No Relief for Small Banks in Regulators’ Third-Party Risk Management Guidance

Although the spring banking crisis loomed large at Bank Director’s Bank Audit & Risk Conference, panelists flagged another emerging area of focus for regulators: third-party risk management.

On June 6, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve finalized their interagency third-party risk management guidance, which was first proposed in 2021. The recent publication outlines regulators’ expectations for how banks approach vendors and partnerships, especially with financial technology companies. On June 13, less than a week after its release, panelists at the Chicago event warned more than 200 bankers in attendance, many of whom represent community banks, that the wide-ranging guidance is broad and makes no exemption for bank asset size. The new document replaces and updates the guidance different federal regulators have issued over the years and creates one set of expectations.

“The environment is going to get tougher [for banks], but the biggest thing is stricter enforcement of existing regulation,” said Brandon Koeser, financial services senior analyst at RSM US. He listed “capital, liquidity, credit and partnerships” as the four areas of examiner focus.

The 2023 guidance came out in response to banks’ increasing use of third parties for quicker and more efficient access to new technologies, human capital, products, services and markets, for example. But using third parties comes with risk.

Regulators are concerned that using third parties can increase complexity, complicate oversight of bank activities, introduce new risks or increase existing risks in areas like operations, compliance and strategy. “This guidance they put out applies to all third-party relationships, regardless if they’re formal and under contract or if they’re informal relationships. It applies to your vendors, your consultants, your payment processing services partners and fintech partners,” said Erik Walsh, counsel at Arnold & Porter. He added that it makes no carve outs for asset size or complexity.

Walsh says that banks need to identify all their relationships and begin putting into place “properly tailored risk management” that covers the lifecycle of the relationship – from internal planning before searching for a partner to relationship termination. He warned that this can be a “long and complicated” process that raises questions for smaller banks, and that some in the audience could be wondering, “How am I supposed to comply with this guidance?”

Walsh added that the third-party guidance does not have the force of a regulation or a statute but added “no one should let their guard down” and that regulators are “setting supervisory expectations.” He told the audience that third-party relationship oversight and governance starts with the board creating a risk appetite that’s communicated to the management team. Directors also need to set expectations around risk assessments of third parties, including the rigor and methodology of the assessment.

Even though there’s no safe harbor or carve out for small banks, Arnold & Porter Partner Robert Azarow pointed out that regulators recognize that community institutions face challenges and limitations as they manage these relationships. For instance, they may have a harder time conducting thorough due diligence or contractual negotiations with fintechs. The guidance adds that third parties “may not have a long operational history, may not allow on-site visits, or may not share (or be permitted to share) information,” which can complicate a bank’s due diligence or oversight. Still, Azarow said risk assessments and ratings can help banks understand the potential consequences that arise from these relationships, like a vendor not delivering the promised good or service or a data breach that impacts the organization.

Walsh added that the guidance, although new, has already received criticism from inside and out of the agencies. “[W]hile detailed, I understand that this thirdu2013party risk management guidance nonetheless remains principles-based and risk-based. … That said, given the importance of the issue and the length of the guidance, I would support developing a separate resource guide for community banks as soon as practicable,” said Jonathan McKernan, an FDIC director, in a statement.

Federal Reserve Governor Michelle Bowman dissented, in part because of what she sees as gaps in the guidance that will lead to implementation challenges at banks.

“My expectation is that community banks will find the new guidance challenging to implement,” she said in her June 6 dissent. “In fact, our own Federal Reserve regional bank supervisors have indicated that we should provide additional resources for community banks upon implementation to provide appropriate expectations and ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes.”