On June 6, 2023, the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. (collectively, the “Agencies”) issued final interagency guidance that provides granular recommendations for how banks and other regulated financial institutions should manage risks associated with third-party relationships (the “Guidance”). The Guidance replaces prior guidelines that were released by the Agencies on July 19, 2021.
1. Introduction
The Guidance is designed to assist banking organizations with managing the risks associated with third-party relationships, including specific risks that may arise in the context of technology services. However, the Guidance applies to all of a financial institution’s third-party relationships (defined in the Guidance as “any business arrangement between a banking organization and another entity, by contract or otherwise”). The Guidance emphasizes that banking organizations are ultimately responsible for managing their activities (including activities conducted through a third party) in a safe and sound manner. Specifically, the Guidance provide a risk management framework that can be utilized by banking organizations when developing their third-party risk management practices.
2. Third-Party Relationship Life Cycle
The Agencies maintain that effective third-party risk management generally follows a continuous life cycle for third-party relationships, while simultaneously recognizing that not all third-party relationships present the same level of risk, and that a banking organization’s risk management approach should be tailored to match the specific facts and circumstances presented by each third-party relationship. The Guidance provides risk management principles applicable to each of the following five stages in the life cycle of third-party relationships: (i) planning; (ii) due diligence and third-party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. We summarize each of these five stages as follows:
a. Planning
In the Guidance, the Agencies emphasize that effective planning is a fundamental part of sound risk management and allows a banking organization to evaluate and consider how to manage risks before entering into a third-party relationship. The Agencies note that certain third-party relationships which support a banking organization’s higher-risk activities typically require a greater degree of planning and consideration, and it may be prudent to present such plans for approval by a banking organization’s board of directors (or similar leadership).
The Agencies offer a non-exhaustive list of factors that banking organizations should typically consider in an effort to manage risks prior to entering into a third-party relationship, such as (a) the strategic purpose of the business arrangement and how the arrangement aligns with a banking organization’s overall strategic goals, objectives, risk appetite, risk profile, and broader corporate policies; and (b) the benefits and the risks associated with the business arrangement and determining how to appropriately manage the identified risks.
b. Due Diligence and Third-Party Selection
The Agencies also highlight the importance of conducting due diligence before entering into a relationship with each third party. The Agencies include a list of factors that they recommend banking organizations should consider when conducting due diligence, which include reviewing the third-party’s: (a) overall business strategy and goals; (b) legal and regulatory compliance; (c) financial condition by reviewing available financial information; (d) prior business experience; (e) qualifications and backgrounds of the key personnel and other human resources considerations; (f) overall risk management; (g) information security practices; (h) business processes and information systems that will be used to support the activity; (i) operational resilience practices; (j) incident reporting and management processes; (k) physical and environmental controls; (l) reliance on subcontractors; (m) insurance coverage; and (n) contractual arrangements with other parties.
c. Contract Negotiation
The Agencies also provide a list of sound risk management principles that they recommend banking organizations assess during the contract negotiation stage. Depending on the degree of risk and complexity of the third-party relationship, the Agencies advise that a banking organization should typically consider and address the following factors, among others, during contract negotiations: (a) the nature and scope of the business arrangement between the parties; (b) clearly defined performance measures to assist in evaluating the performance of a third party (which are often set forth in a service level agreement); (c) ensuring the third party has an obligation to retain and provide timely, accurate, and comprehensive information to allow the banking organization to monitor risks and performance, and to comply with applicable laws and regulations; (d) establishing the banking organization’s right to audit, and requiring remediation when issues are identified in such audits; (e) obligating the third party to comply with applicable laws and regulations; (f) the costs and compensation for the third party relationship; (g) the extent to which the third party has the right to use the banking organization’s information, technology, and intellectual property; (h) the confidentiality and integrity of the information being disclosed to the third party, such as when and how the third party will notify the banking organization of any information security breaches or unauthorized intrusions; (i) the continuation of the third party’s performance of the activity in the event of problems affecting the third party’s operations, including degradations or interruptions in delivery; (j) whether indemnification clauses specify the extent to which the banking organization will be held liable for claims or be reimbursed for damages based on the failure of the third party or its subcontractor to perform; (k) whether any limits on liability are in proportion to the amount of loss the banking organization might experience as a result of third-party failures, or whether indemnification clauses require the banking organization to hold the third party harmless from liability; (l) whether the types and amounts of insurance are included in the contract; (m) whether the contract includes a dispute resolution process; (n) whether the banking organization or the third party is responsible for responding to customer complaints or inquiries; (o) subcontractor management; (p) choice-of-law and jurisdictional provisions that provide dispute adjudication under the laws of a single jurisdiction, especially where the third party is based outside the United States; (q) stipulating what constitutes default, identifies remedies, allows opportunities to cure defaults, and establishes the circumstances and responsibilities for termination; and (r) stipulating that the performance of activities by third parties for the banking organization is subject to regulatory examination and oversight, including appropriate retention of, and access to, all relevant documentation and other materials.
d. Ongoing Monitoring
The Guidance notes that effective third-party management should be ongoing throughout the duration of the third-party relationship, and include: (1) reviewing the third party’s performance and the effectiveness of its controls; (2) periodically visiting and meeting with third party representatives to discuss performance and operational issues; and (3) regularly testing the banking organization’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities.
Depending on the degree of risk and complexity of the third-party relationship, the Agencies advise that a banking organization should typically consider the following factors, among others, as part of ongoing monitoring: (a) the overall effectiveness of the third-party relationship, including its consistency with the banking organization’s strategic goals, business objectives, risk appetite, risk profile, and broader corporate policies; (b) changes to the third party’s business strategy and its agreements with other entities that may pose new or increased risks or impact the third party’s ability to meet contractual obligations; (c) changes in the third party’s financial condition, including its financial obligations to others; and (d) relevant audits, testing results, and other reports that address whether the third party remains capable of managing risks and meeting contractual obligations and regulatory requirements.
e. Termination
Last, the Guidance recommends that, to the extent a banking organization needs to terminate a third-party relationship, the banking organization does so in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued. When deciding on options for effectively transitioning the services it is terminating, the Guidance suggests that a banking organization typically considers the following factors, among others, to facilitate termination: (a) options for an effective transition of services; (b) relevant capabilities, resources, and the time frame required to transition the activity to another third party or bring in-house; (c) costs and fees associated with termination; (d) managing risks associated with data retention and destruction, information system connections and access control, or other control concerns that require additional risk management and monitoring after the end of the third-party relationship; (e) handling of joint intellectual property; and (f) managing risks to the banking organization, including any impact on customers.
3. Implications Moving Forward
The recommendations contained in the Guidance sheds light on the Agencies’ increased focus on third-party risk management in general, and on financial technology service providers specifically. It also underscores the vulnerabilities the Agencies see in the risk management of these third party relationships. To ensure compliance with the Guidance, banking organizations should review their existing policies and procedures to assess whether they appropriately reflect a risk-based approach to third-party risk management, and bank organizations’ leadership should consider whether any changes are needed to meet the expectations outlined in the Guidance.
Moving forward, banking organizations should expect a heightened focus by the Agencies on third-party risk management practices, as the various federal regulatory agencies incorporate the Guidance into their routine supervisory review activities. Moreover, since the Guidance specifically states that examiners will perform various assessments of regulated entities’ risks implicated by their third-party relationships (including conducting transaction testing and reviewing the results of such testing), banking organizations would be well advised to begin re-assessing, and, where appropriate, bolstering their third-party risk management processes in anticipation of examiners’ exercising a greater degree of scrutiny in this area.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
