Government Relations Newsletter Volume 11, Issue 2
New Guidance for Banks on Third-Party Relationships and the Impact on Payments Companies
Written by members of the Government Relations Strategic Interest Group (SIG)
In June 2023, the Board of Governors of the Federal Reserve System (the Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (the “Agencies”) adopted final Interagency Guidance on Third-Party Relationships: Risk Management (the “Final Guidance”) for all banking organizations supervised by the Agencies.
Entities involved in merchant payment processing should be apprised of the guidance as their direct and indirect relationships with banks will be influenced by changes or process updates made by those banks in how they approach the four core sections of the Final Guidance: Risk Management, Third-Party Relationship Life Cycle, Governance, and Supervisory Review of Third-Party Relationships.
According to the Agencies, third-party relationships may be with “new or novel structures or features – such as those observed in relationships with some financial technology (fintech) companies.” Particularly as payments companies pursue complex, multi-layered structures and newer models for facilitating payments, the Final Guidance may provide clues into how banks supporting new models and structures will manage their relationships.
In support of the Guidance, on August 8, 2023, the Federal Reserve announced the establishment of a Novel Activities Supervision Program (Program) to enhance the supervision of novel activities conducted by banking organizations supervised by the Federal Reserve. The Program will focus on novel activities related to crypto-assets, distributed ledger technology (DLT), and complex, technology-driven partnerships with nonbanks to deliver financial services to customers. The Program will be risk-focused and complement existing supervisory processes, strengthening the oversight of novel activities conducted by supervised banking organizations.
Risk Management
An overarching theme of the Final Guidance is that banking organizations are expected to adopt sound risk management practices that are commensurate with the size, complexity, and risk profile of the banking organization, and the nature of its third-party relationships. As such, banking organizations should ensure that they understand how each arrangement with a particular third party is structured in order to assess the types and levels of risk posed, and to determine how to manage the third-party relationship accordingly. If a third party is engaged in higher-risk activities, including “critical activities”, the banking organization should have more comprehensive and rigorous oversight of that third party. The banking organization’s oversight should include, among other things, keeping a “complete inventory of its third-party relationships and periodically conducting risk assessments for each third-party relationship.” The banking organization should utilize a “strong methodology to designate which activities and third-party relationships receive more comprehensive oversight.”
Critical activities are characterized as activities that could:
- Cause a banking organization to face significant risk if the third party fails to meet expectations;
- Have significant customer impacts; or
- Have a significant impact on a banking organization's financial condition or operations.
Third-Party Relationship Life Cycle
The Final Guidance states that effective third-party risk management generally follows a continuous life cycle through each of its stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
Planning
Higher-risk activities, including critical activities, warrant a greater degree of planning and consideration. The banking organization may want to obtain approval of the Board of Directors before moving forward. It is also important “to involve staff with the requisite knowledge and skills in each stage of the risk management life cycle. A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.”
Due Diligence and Third-Party Selection
It is an important part of the process for the banking organization to perform due diligence on third parties before entering into a third-party relationship. The process should allow the banking organization to obtain information that enables it to “evaluate whether it can appropriately identify, monitor, and control risks associated with the particular third-party relationship. Due diligence includes assessing the third party's ability to: perform the activity as expected, adhere to a banking organization's policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner.” And, of course, higher-risk activities require more comprehensive due diligence. The banking organization should also note the limits of its process; specifically, it should “identify and document any limitations of its due diligence, understand the risks from such limitations, and consider alternatives as to how to mitigate the risks. In such situations, a banking organization may, for example, obtain alternative information to assess the third party, implement additional controls on or monitoring of the third party to address the information limitation, or consider using a different third party.”
An assessment of legal and regulatory compliance should also be a part of the process. The Final Guidance states that this may include, among other factors, “evaluating the third party's ownership structure (including identifying any beneficial ownership, whether public or private, foreign, or domestic ownership) and whether the third party has the necessary legal authority to perform the activity, such as any necessary licenses or corporate powers.” We note that the banking organization may require money transmitter licenses for certain third parties engaged in the movement of funds. We further note that the banking organization may also consider “whether the third party has identified, and articulated a process to mitigate, areas of potential consumer harm.”
During the due diligence process, the banking organization should review the third party’s history of addressing customer complaints as well as the qualification, background, training and oversight of the key personnel. The banking organization should evaluate the “third party's governance processes, such as the establishment of clear roles, responsibilities, and segregation of duties pertaining to the activity. It is also important to consider whether the third party's controls and operations are subject to effective audit assessments, including independent testing and objective reporting of results and findings.”
When technology is a component of the activities, the banking organization should “review both the banking organization's and the third party's information systems to identify gaps in service-level expectations, business process and management, and interoperability issues.”
The banking organization should evaluate the operational resilience of the third party to determine its ability to “operate and recover from any disruption and incidents both external and internal.” This is especially important if the disruption could adversely impact the banking organization or its customers. The Final Guidance states that in order to assess the third party’s operational resilience, the banking organization may review “(1) the results of operational resilience and business continuity testing and performance during actual disruptions; (2) the third party's telecommunications redundancy and resilience plans; and (3) preparations for known and emerging threats and vulnerabilities, such as wide-scale natural disasters, pandemics, distributed denial of service attacks, or other intentional or unintentional events.”
During the due diligence process, the banking organization should also review the third party’s legally binding arrangements with other parties such as subcontractors.
Contract Negotiation
The Final Guidance identifies preparing, reviewing, and negotiating contracts as a critical stage of the life cycle. The Final Guidance lists many factors that a banking organization should consider, including the nature and scope of the arrangement, costs and compensation, performance measures or benchmarks, requirements related to information storage, audit and remediation rights, confidentiality, subcontracting, and termination.
Putting clearly defined measures in place, such as in the form of a Service Level Agreement (SLA), is useful in defining the roles and responsibilities of each party. The contract should also require the third party to retain “timely, accurate, and comprehensive information to allow the banking organization to monitor risks and performance and to comply with applicable laws and regulations.”
The third party’s obligation to disclose an information security breach to the banking organization in a timely manner should also be addressed in the contract.
Subcontracting by the third party can result in additional risk due to the lack of a direct relationship between the banking organization and the subcontractor. As such, the banking organization may want to address “when and how the third party should notify the banking organization of its use or intent to use a subcontractor and whether specific subcontractors are prohibited by the banking organization.”
Ongoing Monitoring
The Final Guidance states that monitoring “enables a banking organization to: (1) confirm the quality and sustainability of a third party's controls and ability to meet contractual obligations; (2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and (3) respond to such significant issues or concerns when identified.”
Termination
There are various reasons why a contract may be terminated, such as “expiration or breach of the contract, the third party's failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bring the activity in-house, or discontinue the activity.” The termination should be handled efficiently, and there should be a transition plan in place.
Governance
This section identifies the typical practices of banking organizations for third-party risk management. Specifically, the banking organization is expected to engage in Oversight and Accountability; Independent Reviews; and Documentation and Reporting.
Oversight and Accountability
The Final Guidance distinguishes between the responsibilities of a banking organization’s board of directors and those of its management. The management bears responsibility for developing and implementing third-party risk management policies, procedures, and practices. The board of directors bears the responsibility to oversee the organization’s third-party risk management processes and to hold management accountable.
Independent Reviews
The Final Guidance states that periodic independent reviews should be conducted, and if any issues or concerns are discovered, there should be escalation, as needed, to the board of directors.
Documentation and Reporting
Banking organizations should maintain proper documentation and reporting on their third-party relationships based upon the complexity and risk involved in those relationships.
Supervisory Review of Third-Party Relationships
The Agencies indicate that they will incorporate the review of third-party risk management processes into their overall standard supervisory oversight.
The Final Guidance lists several factors that the Agencies should consider in their supervisory review, such as the ability of bank management to oversee its organization’s third-party relationships, the impact that third-party relationships have on the banking organization’s risk profile, and the organization’s compliance with applicable laws and regulations.
* * * * *
This Final Guidance replaces the previous guidance on this subject issued by each individual agency and, in conjunction with the Program, will enhance the supervision of novel activities conducted by supervised banking organizations, with a focus (as relevant to the Guidance) on complex, technology-driven partnerships with non-banks to provide banking services. Overall, the Final Guidance reiterates that banking organizations are ultimately responsible for conducting activities in a safe and sound manner, including activities conducted through third parties, and that banking organizations should adopt risk management policies that are commensurate with the risk posed by each third-party relationship.