In this blog series, we have been discussing the final guidance issued by the OCC, FDIC, and Federal Reserve and the general framework it provides for how the agencies will conduct supervisory reviews of third-party risk management. The scope of the supervisory review depends on the degree of risk and the complexity of the third-party relationship and any associated products and services.
When reviewing third-party risk management processes, examiners typically conduct the following activities, among others:
- Assess the ability of the banking organization’s management to oversee and manage the banking organization’s third-party relationships,
- Assess the impact of third-party relationships on the banking organization’s risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations,
- Perform transaction testing or review results of testing to evaluate the activities performed by the third party and assess compliance with applicable laws and regulations,
- Highlight and discuss any material risks and deficiencies in the banking organization’s risk management process with senior management and the board of directors as appropriate,
- Review the banking organization’s plans for appropriate and sustainable remediation of any deficiencies, particularly those associated with the oversight of third parties that involve critical activities, and
- Consider supervisory findings when assigning the components of the applicable rating system and highlight any material risks and deficiencies in the Report of Examination.
When circumstances warrant, an agency may use its legal authority to examine functions or operations that a third party performs on a banking organization’s behalf. Such examinations may evaluate the third party’s ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services. When necessary, the agencies may pursue corrective measures, including enforcement actions, to address any violations of laws and regulations or any unsafe or unsound banking practices on the part of the banking organization or any of its third parties.
In our next blog, we’ll review tips and tools to align your third-party risk management program to the new guidance.