This content was published prior to the merger of equals between BKD and DHG on June 1, 2022.
Financial Regulators Propose Combined Guidance for Third-Party Risk Management: Expectations for an Expanded TPRM Landscape

The Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have proposed combined interagency guidance on third-party risk management (TPRM). The proposed guidance is directed at all banking organizations supervised by these agencies and, if adopted, would replace each agency's existing guidance on this topic.
Background
On July 19, 2021, a press release announced that the FRB, FDIC, and OCC had issued a call for comments on Proposed Interagency Guidance on Third-Party Relationships: Risk Management. While each agency currently has its own third-party risk management guidance for the banking organizations it supervises, the proposed guidance aims to create consistency among the agencies and clarify principles of third-party risk management. The notice states that the proposed guidance is based on the OCC's existing third-party risk management guidance from 2013. The proposed guidance takes into account the level of risk, the complexity and size of the banking organization, and the nature of its third-party relationships.
The proposed guidance aims to provide risk management principles that banking organizations may use to address risk throughout all stages of third-party relationships.
Third-Party Risk Management Lifecycle
- Planning - creating a plan that (1) details the strategy of the banking organization, (2) identifies the inherent risks of engaging with the third party, and (3) describes how the banking organization will select, evaluate, and oversee the third party
- Due diligence - conducting adequate due diligence when selecting a third party
- Contracting - negotiating written contracts that describe in detail the rights and duties of all parties
- Monitoring - monitoring the third party's activities and performance on an ongoing basis
- Termination - developing contingency plans for discontinuing the relationship
What's New
Expansion of the Definition of Third Party:
The OCC noted that business arrangements have expanded and grown increasingly complex since the initial release of OCC Bulletin 2013-29. Business arrangements now extend beyond vendors or entities dealing with bank-related functions to encompass relationships such as referral arrangements, appraisal management, professional services, and custodial services. These relationships should thus be recognized and documented appropriately.
Action to consider - Evaluate how a third party is defined and update the definition, including downstream impacts (i.e., changes to the third-party inventory and related updates)
Oversight and Accountability
The proposed guidance addresses oversight and accountability considerations including:
The role of the Board of Directors (BoD) in ensuring the effectiveness of the TPRM program by requiring the BoD to confirm the risks related to third parties, ensure alignment with the organization's strategic goals and objectives, and approve all policies related to third-party risk management governance
Action to consider - Ensure strategic alignment and review of the TPRM program, including board oversight, appropriate TPRM reporting, changes to policies, and appropriate risk appetite and metrics
Independent reviews of the TPRM policies and procedures to assess whether current third-party relationships align with the organization's business strategy, the current oversight and governance of the TPRM Lifecycle, and the organization's response to material breaches or changes in risk appetite
Action to consider - Perform periodic reviews of the TPRM program and of risk monitoring and metrics, including active management against risk appetite
Organizations should create a central repository for the documentation the proposed guidance expects to be maintained, including:
- A current inventory of all third-party relationships
- Approved plans for the use of third-party relationships
- Risk assessments
- Due diligence results, findings, and recommendations
- Analysis of costs associated with each activity or third-party relationship
- Executed contracts
- Risk management and performance reports received from the third party
- Reports from third parties of service disruptions, security breaches, or other events that pose a significant risk to the banking organization
The following table summarizes proposed guidance and action items for an organization to consider when evaluating its TPRM program:
TPRM Lifecycle Phase | Summary of Guidance From Proposed Regulation | Actions to Consider |
---|---|---|
Planning | Identify and assess the risks associated with the business arrangement and the commensurate steps for appropriate risk management; understand the strategic purpose of the business arrangement; determine the organization's ability to provide adequate oversight and management of a third party; consider the complexity of the business arrangement, such as volume of activity, potential subcontractors, technology, and the likely degree of foreign-based third-party activities | Ensure that the planning process for TPRM evaluates the materiality of third-party arrangements, including alignment to strategy, risk considerations, and complexity |
Due Diligence | The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship | Due diligence activities should be driven by a sound methodology based on the materiality, risk level, and complexity of the third-party relationship |
Contracting | Contracts should explain in detail the rights and duties of all parties, which is critical for successful management of third-party risk | Assess contracts for appropriateness, including language addressing management of third-party risk |
Monitoring | Ongoing monitoring should continually evaluate all aspects of the third-party relationship agreed upon in the contract and escalate any remediation needs through proper leadership channels and, if necessary, to the Board of Directors (BoD); banking organizations should periodically reassess existing relationships to determine whether the nature of an activity subsequently becomes critical | The monitoring process should be appropriate to the third-party relationship and be continuous and commensurate with the risk level of the third party, including periodic reassessment of existing third parties |
Termination | Whether the contract expires or is terminated prematurely because a third party cannot meet its agreed-upon obligations, transition plans should be in place to provide an efficient transfer of knowledge or resources | Transition plans need to be documented and in place for third parties, and should be feasible and executable if needed, and potentially tested |
Strategy for Organizational Preparedness
Organizations should take this opportunity to evaluate current TPRM policies and procedures and make updates accordingly. The software and tools utilized throughout the current TPRM Lifecycle should also be re-evaluated to assess current efficiency and identify gaps that should be addressed going forward. Additionally, if not already in place, Business Continuity Plans and Issues Management policies and procedures should be enhanced to ensure operational efficiency.
How We Can Help
Advisory professionals at FORVIS provide services to clients for all aspects of third-party risk management, including framework development and implementation, risk assessment, risk mitigation, and Lifecycle development and monitoring. Our team of dedicated domain professionals is prepared to advise on the complexities of third-party risk and help achieve strategic business objectives.