Vendor and Third Party Management: What Boards of Directors and C-Suite Executives Need to Know
Regulatory stakes are rising faster than many financial institutions can respond. Just as FACTA, Anti-Money Laundering rules and other “Know Your Customer” guidance require institutions to know their customers, regulators now expect institutions to know their third parties. Since October 2013, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC) have issued new guidance on the management of third party risk. Virtually every regulatory exam now assesses the scope, consistency and execution rigor of the processes an institution uses to proactively identify, assess, manage and control third party risk. The responsibilities of the board of directors and executive management have expanded accordingly.
The consequences for failure are severe. Many large and mid-sized financial institutions have received multiple Matters Requiring Attention (MRAs), and some institutions have received Matters Requiring Immediate Attention (MRIAs) or Consent Orders. Regulatory attention is already starting to intensify for smaller institutions.
The CFPB and the Department of Justice (DOJ) have levied multi-million dollar fines for violations.
Control deficiencies and service failures by third parties can seriously impact customers, exposing institutions to reputation risk, financial loss and litigation.
Third party risk management has recently become a component of regulatory safety and soundness assessments and is treated as an indicator of management capability. Regulators have warned that “serious deficiencies may result in management being deemed less than satisfactory”1, which in turn affects the institution’s CAMELS rating.
A degree of collaboration is starting to occur across the financial services sector, and some best practices in third party management are emerging. Even so, there is wide disparity in scope, processes and practices. Regulators are not satisfied with the current state, although some acknowledge that third party risk management is a new focus with a steep learning curve.
Context for Action
Financial institutions rely extensively on third parties in almost every aspect of their operations. With significant barriers to entry and highly specialized expertise, multiple institutions collectively rely on a core group of third parties to deliver critical services domestically and internationally, creating institution-specific and systemic concentration risk.
A third party relationship “is any business arrangement between a bank and another entity, by contract or otherwise”2, and third parties are “all entities that have entered into a contractual relationship with a financial institution to provide business functions and activities”3. This encompasses traditional goods and services vendors as well as non-vendor relationships such as debt buyers, agents, joint ventures, resellers and correspondent banking relationships.
Financial institutions also buy and sell services to and from each other and rely on shared utilities for many services. With the 2008 crisis still clearly visible in the rear-view mirror, it is easy to understand why regulators are focused on preventing both institution-specific and system-wide crises, and why they seek early warning of potential failures.
What You Should Know
A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the outsourced activity is performed in a safe and sound manner and in compliance with applicable laws.4 In SR 13-19 “Guidance on Managing Outsourcing Risk”, the FRB describes what are generally understood to be the responsibilities of the board of directors and senior management for effective governance and management of third party risk.
What is new can be found in OCC Bulletin 2013-29 “Third-Party Relationships: Risk Management Guidance”. Under OCC Bulletin 2013-29, strategies, activities and contracts (collectively referred to as “relationships”) that involve critical third parties require board approval, including board review of a summary of due diligence results and of management’s recommendations.5 This is a significant departure from the historical role of the board of directors, particularly in larger banks.
Beyond the board requirements, both the FRB and the OCC expect significantly greater involvement by senior management in the assessment of, and decisions about, third party relationships; in the activities of the first, second and third lines of defense; and in the level of detail of risk oversight activities.
Critical Success Factors
Regulators expect institutions to have an evidence-based, risk-centric, risk-adjusted program that actively manages a wide range of third party risks. This is not a “check the box” compliance exercise.
“Risk-centric” means investing in the tools, processes, practices, skills and technology that enable proactive identification, assessment, management and control of risk. “Risk-adjusted” means that risk controls and work effort are commensurate with the criticality of the relationship and the identified level of risk.
Every relationship should be assessed and assigned a tiered (sometimes referred to as “ranked”) inherent risk rating. Management effort should be concentrated on critical relationships, those that are material and/or high risk. These must be closely managed and periodically reassessed.
Regulatory guidelines highlight six to eight primary risk factors; once sub-risks are included, many institutions assess twenty or more. Primary risks include information security, information technology, reliance on subcontractors, physical security, resilience, human resource management, incident reporting and insurance coverage. Sub-risks include business continuity management, model, fraud, country, anti-bribery, privacy, financial reporting, anti-money laundering, credit, scalability, transaction volume, business background, and risks specific to the outsourced function.6
Three Lines of Defense
The first line of defense is the line of business. Accountable executives and their teams develop business strategies, establish and manage third party relationships, and execute the controls developed by the second line of defense. They are expected to proactively manage the risk and performance of all their third parties throughout the relationship lifecycle.
The second line of defense consists of Operational Risk, a Third Party Management organization, Procurement, Legal and specialized risk experts. Each function is accountable for creating risk-adjusted standards and procedures, and for executing its own management responsibilities to identify, assess and control third party risk.
Internal Audit is the third line of defense. Audit is responsible for performing periodic independent reviews of third party management processes and of critical relationships. Its results must be reported to senior management and the board of directors.
2 OCC Bulletin 2013-29, page 1: “Summary”
3 FRB SR 13-19 / CA 13-21, page 1: “Purpose”
4 FRB SR 13-19 / CA 13-21, page 2: “Board of Directors and Senior Management Responsibilities”
5 OCC Bulletin 2013-29, page 13: “Board of Directors”
6 OCC Bulletin 2013-29, page 6: “Risk Management”; FRB SR 13-19, page 43: “Due Diligence and Selection of Service Providers”; FFIEC Outsourcing Technology Services, page 5: “Risk Management”
About the author: Linda Tuck Chapman, CPO Emeritus & President, Ontala Performance Solutions Ltd., is a subject matter expert in third party management, outsourcing governance and sourcing optimization. You can contact her at firstname.lastname@example.org or 416.452.4635.