No Relief for Small Banks in Regulators’ Third-Party Risk Management Guidance

Although the spring banking crisis loomed large at Bank Director’s Bank Audit & Risk Conference, panelists flagged another emerging area of focus for regulators: third-party risk management. 

On June 6, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve finalized their interagency third-party risk management guidance, which was first proposed in 2021. The recent publication outlines regulators’ expectations for how banks approach vendors and partnerships, especially with financial technology companies. On June 13, less than a week after its release, panelists at the Chicago event warned more than 200 bankers in attendance, many of whom represent community banks, that the wide-ranging guidance is broad and makes no exemption for bank asset size. The new document replaces and updates the guidance different federal regulators have issued over the years and creates one set of expectations.

“The environment is going to get tougher [for banks], but the biggest thing is stricter enforcement of existing regulation,” said Brandon Koeser, financial services senior analyst at RSM US. He listed “capital, liquidity, credit and partnerships” as the four areas of examiner focus. 

The 2023 guidance came out in response to banks’ increasing use of third parties for quicker and more efficient access to new technologies, human capital, products, services and markets, for example. But using third parties comes with risk.   

Regulators are concerned that using third parties can increase complexity, complicate oversight of bank activities, introduce new risks or increase existing risks in areas like operations, compliance and strategy. “This guidance they put out applies to all third-party relationships, regardless if they’re formal and under contract or if they’re informal relationships. It applies to your vendors, your consultants, your payment processing services partners and fintech partners,” said Erik Walsh, counsel at Arnold & Porter. He added that it makes no carve-outs for asset size or complexity.

Walsh says that banks need to identify all their relationships and begin putting into place “properly tailored risk management” that covers the lifecycle of the relationship — from internal planning before searching for a partner to relationship termination. He warned that this can be a “long and complicated” process that raises questions for smaller banks, and that some in the audience could be wondering, “How am I supposed to comply with this guidance?”

Walsh added that the third-party guidance does not have the force of a regulation or a statute but added “no one should let their guard down” and that regulators are “setting supervisory expectations.” He told the audience that third-party relationship oversight and governance starts with the board creating a risk appetite that’s communicated to the management team. Directors also need to set expectations around risk assessments of third parties, including the rigor and methodology of the assessment.  

Even though there’s no safe harbor or carve out for small banks, Arnold & Porter Partner Robert Azarow pointed out that regulators recognize that community institutions face challenges and limitations as they manage these relationships. For instance, they may have a harder time conducting thorough due diligence or contractual negotiations with fintechs. The guidance adds that third parties “may not have a long operational history, may not allow on-site visits, or may not share (or be permitted to share) information,” which can complicate a bank’s due diligence or oversight. Still, Azarow said risk assessments and ratings can help banks understand the potential consequences that arise from these relationships, like a vendor not delivering the promised good or service or a data breach that impacts the organization.

Walsh added that the guidance, although new, has already received criticism from inside and out of the agencies. “[W]hile detailed, I understand that this third–party risk management guidance nonetheless remains principles-based and risk-based. … That said, given the importance of the issue and the length of the guidance, I would support developing a separate resource guide for community banks as soon as practicable,” said Jonathan McKernan, an FDIC director, in a statement.

Federal Reserve Governor Michelle Bowman dissented, in part because of what she sees as gaps in the guidance that will lead to implementation challenges at banks.

“My expectation is that community banks will find the new guidance challenging to implement,” she said in her June 6 dissent. “In fact, our own Federal Reserve regional bank supervisors have indicated that we should provide additional resources for community banks upon implementation to provide appropriate expectations and ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes.”

Insights Report: The Secret to Success in Banking as a Service

Banking as a service can bring in more revenue, deposits and customers for community banks. But it can also increase compliance burdens and potential risk.

Banking as a service, or BaaS, is an indirect banking relationship where a financial institution provides the back-end servicing for a company that intermediates with retail customers. Today, most of these relationships occur online — the third party brings in customer deposits, payments transactions and loans in exchange for fees associated with the arrangement. In turn, the bank houses the relationship, facilitates the transactions, and takes the lead on compliance and oversight.

“Banks are outsourcing significant compliance duties to the third party, and they’re taking on risks that are new and different from their direct business because they are providing their banking services indirectly,” says James Stevens, a partner and co-leader of Troutman Pepper’s financial services industry group.

Banking as a service isn’t new, although technology has made it easier for institutions to build out this business line. Sioux Falls, South Dakota-based Pathward N.A., a subsidiary of $6.7 billion Pathward Financial, has been in this space for about two decades. The bank sees its legal and regulatory compliance management system as a “core strength” fueling its innovation with partners, says Lauren Brecht, senior vice president and managing counsel of credit and tax solutions at the bank.

That’s because institutions interested in offering a BaaS business line must walk a fine line of responsible innovation and robust third-party risk management. Executives should understand that they can’t outsource their oversight responsibilities. That’s why it’s so important that banks create robust, “top-down” third-party vendor risk management policies and procedures that specifically address BaaS concerns, Stevens says. He also recommends that banks invest in personnel and systems that can handle the oversight and compliance functions “way in advance” of any partnerships.

“Banks are always going to be the ones left holding the bag, from a regulatory and compliance standpoint,” Stevens says. “It’s incumbent upon them to not only do due diligence and establish a good contractual relationship with their partner, but to also have the capability to manage and oversee it over time to manage those risks.”


The Banking as a Service Insights report was originally published in the second quarter 2023 issue of Bank Director magazine.

Managing Risk in Fintech Partnerships

Fintech partnerships appeal to banks for a range of reasons, including the ability to adopt a new technology customers want without a dramatic internal overhaul or the opportunity to add new sources of fee income. But bank leaders also need to understand the risks inherent to fintech partnerships. Jame Sloan, chief risk officer at BrightFi, shares some best practices bankers can adopt to better understand and manage third-party risks.

  • Defining Strategic Objectives
  • Third-Party Risk Management
  • Building Ties With Leadership

The Most Important Aspect of Third-Party Risk Management

Third-party risk management, or TPRM, is a perpetual hot topic in banking and financial services.

Banks are outsourcing and using third parties for a range of products, services and activities as the financial services landscape becomes more digital and distributed. A common refrain among regulators is that “you can outsource the activity, but you can’t outsource the responsibility.” Banks can engage third parties to do what they can’t or don’t want to do, but are still on the hook as if they were providing the product or service directly. This continues to be a common area of focus for examiners and has been identified as an area for potential enforcement actions in the future.

Given the continuing intense focus on third party activities and oversight, one word comes to mind as the most critical component of TPRM compliance: structure. Structure is critical in the development of a TPRM program, including each of its component parts.

Why is it so critical? Structure promotes consistency. Consistency supports compliance. Compliance mitigates risk and liability.

Banks with a consistent approach to TPRM conduct risk assessments more easily, plan for third party engagements, complete comprehensive due diligence, adequately document the relationship in a written agreement and monitor the relationship on an ongoing basis. Consistency, through structure, ultimately promotes compliance.

Structure will become increasingly important in TPRM compliance, given that the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued proposed interagency guidance on TPRM last summer. While the guidance has not been finalized as of this publication, the concepts and substantive components have been in play for some time; indeed, they are based largely on the OCC’s 2013 guidance and FAQs on the topic.

Generally, the proposed guidance contemplates a “framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.” Like other areas of risk management, this framework should be tailored based on the risks involved and the size and complexity of the banking organization. Fortunately, interagency guidance will enhance the consistency of the regulatory examination of TPRM compliance across banks of all sizes and charter-types.

The proposed guidance outlines the general TPRM “life cycle” and identifies a number of principles for each of the following stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The first three stages of this TPRM life cycle benefit the most from a structured approach. These three stages have more stated principles and expectations outlined by the banking agencies, which can be broken down effectively through a properly structured TPRM program.

So, when looking at improvements to any TPRM program, I suggest bank executives and boards start with structure. Going forward, they should consider the structure of the overall program, the structure of each of the stages of the life cycle outlined by the banking agencies and the structure of the compliance function as it relates to TPRM. An effective strategy includes implementing a tailored structure at each stage. If executives can accomplish that, they can streamline compliance and make it more consistent throughout the program. Structure provides certainty as to internal roles and responsibilities, and promotes a consistent approach to working with third parties.

How Risk Culture Drives a Sound Third-Party Risk Management Program

Risk culture plays a role in every conversation and decision within a financial institution, and it is the key determinant as to whether a bank performs in a manner consistent with its mission and core values. Risk culture is a set of encouraged, acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk.

Third-party risk management (TPRM) is a fairly new discipline that has evolved over the past few years from legacy processes of vendor or supplier management functions previously used by companies to manage processes or functions outsourced to third parties. A “third-party” now refers to any business arrangement between two organizations.

The interagency regulatory guidance (the Federal Reserve Board, OCC, FFIEC and CFPB) says a bank cannot outsource the responsibility for managing risk to a third party, especially when additional risks are created. These risks may relate to executing the process or managing the relationship.

The recent Center for Financial Professionals (CFP) Third Party Risk Management survey “Third Party Risk: A Journey Towards Maturity” underpinned the issue around risk culture given the resourcing dilemma that most organizations face. Getting top-down support and buy-in was an issue posed by respondents in the survey. One respondent stated, “The greatest challenge ahead is to incorporate third party risk management goals into the goals of the first line of defense.” Another respondent stated, “Challenges will be to embed this into the organization, including [the] establishment of roles and responsibilities.” In particular, TPRM teams found it challenging to get buy-in from the first line of defense for the management of cyber risk and concentration risk.

Effective TPRM can only be achieved when there is a risk-centric tone, at the top, middle and bottom, across all layers of the company. Clear lines of authority within a three-lines-of-defense model are critical to achieving the appropriate level of embeddedness, where accountabilities and preferred risk management behaviors are clearly defined and reinforced.

Root cause analyses on third-party incidents and risk events (inclusive of near-misses) should be better used by organizations to reinforce training and lessons learned as it relates to duties performed by the third party. Risk event reporting and root cause analysis allows leadership to identify and understand why a third party incident occurred, identifies trends with non-performance of service-level agreements with the third party, and ensures appropriate action is taken to prevent repeat occurrences as it relates to training, education or communication deficiencies.

Risk culture is paramount to achieving benefits from the value proposition of an effective and sustainable TPRM program, and also satisfies regulators’ use test benchmarks.

Roles and responsibilities must be clearly defined and integrated within a “hub and spoke” model for the second-line TPRM function, the first line third-party relationship managers and its risk partners. Clearly, there is a need for financial institutions to (1) implement a robust training and communication plan to socialize TPRM program standards, and (2) ensure first-line relationships and business owners have been provided training.

Risk culture mechanisms that facilitate clear, concise communication are fundamental components for a successful TPRM program – empowering all parties to fulfill responsibilities in an efficient, effective fashion. The challenge of managing cultural and personnel change components cannot be underestimated. As a result, the involvement of human resources, as a risk partner, is critical to a successful resource model. With respect to cultural change, a bank should observe and assess behaviors with current third-party arrangements. The levels of professionalism and responsibility exhibited by key stakeholders in existing third-party arrangements may indicate how much TPRM orientation or realignment is required.

Key success factors to build a robust risk culture across TPRM include:

  • Clear roles and responsibilities across the three lines of defense and risk partners within the “hub and spoke” model for risk oversight.
  • Greater consistency of practices with regards to treatment of third parties. Eliminate silos.
  • Increase understanding of TPRM activities and policy requirements across the relationship owners and risk partners.

Indicators of a sound TPRM culture and program include:

  • Tone from the top, middle and bottom – the board and senior management set the core values and expectations for the company around effective TPRM processes from the top down; and front-line business relationship manager behavior is consistent from the bottom-up with those values and expectations. 
  • Accountability and ownership – all stakeholders know and understand core values and expectations, as well as enforcement implications for misconduct. 
  • Credible and effective challenge – logic check for overall TPRM framework elements, whereby (1) decision-makers consider a range of views, (2) practices are tested and (3) open discussion is encouraged.
  • Incentives – rewarding behaviors that support the core values and expectations.

Setting a proper risk culture across the company is indeed the foundation to building a sound TPRM program. In other words, you need to walk before you can run.