By now you’ve probably heard that the federal agencies have finalized the Interagency Guidance on Third-Party Relationships: Risk Management. It replaces existing guidance and aligns vendor management requirements among the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve.
Here’s what this new guidance means for financial institutions:
Vendor Management Lifecycle
The guidance breaks the vendor management lifecycle into five phases.
1. Planning
Planning is a strategic phase. Organizations should consider the business case for outsourcing an activity, identify the risks and controls involved, and determine whether the institution will be able to effectively oversee the relationship.
2. Due diligence and third-party selection
Once the financial institution understands third-party vendor needs and the potential risks, due diligence helps an organization assess if a vendor is capable of delivering products and services as promised and complying with laws, regulations and banking policies while operating safely and soundly. The risk and complexity of the third-party relationship determines the degree of due diligence needed.
3. Contract negotiation
Contract negotiation is an organization’s chance to mitigate risk by adding provisions and other addendums. This is especially important for riskier relationships.
4. Ongoing monitoring
Ongoing monitoring is conducted either periodically or continuously, depending on how high-risk the vendor is. It includes verifying that vendor products, services and controls are performing as expected and escalating issues when they are not.
5. Termination
Define the causes for termination, the costs involved, how data and intellectual property will be handled, and the other terms and conditions for ending a vendor relationship. Have a plan for transitioning to another service provider if needed.
New definition of a critical vendor
Under the new guidance, a critical vendor is one whose failure could create significant risk or greatly impact customers or the institution’s finances or operations.
Access to significant amounts of protected or confidential customer information is considered a significant customer impact.
Digging deeper into due diligence and analyzing third-party risk
Vendor risk assessments need to dig into the details. Residual risk is highlighted prominently, and specific factors are listed (compared to the broader categories of risk in previous guidance). Some of those factors include: strategies and goals, compliance, financials, company background, IT security, business continuity and subcontracting.
Linking third-party risk with overall risk management
Vendor management has always been a subcategory of enterprise risk management (ERM), but the new guidance makes the link explicit, saying that banking institutions should be "integrating third party risk management with the banking organization's overall risk management process." A vendor management program should integrate with the other elements of risk management, including compliance, business continuity, audit, fair lending and IT, among others.
The board should establish the risk appetite for third-party risk management. Management should implement a program that aligns with that risk appetite statement.
Contracts as a third-party risk control
While contracts have always been addressed by guidance, the new guidance presses deeper into vendor contracts, including areas contracts should define. This includes scope of the arrangement, performance measures or benchmarks, compliance, data management and dispute resolution, among others.
This guidance takes effect immediately. Guidance doesn’t have the force of a regulation, but examiners can use it to cite a financial institution for unsafe and unsound banking practices.
Third-party vendor management is evolving. Make sure your vendor management program is integrated with your ERM program and that it addresses all the areas mentioned in the guidance. Now is the time to proactively evaluate your vendor management program to ensure it aligns with new guidance.
Content provided by Ncontracts