The Interagency Guidance on Third-Party Relationships: Risk Management, published jointly by the OCC, FDIC, and Federal Reserve (the guidance), outlines the agencies’ views on sound risk management practices for all stages of the third-party relationship lifecycle. It states that sound third-party risk management takes into account the level of risk, the complexity, the banking organization’s size, and the nature of the relationship with the third party.
During the planning stage of the third-party relationship, the banking organization conducts a comprehensive evaluation of the associated risks and devises strategies to effectively manage them. Relationships that support higher-risk or critical activities within the organization require heightened scrutiny and planning. Factors to consider include, but are not limited to, the following:
- Analyzing the strategic purpose of the business arrangement and its alignment with the banking organization’s overall strategic goals, risk appetite, risk profile, and corporate policies.
- Evaluating the benefits and risks associated with the business arrangement and devising suitable risk management strategies.
- Considering the specific characteristics of the business arrangement, such as the volume of activity, the involvement of subcontractors, the technology required, the degree of customer interaction, and any engagement with foreign-based third parties.
- Assessing the estimated costs, including direct contractual expenses and indirect costs related to adapting the organization’s staffing, systems, processes, and technology.
- Examining the impact of the third-party relationship on banking organization employees, including steps required to manage the transition of activities currently conducted internally to the outsourced party.
- Evaluating the potential impact of the third party on customers, including data access, interactions with customers, potential consumer harm, and handling of customer complaints and inquiries.
- Assessing information security implications, including the third party’s access to the banking organization’s systems and confidential information.
- Considering physical security implications, including the third party’s access to the banking organization’s facilities.
- Establishing criteria for the selection, assessment, and oversight of the third party, including monitoring its compliance with laws, regulations, and contractual provisions, and ensuring timely remediation of any compliance issues.
- Ensuring the banking organization’s capacity to provide adequate ongoing oversight and management of the third-party relationship, potentially adapting staffing levels, risk management, compliance systems, organizational structure, policies, procedures, or internal control systems over time as needed.
- Developing contingency plans in case the banking organization needs to transition the activity to another third party or bring it in-house.