Update on Agencies’ Final Guidance on Third-Party Risk Management
On Tuesday, June 6, 2023, federal bank regulators issued final guidance outlining guidelines and factors for financial institutions to consider when managing third-party relationships. The joint final guidance was issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC). It covers risk management strategies for each step in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The final guidance is intended to improve consistency in the agencies’ supervisory approaches to third-party risk management, and it replaces each agency’s previous general third-party guidance. Based on the agencies’ consideration of public comments on the proposed guidance announced in July 2021, the final guidance has been simplified and made clearer.
The final guidance rescinds and replaces the FDIC’s Guidance for Managing Third-Party Risk issued in FIL-44-2008. The FDIC is also withdrawing the 2016 proposed guidance on Third Party Lending (FIL-50-2016), which was released for comment on July 29, 2016, because the final guidance covers all third-party interactions, including lending arrangements. The final guidance makes clear that a financial institution evaluates its business relationships with third parties that engage in lending, payment or deposit activities on its behalf using both the third-party risk management guidance and the various risk management processes and rules that apply to the lending and deposit relationship.
The joint guidance was designed to assist financial institutions, especially community banks, in matching their risk management procedures to the risk profile of their third-party partnerships, and it gives example scenarios. The agencies intend to start working with community banks right away and to create more tools soon to help them manage important third-party risks. As in previous guidance, the complexity and size of the financial institution, as well as the nature of the third-party relationship, are all factors considered in third-party risk management. The final guidance continues to make it clear that if a financial institution uses a third party, the third party’s risk falls back on the financial institution, which is responsible for ensuring that the third party performs all activities in a safe and sound manner.
The guidance also states that the agencies’ routine supervisory procedures will include examining a financial institution’s third-party relationship risk management measures. Supervisors typically evaluate the capacity of a financial institution’s management to supervise and manage its third-party relationships, as well as the impact of those relationships on the bank’s risk profile. They also carry out transaction testing to assess the third party’s performance and compliance with applicable laws and regulations.
In creating and executing risk management procedures for all phases of the life cycle of third-party partnerships, financial institutions may consider the sound principles provided by the guidance, which supports a risk-based approach to third-party risk management. Vendor management software can help with that and also help a company operate more efficiently. It helps financial institutions build better vendor relationships by improving engagement and transparency while reducing risks. Having the most comprehensive solution, such as Strunk’s Vendor Manager software, helps streamline your end-to-end vendor due diligence workflow.