Third-Party Risk Management: Leveraging OCC and FDIC Guidelines for Financial Companies

Organizations today are not islands operating in isolation. Rather, there are high levels of collaboration and dependence across industries and even regions. For example, Apple works with companies in 43 countries across six continents to make its iPhone. Such dependencies also come with risks that can impact an organization’s operation, security, finances, and more.

To reduce these uncertainties, organizations must evaluate the state of third-party companies and their operations and assess the potential ways they can impact them. For example, some pertinent questions include how an organization can protect itself when a partner’s company faces a cyberattack or what will be the impact of a partner’s policy changes. Understanding this impact and preparing for them is essential for business continuity.

Read on as we discuss third-party risks and how you can manage them. We will also assess how the OCC and FDIC guidelines can protect you from these risks.

What is Third-Party Risk?

Third-party risk is the possibility for your organization to experience a negative event, like a data breach or financial loss, due to the actions of a third party engaged in providing services or raw materials for your organization. The more you rely on third-party companies, the greater your risk. But in today’s globalized world, outsourcing to the experts is the most efficient and cost-effective way to conduct business.

Many risks are possible when you work with third parties, but most can be classified across the following categories:

1. Cybersecurity: When cyberattackers infiltrate a vendor’s system, they can use it to launch an attack on your network.
2. Compliance: Certain actions of third-party organizations can expose data, making you non-compliant.
3. Financial: Substandard work and defective components can cause financial and reputational loss.
4. Strategic: Delivery delays and strategies of third-party companies that don’t align with your goals can negatively impact your strategy and operations.

Despite these risks, third-party organizations are essential for smooth and cost-effective operations. To strike a balance between gaining economies of scale and avoiding risks, organizations turn to Third-Party Risk Management (TPRM) strategies.

What is Third-Party Risk Management?

Also known as vendor risk management, supplier risk management, and supply chain risk management, third-party risk management is a set of strategies to safeguard your operations from risks arising from partners and vendors. You must stay on top of the cybersecurity measures, strategic changes, logistical challenges, and other operations of third-party organizations. Accordingly, you can formulate strategies to protect your organization from these potential threats and risks.

TPRM is critical for your overall risk management because any changes in third-party organizations can impact your operations. But with the right strategies to identify, assess, and mitigate risks, you can create a secure and stable operating environment, resulting in improved productivity and profits.

However, TPRM is complex as it involves many factors beyond your control. In particular, these risks are more profound for financial institutions because they can lead to huge financial and reputational losses. This is where it helps to have government guidelines like OCC and FDIC that offer complete guidance in handling third-party risks.

OCC and FDIC: Third-Party Risk Management

The Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) guide banks and financial institutions to implement TPRM strategies. The latest guidelines were published in June 2023 and rescind all guidelines published earlier.

This guideline provides a risk framework for banks and financial institutions to adjust their operations based on the risks across all stages of the third-party lifecycle. For this guideline, a third-party relationship includes outsourced services, referral agencies, merchant processing, affiliates and subsidiaries, and joint ventures. A successful risk management strategy must encompass all these relationships across security, operations, and finances.

While there are no stringent regulations that banks must follow, the guidelines and the framework can help them mitigate risks and improve their compliance. Let’s now dive deep into the provisions of these latest guidelines.

1. Tailored Approach

A highlight of the OCC and FDIC guidelines is the broad scope it takes towards risk management. These guidelines acknowledge that not all banks will have the same resources for risk evaluation and monitoring. This is why it offers flexibility for financial institutions to adopt strategies that are according to their size and resources while at the same time, taking reasonable steps to evaluate third-party risks.

Moreover, these guidelines acknowledge that not all third-party risks are identical and will not need identical risk management or oversight. However, it is each bank’s responsibility to calibrate its risk management processes and strategies based on the likely risks from third-party relationships.

The guidelines state that banks must maintain an inventory of all risk management measures against each third-party relationship and periodically conduct risk assessments of the relationship. Based on the results, banks must alter their existing processes

Critical Activities

The guidelines ask banks to focus on critical activities to mitigate the impact of risks coming from them. For this purpose, critical activities are those that:

• Cause a significant loss if a third party fails to meet expectations.
• Impact end customers greatly.
• Lead to extensive loss in financial condition or operations.

Banks can have additional security measures for these critical activities.

2. Focus on the Complete Lifecycle

What makes these guidelines highly effective is their focus on the complete lifecycle of third-party relationships, including stages like planning, selection, contract negotiation, onboarding, monitoring, and termination. Though the nature and intensity of risk can vary across organizations, focusing on the entire lifecycle can protect you from most of them.

Here are the key aspects of the OCC and FDIC guidelines that apply to a third-party relationship’s complete lifecycle.

Planning

OCC encourages banks to evaluate risks and have a broad plan before entering into third-party relationships. Critical activities require more planning.

The following factors must be considered for planning:

• Understand the strategic purpose of the relationship.
• Identify and assess the risks and benefits.
• Consider the volume of activity, technology needed, interaction levels, location, and more.
• Evaluate the direct and indirect costs involved.
• Understand the impact on your operations, employees, customers, and other stakeholders.
• Closely evaluate the physical and virtual security implications.
• Determine the impact on compliance.
• Create a plan for ongoing monitoring and maintenance.
• Lay down contingency plans.

Due Diligence and Collaborative Arrangements

Due diligence is the set of practices followed to evaluate a third-party organization and its fit for your needs and compliance requirements. To conduct this due diligence, organizations must gather information about third-party organizations including their internal controls, business practices, security processes, compliance levels, and more.

You can gather this information through many sources like reviews, track records of similar engagements, publicly-available disclosures, internal documents, or any other information from a reliable and legitimate source. OCC also acknowledges that it may not be possible to gain access to all the information because of privacy considerations. Hence, financial institutions must make all reasonable efforts to gather as much information as possible, evaluate an organization based on the data, and evaluate the likely risks.

That said, the guideline clearly states that the bank is responsible for identifying and evaluating the risks involved in a third-party relationship and customizing its risk management practices to mitigate the identified risks. This risk strategy must also match the bank’s size and operational complexity.

Consider the following factors for implementing due diligence:

• Third party’s strategies and goals to understand proposed arrangements like mergers and acquisitions.
• Legal and regulatory compliance associated with engaging a third party.
• Collect and review the financial information, including audited statements, annual reports, and filings.
• Evaluation of the third party’s prior experience, customer complaints, and depth of resources.
• Qualifications of key personnel and other human resource policies.
• The prevailing risk management strategies of the third party.
• Information security processes to ensure the stability and reliability of its systems.
• Operational resilience practices that can help the organization recover from internal and external disruptions.
• Incident reporting and management processes.
• Insurance coverage.
• Subcontractors and their relationship with the third-party organization.

Contract Negotiation

Based on discussions, the OCC acknowledges that banking institutions, especially the smaller banks, will have limited negotiating power in certain instances. This is why banks must have collaborative negotiations and contracts that span across the entire life-cycle of the relationship after considering the potential risks involved. As a part of the contract, set out clear roles and responsibilities, and the resulting penalties when either party violates the agreed terms. Also, add the performance measures or benchmarks for continuously evaluating the quality of services or products offered by third parties.

Other aspects to consider are legal audits and their fees, ownership and license, access levels, remediation of audit gaps, and confidentiality and integrity agreements.

Moreover, there must be a periodic review of contracts, and if new risks are identified, you must renegotiate the contract.

Ongoing Monitoring

The OCC guidance recommends banks move away from periodic assessments and instead, implement continuous and real-time monitoring to gain proactive insights into emerging risks. While the agency does not specify any specific type of monitoring, it states that the monitoring practices must align with the identified risks. Also, it states that banks can consider taking help from external third parties to supplement their ongoing monitoring requirements. This monitoring must continue throughout the lifecycle of the third-party relationship.

Termination

Termination completes the lifecycle of the relationship, and OCC guides banks to ensure that this process is also efficient and risk-free. A bank can terminate a third party for various reasons like failure to comply with regulations, a change in strategy, and the decision to look for another service provider.

Regardless of the reason, banks can follow the below guidelines for a smooth termination process:

• Transition in-house or to another company to perform this activity.
• Arrange for the required infrastructure and resources for the transition while meeting the legal and regulatory obligations.
• Costs and fees associated with the termination.
• Managing the risks associated with data retention and IP rights.

Thus, these are the steps involved in managing the lifecycle of third-party relationships and the steps that financial institutions can take to mitigate risks at every stage.

3. Specific Types of Third-Party Relationships

Some types of third-party relationships are riskier than others. Also, the existing TPRM processes may be applied differently, based on the relationship with a specific third party. For example, the risk processes can vary for affiliates and non-affiliates. Similarly, geographical differences can also impact the third-party risk processes. Specifically, the relationship between a traditional bank and a fintech company can be different as well.

Given these variations, the OCC guidelines state that the risk processes should be based on the type of third-party relationship. These processes must be flexible and customizable to meet the specific needs of emerging relationships.

4. Subcontractors

Relationships with subcontractors are always tricky because they involve the sharing of confidential and sensitive information. Hence, banks have the flexibility to manage the risks associated with subcontractors. Also, the processes depend largely on the risk level posed by subcontractors, their nature of work, and their access levels to critical systems and data. Banks must formulate processes according to these factors but must ensure that it is comprehensive enough to mitigate the associated risks.

5. Governance

This guideline focuses on the role of a financial institution’s board of directors and management of third-party risk management. It clarifies the role and authority to formulate TPRM policies, as ultimately the Board is responsible for mitigating risks and ensuring that the bank operates in a safe environment while complying with the applicable provisions.

To mitigate risks and meet the OCC and FDIC guidelines, the Board of Directors can take the following actions:

• Check if the third-party relationships are consistent with the organization’s strategic goals.
• Ensure periodic reporting of the relationships to understand the effectiveness of existing monitoring strategies.
• Identify and remedy significant deterioration in performance.
• Integrate the third party’s risk management processes with the bank’s TPRM.
• Direct the planning and implementation of continuous monitoring.
• Review, approve, and execute contracts.
• Implement and maintain a system of internal controls to manage risks.
• Terminate business arrangements with third parties if there are any violations.
• Ensure appropriate documentation and reporting for both internal and external audits and compliance.

Finally, OCC requests banks to view this guidance along with other relevant guidelines and frameworks like the Computer Security Incident Rule, Third-party Due Diligence Guide for Community Banks, and Model Risk Management. Also, ensure that your processes and workflows align with your organization’s goals, size, and operations.

Overall, the OCC and FDIC guidelines are comprehensive and cover every aspect of TPRM. However, implementing them may require using specialized software that can automate many routine processes, so you can focus on the important aspects and ensure optimal resource utilization.

Next, let’s look at some popular software platforms that help with meeting the OCC and FDIC guidelines.

Best Software for Meeting OCC and FDIC Guidelines

Below are the best software for managing third-party risks based on the OCC and FDIC guidelines:

1. LSEG Risk Intelligence: Its due diligence reports offer complete insights into the potential risks associated with third parties. Using this information, you can better engage with your vendors and partners.
2. ProcessUnity: It automates third-party onboarding and due diligence and empowers organizations to monitor their third-party organizations continuously. Its configurable reporting makes TPRM governance more effective and efficient.
3. Quantivate: This tool provides the insights you need to better evaluate your vendors and partners to get favorable contract terms and mitigate the associated third-party risks.
4. Predict360: This solution offers advanced features to help financial institutions track, manage, and report third-party risks. With a centralized data repository, automated workflows, and advanced business intelligence, Predict360 helps tackle TPRM challenges.
5. UpGuard: It comes with many features like compliance gap detection, vendor risk assessment, remediation, security questionnaire automation, and more. With these features, you can mitigate risks while optimizing your resources.

These tools are comprehensive and automate many of the routine administrative tasks involved in TPRM. You can leverage them to stay on top of third-party risks while meeting regulatory compliance.

Final Thoughts

Organizations do not operate alone, rather they collaborate and partner with many organizations to source raw materials and components, staffing, marketing, security management, legal compliance, and more. Such interconnectedness augurs well from the economics of scale, but at the same time, it can also create more risks for everyone involved. Even if one organization is hacked, it can impact the others in the supply chain, and this is why Third-Party Risk Management (TPRM) is important.

While there are many frameworks, the guidelines issued by the OCC and FDIC are comprehensive and help financial organizations gain from collaboration without getting impacted by the associated risks. In this article, we looked at the key provisions in this guideline and how you can best leverage them to provide a stable and secure environment for your organization to thrive. We also explored some software platforms that can automate many routine processes.

With this information, you are all set to evaluate the risks associated with different partners and vendors and confidently negotiate contracts that give you an advantage. More importantly, you can use this guideline to identify, manage, and mitigate risks throughout the lifecycle of your third-party relationship without incurring heavy fines for non-compliance with mandatory regulations.