Blog  |  September 20, 2023

Supervisory Reviews & the New Guidance

In this blog series, we have been discussing the final guidance issued by the OCC, FDIC, and Federal Reserve and how it provides a general framework for how the agencies will conduct supervisory reviews of third-party risk management.  The scope of the supervisory review depends on the degree of risk and the complexity of the third-party relationship and any associated products and services.

When reviewing third-party risk management processes, examiners typically conduct the following activities, among others:

  • Assess the ability of the banking organization’s management to oversee and manage the banking organization’s third-party relationships,
  • Assess the impact of third-party relationships on the banking organization’s risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations,
  • Perform transaction testing or review results of testing to evaluate the activities performed by the third party and assess compliance with applicable laws and regulations,
  • Highlight and discuss any material risks and deficiencies in the banking organization’s risk management process with senior management and the board of directors as appropriate,
  • Review the banking organization’s plans for appropriate and sustainable remediation of any deficiencies, particularly those associated with the oversight of third parties that involve critical activities, and
  • Consider supervisory findings when assigning the components of the applicable rating system and highlight any material risks and deficiencies in the Report of Examination.

When circumstances warrant, an agency may use its legal authority to examine functions or operations that a third party performs on a banking organization’s behalf.  Such examinations may evaluate the third party’s ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services.  When necessary, the agencies may pursue corrective measures, including enforcement actions, to address any violations of laws and regulations or any unsafe or unsound banking practices on the part of the banking organization or any of its third parties.

Having reviewed in detail the expectations for supervisory reviews contained in the recent guidance, we turn now to best practices banking organizations should consider as they prepare for reviews by the three agencies.  These include the following core practices:

  • When designing documentation and reporting frameworks, banking organizations should consider regulatory agencies and the intended audience. Each deliverable should effectively address a component of the interagency third-party risk management objectives.
  • Banking organizations should familiarize their boards with the applicable agency rating system and explain how supervisory findings impact the bank’s risk profile.
  • Banking organizations must collaborate with third-party partners to prepare for supervisory reviews. This often involves educating regulators about the products and services offered in connection with each partnership, as well as any associated risks and rewards to markets and consumers.

It is important that banking organizations keep their third-party partners informed of supervisory reviews and findings, and ensure they are prepared to cooperate in resolving any identified issues. Additionally, they must ensure their third parties maintain appropriate tracking and documentation as evidence of remediation activities that address any supervisory findings.

In our next post, we will examine the expectations for oversight and accountability of the third-party risk management process.
