Planning & the New Guidance

The Interagency Guidance on Third-Party Relationships: Risk Management published by the OCC, FDIC, and Federal Reserve (the guidance) outlines the agencies’ views on sound risk management practices for all stages of the third-party relationship lifecycle.  It states that sound third-party risk management considers the level of risk, complexity, banking organization size, and nature of the relationship with a third-party.   

During the planning stage of the third-party relationship, the banking organization conducts a comprehensive evaluation of the associated risks and devises strategies to effectively manage them. Relationships that support higher-risk or critical activities within the organization require heightened scrutiny and planning.  Factors to consider include, but are not limited to, the following: 

• Analyzing the strategic purpose of the business arrangement and its alignment with the banking organization’s overall strategic goals, risk appetite, risk profile, and corporate policies. 
• Evaluating the benefits and risks associated with the business arrangement and devising suitable risk management strategies. 
• Considering various aspects of the business arrangement, such as the volume of activity, involvement of subcontractors, required technology, customer interaction, and engagement with foreign based third parties. 
• Assessing the estimated costs, including direct contractual expenses and indirect costs related to adapting the organization’s staffing, systems, processes, and technology. 
• Examining the impact of the third-party relationship on banking organization employees, including steps required to manage the transition of activities currently conducted internally to the outsourced party. 
• Evaluating the potential impact of the third party on customers, including data access, interactions with customers, potential consumer harm, and handling of customer complaints and inquiries. 
• Assessing information security implications, including access to the banking organization’s systems and confidential information. 
• Considering physical security implications, including access to the banking organization’s facilities. 
• Establishing criteria for the selection, assessment, and oversight of the third party, including monitoring their compliance with laws, regulations, and contractual provisions, and ensuring timely remediation of compliance issues. 
• Ensuring the banking organization’s capacity to provide adequate ongoing oversight and management of the third-party relationship, potentially adapting staffing levels, risk management, compliance systems, organizational structure, policies, procedures, or internal control systems over time as needed. 
• Developing contingency plans in case the banking organization needs to transition the activity to another third party or bring it in-house. 

Check out the table below to see the actions banking organizations need to take to align their third-party risk management programs to the new guidance AND the tools that can help.

Access the full Market Insights series here to learn more. Ready for a more empowering experience? Get in touch with an expert here to get started.