QUESTION
I am the Compliance Manager of a bank. We have a mortgage banking platform. I handle our legal and regulatory compliance. Our new Chief Risk Officer wants to review our Third-Party Risk Management policy and procedures. The problem is that we do not have such a policy and procedures.
We have vendor management procedures, which our regulator has accepted. Like me, the CRO is an attorney but he can’t fathom how we could have functioned for so long without this policy, irrespective of the regulator’s evaluation. I respect his view, and he has discussed case law and regulatory requirements with me. But, the fact is, we simply have never created a comprehensive policy just for third-party risk management.
I understand now that a policy for Third-Party Risk Management is an essential requirement that must be drafted and ratified by our Board. The policy must extend to other banks and nonbanks with which we do business. We need some guidance in drafting this policy. The CRO follows your articles, and he asked me to write to you. I have subscribed and encouraged our staff to subscribe.
What are some key features of a policy focused on Third-Party Risk Management?
COMPLIANCE SOLUTION
Third-Party Risk ManagementANSWER
Thank you for subscribing, and I appreciate your Chief Risk Officer reading our articles. We have been publishing these articles for many years, and it is humbling when our subscribers express their gratitude.
Our research of public enforcement actions shows that approximately 25% of them - that’s one in four enforcement actions! - against banks and nonbanks have specifically noted deficiencies in how the target institution managed third-party service provider risks.
If any financial institution does not have a Third-Party Risk Management policy and procedures, it is surely currying legal and regulatory risk. Your CRO is correct!
One other point before I proceed. When a company official tells me that their regulator has never mentioned a particular regulatory violation, though it is a regulatory violation, and thus they intimate that what they’re doing must be ‘acceptable to the regulator,’ the alarms go off. If an institution wants to wait for a regulator to find its policies skimpy, defective, sketchy, inadequate, incomplete, fragmentary, insufficient, and deficient, it will find itself in the midst of a very unpleasant, belated attempt at remediation and possibly even an administrative action.
And remember to implement the procedures and monitor the implementation. A bank examiner will not only review the policy but also determine if the procedures are implemented.
_____________________________________________________________
TPRM Tune-up®
When we conduct
our TPRM Tune-up®, which is a review of a company’s third-party risk
management structure, we work with a set of audit tools that help us evaluate
regulatory compliance, offer recommendations, and provide a risk rating. The
TPRM Tune-up®
is often in demand because third-party risk management is central to safety and
soundness criteria. Contact us here, and we’ll send you the presentation.
_____________________________________________________________
Board and Management Responsibility
Financial institutions are still ultimately responsible for managing their third-party service provider relationships, activities, and associated risks. They must ultimately ensure that all of their operations, in-house or outsourced, are conducted safely and soundly and in compliance with applicable legal and regulatory requirements, including consumer protection and financial crimes laws and regulations, just as if the institution were performing the activities itself.
Regulators look to the company’s Board of Directors as ultimately responsible for providing oversight for third-party risk management and holding management accountable for its role. Management is responsible for developing and implementing third-party risk management policies, procedures, and practices commensurate with the institution’s risk appetite and the level of risk and complexity of its third-party relationships. Internal controls, independent reviews, and documentation are critical components.
Third-Party Risk Management POLICY
There are essential requirements for a Third-Party Risk Management policy (“TPRM Policy”).
The TPRM policy has four principal requirements, which I will outline below. It will be up to you to draft the policy language. Each requirement can have its section and subsections. I will offer some guidance to help with your considerations.
The four TRPM Policy requirements can be elucidated as follows:
1. Risk Management
2. Third-Party Relationship Life Cycle
3. Governance
4. Appendix
TPRM Policy Sections
1. Risk Management
Not all third-party relationships present the same level of risk. Indeed, not all such relationships require the same level of oversight. However, a financial institution should apply rigorous risk management practices throughout the third-party relationship life cycle for third parties that support higher-risk activities, including critical activities.
An institution may adjust and update its third-party risk-management practices commensurate with its size, complexity, and risk profile by periodically analyzing the risks associated with each third-party relationship. It is important to involve knowledgeable and skilled staff in each stage of the risk management life cycle.
Therefore, your company would apply risk management practices in different stages of the third-party relationship life cycle. For instance, an important initial step is identifying third-party relationships that support higher-risk activities, including critical activities.
Generally, to determine if an activity is higher risk, a company would assess various factors, such as if the third party has access to sensitive data (including customer data), processes transactions, or provides essential technology and business services.
2. Third-Party Relationship Life Cycle
Effective third-party risk management generally follows a continuous life cycle for third-party relationships. There are five stages of the TPRM life cycle, all responsive to governance in terms of Oversight and Accountability, Independent Reviews, and Documentation and Reporting.
Here is an outline of the five stages of the TPRM life cycle.
Stage 1: Planning
Careful planning enables a community bank to consider potential risks in the proposed third-party relationship. Managing third-party relationships allows the company to evaluate the extent of risk management resources and practices for effective oversight of the proposed third-party relationship throughout the subsequent stages of the third-party relationship life cycle.
Stage 2: Due Diligence (Selecting the Third Party)
Due diligence is the process by which a company
assesses, prior to entering into a third-party relationship, a particular third
party’s ability to, among other things, perform the activity as expected,
adhere to company policies, comply with all applicable laws and regulations,
and conduct the activity in a safe and sound manner.
The guidelines to develop in the policy is
a clear definition of effective due diligence. We define effective due
diligence as assistance with the selection of capable and reliable third
parties to perform activities for, through, or on behalf of the company. If the
company cannot obtain desired due diligence information from the third party, it
will have to consider alternative information, details, controls, and monitoring;
otherwise, it should consider abandoning the use of the third party.
Conducting due diligence on third parties before selecting and entering into third-party relationships is an important part of sound risk management. It provides management with the information needed about potential third parties to determine if a relationship would help achieve an organization’s strategic and financial goals. The due diligence process also provides the banking organization with the information needed to evaluate whether it can appropriately identify, monitor, and control risks associated with the particular third-party relationship.
Stage
3: Contract Negotiation
Before entering into a contractual relationship with a third party, an institution should consider contract provisions that meet its business objectives, regulatory obligations, and risk management policies and procedures. If a company has limited negotiating power, management needs to understand any resulting limitations and consequent risks. It comes down to risk tolerance, such as whether the contract can still meet the company’s needs, whether the contract would result in increased risk to the company, and whether residual risks are acceptable.
Stage 4: Monitoring
Monitoring cannot be overemphasized when
managing third-party risk. A company’s ongoing monitoring of the third party’s
performance enables management to determine if the third party is performing as
required for the duration of the contract. Our clients use the results of
monitoring to use the derived information to adapt and refine their risk
management practices.
There are three aspects of this stage in
the life cycle, whereby monitoring:
1) Confirms the quality and sustainability of a
third party’s controls and ability to meet contractual obligations;
2) Escalates significant issues or concerns (i.e.,
material or repeat audit findings, deterioration in financial condition,
security breaches, data loss, service interruptions, compliance lapses, or
other indicators of increased risk; and
3) Responds to such significant issues or concerns when and where identified.
Stage 5: Termination
Ending a relationship with a third party occurs for a variety of reasons, such as expiration or breach of the contract, the third party’s failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bringing the activity in-house, or discontinuing the activity. It is important for management to terminate relationships efficiently, whether the activities are transitioned to another third party, brought in-house, or discontinued.
3. Governance
As I noted above, the life cycle is governed by tripartite activities: Oversight and Accountability, Independent Reviews, and Documentation and Reporting. Here are some tips for each activity.
(A) Oversight and Accountability
The Board of Directors has ultimate
responsibility for providing oversight for third-party risk management and
holding management accountable. The management is responsible for developing
and implementing third-party risk management policies, procedures, and
practices commensurate with the company’s risk appetite and the level of risk
and complexity of its third-party relationships.
(B) Independent Review
The company must conduct periodic
independent reviews to assess the adequacy of its third-party risk management
processes. An institution may use the results of independent reviews to
determine whether and how to adjust its third-party risk management process,
including its policies, reporting, resources, expertise, and controls.
(C) Documentation and Reporting
Documentation and reporting, key elements that assist those within or outside the company who conduct control activities, will vary among financial institutions depending on the risk and complexity of their third-party relationships.
4. Appendix
Consider including an appendix that lists resources. The resources do not have to be comprehensive. Keep adding to the Appendix as you come across resources that help to manage third-party risk management. Of course, there are Acts, regulations, and rules. However, other sources of information may be available, particularly on specific topics.
The use of third parties, especially those using new technologies, may present elevated risks to a financial institution and its customers, including operational, compliance, and strategic risks. Importantly, the use of third parties does not diminish or remove the institution's responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.
Request Information: TPRM Tune-up®.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
