New third-party risk guidelines mean big changes for many institutions
With the release of the Proposed Interagency Guidance on Third-Party Relationships: Risk Management (IG) in July 2021, the three federal banking regulators—the Federal Reserve (Fed), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC)—signaled commitment to combining their third-party governance guidance going forward. With this shift, many institutions will need to rethink their third-party risk programs to account for more detailed regulations and more extensive reporting requirements.
Third-party relationships have been a trouble area within financial institutions for some time. During the mortgage crisis, many banks experienced third-party issues that contributed to process failures, but the banks still retained ultimate responsibility, regardless of whether they insourced or outsourced key functions. Significant regulatory tension has existed ever since, and regulators believe banks still may not be taking third-party risk seriously enough.
The foundation for new guidelines
While the IG document appears to be based on the OCC’s previously issued guidance, it differs from the legacy versions of the Fed and the FDIC. Here we compare the new IG document to the Fed’s version.
While the IG document conveys no drastic changes in tone or direction, at over 90 pages it clearly differs from the approximately 12 pages of text in the Fed’s version (Guidance on managing outsourcing risk, Dec. 5, 2013, updated Feb. 26, 2021).
The increased length is primarily due to inclusion of frequently asked questions as well as greater detail on most topics. For example, the IG document expands the right-to-audit provision, which allows a banking organization to perform some level of internal control assessment of a third party:
| Legacy Fed document | IG document |
|---|---|
| Right to audit | The right to audit and require remediation |
| Agreements may provide for the right of the institution or its representatives to audit the service provider and/or to have access to audit reports. Agreements should define the types of audit reports the financial institution will receive and the frequency of the audits and reports. | The contract often establishes the banking organization’s right to audit, monitor performance, and provide for remediation when issues are identified. Generally, a third-party contract includes provisions for periodic, independent, internal, or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the banking organization’s in-house functions to monitor performance with the contract. An effective contract provision includes the types and frequency of audit reports the banking organization is entitled to receive from the third party (for example, SOC reports, Payment Card Industry (PCI) compliance reports, and other financial and operational reviews). Contract provisions reserve the banking organization’s right to conduct its own audits of the third party’s activities or to engage an independent party to perform such audits. |
Key areas of focus
In addition to providing greater detail than the Fed guidance, the IG document covers several new topics of importance to banking organizations. With new expectations such as increased board involvement, organizations may need to make big changes in the design and daily management of their third-party risk programs.
- Critical activities and third parties – While both the Fed and the IG documents emphasize the need for risk-based approaches to third-party governance, the latter includes over 60 mentions of the concept of “critical activities and third parties.” The OCC version, on which the IG document appears to be modeled, defines “critical activities” as significant bank functions or other activities that could:
- Cause a banking organization to face significant risk if the third party fails to meet expectations
- Have a significant impact on customers
- Require significant investment in resources to implement the third-party relationship and manage risk
- Have a major impact on bank operations if the banking organization must find an alternate third party or if the outsourced activity must be brought in-house
The regulators expect to see more planning, due diligence and oversight around third parties involved with critical activities. The IG document outlines approximately 15 board responsibilities, such as significant involvement in third-party oversight, including approval of contracts. It appears that risk management around critical activities involving third parties should be considered almost a “program within a program” and that diligent identification of these activities may be crucial to the success of a banking organization’s third-party governance program.
- Diversity – A requirement to assess third parties’ diversity efforts during due diligence is now included in the IG document, whereas the Fed guidance was silent on this topic.
- Uncooperative vendors – The new document wisely covers this category, which includes third parties that fail to provide requested due diligence documentation or whose contract terms are extremely rigid. Anyone who has been in the trenches of a third-party governance program knows this is a frequent and troublesome topic. The IG document calls for banking organizations to develop alternate means of assessing the risk posed by a third-party vendor if the desired internal controls cannot be applied. Merely logging an open issue for the lack of required documentation may not be sufficient—regulators apparently want to see a “plan B.”
How to protect your organization
Given the depth of the IG document and its introduction of new topics, banking organizations that previously followed the Fed’s written guidance will need to carefully analyze the new requirements and compare them to their current programs.
While the new regulations may not affect an organization’s internal resources, they may require a thorough gap analysis of a third-party governance program. RSM can initiate a detailed assessment of vendors, identify vulnerabilities and develop a plan to fix holes in a program.
Regulators will continue to focus heavily on third-party risk programs for some time. Regulators are looking for a lot more detail, and adequate preparation to meet these new expectations will enable institutions to better protect operations and avoid additional regulatory scrutiny.
This article was written by RSM US LLP and originally appeared on 2022-01-13.
2021 RSM US LLP. All rights reserved.