because at each one of those phases, there's an opportunity to gain information, set the ground rules between the parties, and clearly lay out not just the ground rules, but also the legal obligation to carry out certain things. We know, for example, that some FinTechs who provide banking services do it through a contract with a chartered bank because they don't have their own banking charter.

That's not new. But the bank regulators and the law says that the responsibility for those ultimate customers are the bank's from a legal perspective. And so how you make sure that your FinTech partner understands what they have to do either to provide you with information or in the alternative actually do the work. But do it to the right standard and how the parties are gonna communicate that and test it. That's all the challenge and the implementation of this guidance.

John Byrne: So as everything else we talk about, read the guidance. Make sure you're training your folks on it and like Elliot has said, this is the first time this particular concept has been the basis of an interagency guidance, not individual agencies. So they all signed off on this, so you can be sure it'll be included in potential supervisory findings if there's deficiencies?

Elliot Berman: Yes. So we have a couple other things in the hopper. One is John, I know you are gonna get together with Terry Pesce and have a more in-depth conversation about the guidance and we'll we'll be getting that recorded and processed and then posted over the next week or two.

We also have a webinar coming next week, it's the 22nd and it's on model identification and validation and again, a fair amount of parallel in terms of how you may think about it as with third party management . John, what else do you have coming?

John Byrne: A lot of interesting people that I've chatted with in the past week that we're going to be doing interviews in the next few weeks. Two interviews that will touch on the world of antiquities and cultural artifacts, the use of those for criminal purposes and understanding more about. The provenance, the research into them, why it's impactful when these artifacts get stolen or misused. We have a few folks that we're going to talk to about that.

I have a schedule with a good dear friend from the old days of ACAMS who is now running a program that certifies sanctions experts. So we're gonna talk to her about sanctions related topics on a global scale. So that's coming up in a couple of weeks.

There's a n author that we've interviewed before, Gary Schiffman from Giant Oak who's done a recent article talking about the ethics in compliance regarding algorithms, which is fascinating.

In July we'll be doing a webinar on the FATF plenary in June, which is coming up in a couple weeks. So some exciting things in the hopper . And as we always say, let us know if there's individuals, concepts, topics, or organizations you'd like us to interview, we're more than happy to do that. Global or domestic. We find it all valuable.

All right, Elliot. Have yourself good rest of the week and we'll talk next week.

Elliot Berman: Yes, you be well. Bye-bye.