Third-Party Risk Management (TPRM): Final Interagency Guidance

Life Cycle

Planning

• Evaluate and consider risk management before entering into third-party relationships; certain third parties, including those that support “higher-risk” or “critical activities”, may warrant a greater degree of planning and consideration, such as board approval.

• The strategic business purpose for the arrangement; the associated benefits, risks, and costs; potential information security and physical security implications; and contingency planning.

Due Diligence and Selection

• Evaluate whether they can appropriately identify, monitor, and control risks associated with a particular third-party relationship. The scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship.
• Any limitations on due diligence efforts should be documented and alternatives considered to mitigate related risks. (Note: Banking organizations may use external parties, such as consultants or consortiums, to supplement the information gathering.)

• The third party’s: business strategies and goals; ownership structure; financial condition; staffing resources and experience with the relevant activity; governance and risk management; information security management; and reliance on subcontractors. 

Note: The regulators state that where there are collaborative efforts to reduce the burden of due diligence, they do not abrogate the responsibility of the banking organization to manage third party relationships in a safe and sound manner.

Further, where there are challenges collecting information from third parties, the guidance provides that banking organizations should consider taking steps to mitigate risks or determine is the residual risk is acceptable.

With regard to subcontractors, the guidance clarifies that the focus should be on the banking organizations approach to evaluating its third party’s own processes for overseeing subcontractors and managing risk.

Contract Negotiation

• Tailor the level of detail and comprehensiveness of contract provisions based on the risk and complexity posed by a particular relationship.
• Conduct periodic reviews of executed contracts to address pertinent risk controls and legal protections.

• The nature and scope of the business arrangement (rights and responsibilities of each party); performance measures and benchmarks; obligations related to data (e.g., access, retention); right to audit; operational resilience and business continuity; and default and termination.

Ongoing Monitoring

• Confirm the quality and sustainability of a third-party’s controls, escalate significant issues or concerns, and respond to them when identified.
• Conduct on a periodic or more continuous basis, where more comprehensive or frequent monitoring is appropriate for third-party relationships that support “higher risk” activities, including “critical activities”.

• Overall effectiveness of the relationship; changes in financial condition; relevant audit or testing results; compliance; changes in key personnel; changing laws or regulations; and customer complaints and remediation.

Termination

• Assess and execute termination of a third-party relationship.

• Potential alternate third parties; transition timeframes; data-related risks such as access, retention, and destruction; joint intellectual property; and potential impacts to customers.

Governance

Oversight and Accountability

Management:

• Integrating TPRM with overall risk management processes.
• Directing planning, due diligence, and ongoing monitoring activities.
• Reporting periodically to the board or designated committee on TPRM activities.
• Providing that third-party contracts are appropriately reviewed, approved, and executed.
• Establishing appropriate organizational structures and staffing, including level and expertise, to support TPRM processes.
• Implementing and maintaining an appropriate system of internal controls to management risks associated with third-party relationships.
• Assessing whether the banking organization’s compliance management system is appropriate to the nature, size, complexity, and scope of its third-party relationships.
• Determining whether the banking organization has appropriate access to data and information from its third parties.
• Escalating significant issues to the board and monitoring any resulting remediation, including actions taken by the third-party.
• Terminating business arrangements with third parties when they do not meet expectations or no longer align with strategic goals, objectives, or risk appetite.

Board

• Third-party relationship management and consistency with strategic goals, risk appetite, and compliance with applicable laws and regulations.
• Appropriate periodic reporting on third-party relationships.
• Whether management has taken appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified.

Note: The guidance seeks to avoid the appearance of a prescriptive approach to the board’s role in the risk management life cycle while emphasizing their ultimate oversight responsibility.

Independent Reviews

• Periodically conducted to assess the adequacy of TPRM processes.

• Alignments with the banking organization’s business strategy and internal policies; identification, measurement, monitoring, and control of third party-related risks; engagement of TPRM staff over the life cycle; and conflicts of interest.

Documentation and Reporting

• Processes that support effective documentation and internal reporting.

• A current inventory of third-party relationships identifying those with “higher risk” activities; reports spanning the TPRM life cycle (planning/risk assessments, due diligence reports; executed contracts, performance reports from ongoing monitoring, customer complaints and remediation, service disruptions/security breaches); board reports; independent reviews.