New bank guidance expands on advice for handling third parties

The proposed guidance, issued Tuesday by the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), is the first comprehensive advice from the regulators on handling third-party relationships since 2013. However, last year, the OCC issued a Q&A on banks’ relationships with third parties.

In crafting the guidance, federal regulators were cognizant it should apply to all sizes of banking institutions and be commiserate with the risks those third-party relationships pose to critical functions of the institution that enters into them.

The use of third parties by banking institutions has proliferated in recent years. Federal regulators acknowledge there are a variety of sound business reasons for the trend. Advantages include “quicker and more efficient access to new technologies, human capital, delivery channels, products, services, and markets.”

Third parties can “offer competitive and innovative financial products and services that otherwise would be difficult, cost-prohibitive, or time-consuming to develop in-house” and can be used to “enhance their operational and compliance infrastructure, including for areas such as fraud detection, anti-money laundering, and customer service.”

Financial institutions are using third parties to perform a variety of services, including “core bank processing, information technology services, accounting, compliance, human resources, and loan servicing,” the guidance said. “A banking organization may also establish third-party relationships to offer products and services to improve customers’ access to and the functionality of banking services, such as mobile payments, credit-scoring systems, and customer point-of-sale payments.”

But using third parties “does not remove the need for sound risk management. On the contrary, the use of third parties may present elevated risks to banking organizations and their customers.”

The guidance outlined all points in the life cycle of a relationship between a banking institution and a third party: developing a plan to identify risks of the activity with a third party, as well as how to assess, select, and oversee it; performing proper due diligence; negotiating written contracts that articulate the rights and responsibilities of all parties; having bank management oversee its risk management process and engage in independent reviews; conducting ongoing monitoring of the third party’s activities and performance; and developing contingency plans for terminating the relationship.

A banking institution’s level of concern about a third-party relationship should be weighed against whether that relationship involves “critical activities” of the banking institution, the guidance said.

These critical activities could “cause a banking organization to face significant risk if the third party fails to meet expectations; could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; or could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.”

The guidance suggests banking institutions may collaborate when they use the same third party, even using third-party assessment services on functions like “performing due diligence, negotiating contracts, and performing ongoing monitoring.” Even so, each individual banking institution is responsible for managing its own third-party-related risks.

Subcontractors, information security

There are two areas where the updated proposal noticeably expands on previous guidance from banking regulators:

• On how to find, assess, and evaluate third-party subcontractors (i.e., fourth, fifth, and nth parties); and
• On how to tighten access to a banking institution’s critical data.

Understanding the risk posed by subcontractors is a tricky business, because some third parties don’t disclose all the subcontractors they use. As part of a banking institution’s due diligence process, regulators recommend evaluating “whether additional risks may arise from the third party’s reliance on subcontractors and, as appropriate, conduct similar due diligence on the third party’s critical subcontractors, such as when additional risk may arise due to concentration-related risk, when the third party outsources significant activities, or when subcontracting poses other material risks.”

It is wise, the guidance suggested, for banking institutions to require third parties list all their subcontractors and provide copies of their contracts with them. “Evaluate the potential legal and financial implications to the banking organization of these contracts between the third party and its subcontractors or other parties,” the guidance said.

“Obtain information regarding legally binding arrangements with subcontractors or other parties to determine whether the third party has indemnified itself, as such arrangements may transfer risks to the banking organization,” the guidance continued.

Typically, a material or significant contract with a third party “prohibits assignment, transfer, or subcontracting by the third party of its obligations to another entity without the banking organization’s consent.”

On information security, a bank’s plan for protecting its critical data is only as good as the plan of its third parties. This area is one of expanding risk, where numerous institutions have experienced data breaches through a third party’s vulnerability.

Third parties should be assessed for whether they have “sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities” and “extent to which the third party uses controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption, and secured source code management.” Lastly, there should be a clear notification plan in a contract with a third party if a breach occurs.

Comments must be received within 60 days of the proposed guidance’s publication in the Federal Register.