Did Somebody Say Fourth-Party Risk?
Regulators expect banks to sharpen vendor due diligence, including knowing who their third parties are doing business with.
As technology has evolved, banks have become increasingly reliant on third parties for products and services that allow them to keep pace with innovation in a highly competitive market. Properly managed, these relationships can provide the product diversification and edge that banks need, but they can also introduce new risks.
Financial institution examiners already routinely scrutinize banks’ third-party arrangements. For years, they have reminded banks they can rely on third parties for a lot of business functions, but can never outsource accountability and risk. Now the three federal safety and soundness regulators have unveiled new interagency guidance that provides direction to banks about additional ways to keep third-party risk in check.
The guidance, published in June by the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp. and the Federal Reserve Board, was two years in the making. That was plenty of time for the new expectations to be aired, debated, and even start to sink in. But even if banks have been expecting the changes for some time, they must be on their toes and make sure they understand what’s new and what is now expected of them.
Successful third-party relationships begin with banks understanding their risks and implementing appropriate strategies to manage them. The guidance identifies best practices in broad areas that include planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
One of the most noteworthy changes from prior regulatory guidance is an intensified focus on due diligence—the process of investigating and addressing where banks may be exposed to risks. The regulators are asking for more comprehensive due diligence in instances where a third party supports higher-risk activities, including critical activities.
Regulators are also focused on understanding risks that may arise from third parties’ own third parties, that is, subcontractors. Previously, it was enough for banks to audit third-party relationships to understand their cash flow, liabilities, ownership structure, and other key information necessary to construct a picture of the company’s health. Now, banks must consider digging deeper into vendor relationships to encompass so-called fourth-party risk.
Guidance, of course, is not the same as regulation. The FDIC, in its summary of the guidance, says it is intended to be “a useful resource to assist banking organizations implementing third-party risk management practices by providing examples of considerations in the planning, due diligence, contract negotiation, ongoing monitoring, and termination stages of managing third-party relationships.”
And there are also signs that what banks are expected to do is still somewhat unsettled. Acting Comptroller of the Currency Michael Hsu has noted publicly that additional resources will be needed to help smaller community banks to manage third-party risks. Federal Reserve Board Member Michele Bowman opposed the guidance, lamenting that the additional resources won’t be available for some time, which “leaves one to wonder why the rush to publish without appropriate tools available for small banks.”
New guidance, like new regulation, is often met with a collective groan from the industry, because it’s one more thing to master and one more hurdle to overcome. That’s where working with vendors like KlariVis is especially valuable. We’ve not only read and understood the guidance—we’ve anticipated it, and therefore we have wasted no time in helping our clients accomplish what it requires. It’s also important to remember that due diligence isn’t just a regulatory exercise that you have to go through. It is first and foremost the investigative work you do to protect your bank based on your individual institution’s risk appetite. It’s worth doing thoroughly and well, and the regulators have just provided a new roadmap for doing just that.