Blog  |  August 04, 2023

Due Diligence and Third-Party Selection & the New Guidance

Conducting due diligence on third parties is crucial for sound risk management in banking organizations. It involves gathering information about potential third parties to assess their alignment with strategic and financial goals, as well as their ability to comply with policies, laws, and regulations. Due diligence should be tailored to the specific activity and risks associated with the third-party relationship. The level of due diligence should be commensurate with the risk and complexity of the relationship. If limitations arise in obtaining due diligence information, alternative methods should be considered to mitigate risks. Banking organizations can leverage industry utilities or engage in joint efforts to supplement due diligence. However, the responsibility to manage third-party relationships in a safe and compliant manner remains with the banking organization. 

Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers the following factors, among others, as part of due diligence: 

  • Strategies and Goals

Reviewing a third party’s business strategy and goals helps a banking organization understand how its strategic arrangements may impact operations. This includes mergers, acquisitions, partnerships, and service philosophies. It also considers quality initiatives, employment policies, and diversity practices. This information helps determine if the third party aligns with the banking organization’s corporate policies. 

  • Legal and Regulatory Compliance

When engaging a third party, a banking organization must review legal and regulatory compliance considerations to assess risk mitigation. This includes evaluating ownership structure, legal authority, sanctions, expertise, and responsiveness to compliance issues. Additionally, considering potential consumer harm and mitigation processes is essential. 

  • Financial Condition

Assessing a third party’s financial condition involves reviewing various financial information sources, such as audited financial statements, SEC filings, and annual reports. This evaluation helps banking organizations determine if the third party has the necessary financial capability and stability to perform the required activities. Additional factors, such as access to funds, expected growth, pending litigation, and debt rating agency reports, also contribute to the overall assessment of the third party’s financial condition. 

  • Business Experience

When evaluating a third party, a banking organization considers its resources, experience, and track record in addressing customer complaints or litigation. Changes in activities or business models are also considered. Reviewing websites, marketing materials, and other information helps determine if the third party’s statements accurately represent their capabilities. 

  • Qualifications and Backgrounds of Key Personnel and Other Human Resources Considerations

Evaluating the qualifications, experience, and background checks of a third party’s personnel is crucial to assess their capabilities. It is important to identify and remove employees who do not meet suitability requirements or are barred from working in the financial sector. Training ensures employees understand their duties, regulations, and potential risks. Succession planning, redundancy, and accountability processes are also key considerations for a banking organization. 

  • Risk Management

Appropriate due diligence involves evaluating the risk management, policies, processes, and internal controls of a third party. This includes assessing their governance processes, such as clear roles and responsibilities. It is important to consider if the third party’s controls and operations undergo effective audit assessments and independent testing. Banking organizations should also evaluate processes for addressing concerns identified during audits or independent tests. Reviewing SOC reports and conformity assessments or certifications by independent third parties can provide valuable insight. 

  • Information Security

Understanding the potential security implications is crucial for a banking organization when deciding whether to engage with a third party. This involves assessing the third party’s information security program, including its alignment with the organization’s program. It also includes evaluating controls to limit access to data and transactions, as well as the third party’s ability to identify and mitigate threats. Assessing data, infrastructure, and application security programs can provide valuable insights. Additionally, evaluating the implementation of corrective actions is important. Overall, due diligence helps evaluate the third party’s security measures and address any deficiencies.   

  • Management of Information Systems

To effectively support activities with a third party, it is crucial to review and understand their business processes and information systems. This includes evaluating technology components, identifying gaps in service-level expectations, and ensuring interoperability. Additionally, it is important to assess the third party’s processes for maintaining inventories and measuring the performance of their information systems. 

  • Operational Resilience

Assessing a third party’s operational resilience practices is crucial for a banking organization. It helps evaluate their ability to operate effectively and recover from disruptions. This assessment is particularly important when the third party interacts with customers, as any impact on their operations could have adverse effects. It is essential to consider options in case the third party’s ability to perform is impaired and to ensure they have appropriate operational resilience and cybersecurity practices in place. This includes disaster recovery and business continuity plans with specified time frames for resuming activities and recovering data. To gain further insight, organizations can review operational resilience testing results, telecommunications redundancy plans, and preparations for various threats. Other factors to consider include dependency on a single provider and potential issues with software programming language or data storage technologies used by the third party. 

  • Incident Reporting and Management Processes

Reviewing and considering a third party’s incident reporting and management processes helps determine if there are documented processes, timelines, and accountability for identifying, reporting, investigating, and escalating incidents. This review confirms if the third party’s escalation and notification processes meet the banking organization’s expectations and regulatory requirements. 

  • Physical Security

It is crucial to assess whether third parties have adequate controls in place to safeguard the safety and security of individuals, facilities, technology systems, and data. This includes reviewing their employee on- and off-boarding procedures to ensure proper management of physical access rights.

  • Reliance on Subcontractors

Subcontracting arrangements in banking organizations can pose additional risks. Evaluating the volume, types, and reliance on subcontractors is crucial. Assessing the third party’s risk management capabilities, subcontractor selection and oversight, and effective control implementation is important. Geographic location and dependency on a single provider are also factors to consider. 

  • Insurance Coverage

Evaluating the third party’s existing insurance coverage helps a banking organization assess potential losses and their mitigation. Losses can arise from various causes such as dishonesty, negligence, natural disasters, data loss, and more. Examples of insurance coverage include fidelity bond, liability, property hazard and casualty, cybersecurity, and intellectual property. 

  • Contractual Arrangements with Other Parties

Third-party commitments can have legal, financial, or operational implications for banks. It’s crucial to assess the binding arrangements between the third party and subcontractors for potential risks to the bank and its customers. 

Check out the table below to see the actions banking organizations need to take to align their third-party risk management programs to the new guidance AND the tools that can help.

 
