May 2024 Compliance Journal

Special Focus

Agencies Release Third Party Risk Management: A Guide for Community Banks

Earlier this month, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) released a Third Party Risk Management: Guide for Community Banks (Guide) to assist community banks with developing and implementing third-party risk-management practices. The Guide is based upon the Agencies’ Interagency Guidance on Third-Party Relationships: Risk Management, which was published in the Federal Register last June. The Agencies intend for the new Guide to be a resource for community banks to consider when managing the risk of third-party relationships. The Guide, however, is not a substitute for the Interagency Guidance.

The new Guide focuses on four areas, which are summarized below. Included within the focused areas are helpful considerations and information sources for banks to review when managing the risk of their third-party relationships. The Guide also provides an illustrative example for each of the four main areas.

Risk Management

The first area of focus is the overall risk management of a third-party relationship. Not all third-party relationships present the same level of risk to a bank. As such, not all relationships require the same level of oversight. A bank is permitted to adjust and update its third-party risk-management practices commensurate with its size, complexity, and risk profile by periodically analyzing the risks associated with each third-party relationship. In taking this approach, bank management needs to involve those staff members with the requisite knowledge and skills in each stage of the risk-management life cycle.

In determining whether an activity is higher risk, and therefore requires more oversight of a third party performing any higher-risk duties, banks may assess various factors, such as whether the third party has access to sensitive data (including customer data), processes transactions, or provides essential technology and business services. Characteristics of critical activities can include those activities that could cause a bank to face significant risk if the third party fails to meet expectations, have significant customer impacts, or have a significant impact on a bank’s financial condition or operations.

Third-Party Relationship Life Cycle

The Agencies set forth that effective third-party risk management generally follows a continuous life cycle for third-party relationships. The five stages of the life cycle, which include (1) planning, (2) due diligence and third-party selection, (3) contract negotiations, (4) ongoing monitoring, and (5) termination, are surrounded by the governance practices of oversight and accountability, independent reviews, and documentation and reporting. For every stage, a bank’s level or type of oversight may vary, commensurate with its size, complexity, and risk profile as well as with the nature of the specific third-party relationship.


May 2024 Compliance Journal by wisbank - Issuu