On July 19, 2021, the Office of the Comptroller of the Currency (“OCC”) in conjunction with the Federal Deposit Insurance Corporation (“FDIC”) and the Board of Governors of the Federal Reserve System (the “Federal Reserve”) published proposed guidance (“Interagency Guidance” or “Guidance”) with respect to the management of third-party relationships in the banking sector. OCC, FDIC and the Federal Reserve invited feedback from interested parties with respect to the proposed guidance through September 17, 2021.
If adopted, the proposed Interagency Guidance would apply to “any business arrangement between a banking organization and another entity, by contract or otherwise.” This intentionally expansive definition means that banking organizations would be required to implement a comprehensive third-party risk management (“TPRM”) framework that accounts for the full lifecycle of its relationships with suppliers, vendors, financial technology (fintech) providers, affiliates, and even holding companies. Although long a critical component of the U.S. Department of Justice’s (“DOJ’s”) own guidance on the evaluation of corporate compliance programs more generally, the proposed Interagency Guidance is the first cohesive attempt by U.S. regulators to require more formal TPRM practices from entities operating specifically in the U.S. banking sector.
The Guidance emphasizes that banking organizations should adopt a risk-based approach to TPRM that encompasses five aspects:
- Appropriate planning
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
- Termination of the third-party relationship
In the planning phase of the TPRM lifecycle, banking organizations are required to identify and assess the risks associated with the proposed business arrangement and take “commensurate steps for appropriate risk management.” The planning phase includes due consideration of the business arrangement’s strategic purpose, its complexity, the risk posed by the arrangement to the organization, and the potential benefit to be derived from the relationship. The planning phase further includes an assessment of the proposed arrangement’s impact on the banking organization’s other strategic initiatives, its employees, and its customers.
The Interagency Guidance also stresses the need for situationally appropriate due diligence based on the risk posed by the potential business arrangement. In this context, the new Interagency Guidance echoes the DOJ’s own repeated emphasis on risk-based due diligence. Because not all third-party relationships are equal in significance or risk, the Guidance emphasizes the need for banking organizations to allocate more due diligence resources to proposed business arrangements that pose the highest or most critical risks to the organization as a whole. In conducting such due diligence, the Guidance notes that banking organizations should broadly assess a third party’s ability to perform the activity expected, adhere to the banking organization’s policies, comply with all applicable laws and regulations, and operate in a safe and sound manner.
Contract negotiation constitutes another critical component of the TPRM lifecycle as addressed in the Guidance. Among other things, banking organizations are required to consider a full panoply of contractual provisions, including performance metrics and benchmarks, inspection and audit rights, confidentiality obligations, indemnification, insurance requirements, and default and termination triggers. When the proposed arrangement involves a foreign party, the Guidance specifically notes that careful consideration should be given to choice-of-law provisions and that the banking organization should retain local counsel to carefully scrutinize the enforceability of each contractual provision in conjunction with other ramifications implicated by the third-party engagement (e.g., compliance with applicable privacy laws and jurisdiction-specific regulations addressing the cross-border flow of information).
Ongoing monitoring of the third-party relationship is another essential component of the recently published Guidance. Once the third party is engaged, it is incumbent upon the banking organization to conduct periodic audits and performance reviews in conjunction with the provision of services by the third party. In this vein, the banking organization should require the third party to furnish it with periodic audit and control-testing reports and, if necessary, conduct physical site visits and engage representatives of the third party to confirm the “quality and sustainability” of its controls and its capacity to meet agreed-upon service-level expectations. Notably, the Guidance requires that the banking organization dedicate sufficient staff with the requisite “expertise, authority and accountability” to perform periodic monitoring. Because many banking organizations lack specific TPRM expertise, it is conceivable that impacted organizations may need to supplement their existing independent audit and/or compliance functions with additional personnel to appropriately manage third-party relationships.
Last, but by no means least, is the Guidance’s stipulation that the organization carefully consider the ramifications of terminating a third-party agreement. In so doing, the Guidance specifies that the banking organization carefully consider what capabilities, resources and time are required to transition the activity undertaken by the third party, either laterally to another third party or in-house within the banking organization itself. The banking organization must also consider the risks associated with data retention and/or destruction, information connection and access-control issues, disposition of joint intellectual property rights, and other concerns that require engagement with the third party well after the arrangement has been concluded.
The key takeaway from the proposed Interagency Guidance is that banking organizations, like all other organizations generally, face similar risks and challenges from the engagement of third parties. In an era of increased enforcement activity involving an organization’s intermediaries, agents and service providers, it is critical that banking organizations proactively mitigate the risk associated with such engagements. Because banking organizations are a critical component of the international economic infrastructure, it is all the more important that these risks be managed in a professional, diligent, and consistent manner.