Third-Party Service Providers and Vendor Management: What Banks Need to Know About New Guidance

Michael Berman

5 min read

Jun 9, 2023

Two years after it was first proposed, the Interagency Guidance on Third-Party Relationships: Risk Management has been finalized. This new vendor management guidance from the federal regulatory agencies aligns vendor management requirements among the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve and replaces existing guidance.

What does this new third-party service provider (TPSP) vendor management guidance mean for banks?

We’re here to break it down for you.

Overview of Interagency Guidance on Third-Party Relationships
Planning
Due diligence and vendor selection
Contract negotiation
Ongoing monitoring
Termination
Biggest changes to third-party vendor management for banks
New definition: What’s a critical vendor?
Digging deeper into due diligence and analyzing third-party risk
New emphasis on linking third-party risk with overall risk management
More emphasis on contracts as a third-party risk control
Timeline for Interagency Guidance on Third-Party Relationships implementation
Final thoughts on bank TPSP guidance

Overview of Interagency Guidance on Third-Party Relationships

The new bank vendor management guidance breaks down the vendor management lifecycle in five phases.

1. Planning

The planning phase sets the stage for any third-party vendor relationship. It’s the time when a bank should think about why it’s considering outsourcing an activity. There needs to be a clear business case for the decision. Potential risks and controls should be identified, and the bank needs to ensure it has sufficient resources to oversee the relationship.

2. Due diligence and third-party selection

The planning phase sets the stage for due diligence and third-party selection. Having established what the bank needs from a vendor and the potential risks of the partnership, due diligence gives a bank the information it needs to decide whether a vendor is positioned to help the bank meet its strategic and financial goals.

Due diligence helps a bank assess whether the vendor can deliver products and services as promised, comply with laws, regulations and bank policies, and operate in a safe and sound manner. The scope of due diligence depends on the level of risk and complexity the relationship presents.

3. Contract negotiation

Contract negotiation is an opportunity for banks to add provisions and other addendums to protect mitigate risk. Riskier relationships require more detailed contracts.

Read also: What Is Contract Management?

4. Ongoing monitoring

Ongoing monitoring is the process a bank uses to:

Verify third-party vendors are delivering products and services as promised
Assess if vendor controls are effective
Escalate and address significant issues

Gone are the days of reviewing a third-party vendor’s documents once a year, especially for critical and other high-risk vendors. The guidance suggests that “Ongoing monitoring may be conducted on a periodic or continuous basis, and more comprehensive or frequent monitoring is appropriate when a third-party relationship supports higher-risk activities, including critical activities.”

5. Termination

A bank needs to outline the terms and conditions of ending a vendor relationship. This includes causes for termination, costs, and how data and intellectual property will be handled. There should also be a plan for how the bank would transition to another service provider.

Free Guide: The Ultimate Guide to Fintech and Third-Party Vendor Onboarding

Biggest changes to third-party vendor management for banks

Now that we’ve established the basics of the guidance, let’s take a look at the biggest differences between existing and new guidance.

New definition: What’s a critical vendor?

The new vendor management guidance uses a three-prong test to identify critical vendors. A critical vendor is one that will:

Cause a bank to face significant risk if the third party fails to meet expectations
Have significant customer impacts or
Have a significant impact on a bank’s financial condition or operations

Critical vendors and data security

The new guidance makes it clear that a third-party vendor with access to significant amounts of protected or confidential customer information could pose a significant impact to customers.

Digging deeper into due diligence and analyzing third-party risk

Due diligence remains an integral part of the vendor management lifecycle. The new guidance provides more detail on the factors banks should analyze to determine residual risk before entering a third-party vendor relationship. (In the past these factors varied from regulator to regulator and tended to include much broader categories of risk such as strategic, reputation, operational, transactional, credit and compliance risk.)

Now banks supervised by the OCC, FDIC, and Fed will need to address these factors:

Strategies and goals
Legal and regulatory compliance
Financial condition
Business experience
Qualifications and backgrounds of key personnel and other human resource considerations
Risk management (SOC reports specifically mentioned)
Information security
Management of information systems
Operational resilience
Incident reporting and management processes
Physical security
Reliance on subcontractors
Insurance coverage
Contractual arrangements with other parties

Takeaway: Make sure your vendor risk assessments are drilling down into the details when conducting due diligence and analyzing residual risk. Be sure to monitor all of these areas and update risk assessments when there are changes.

New emphasis on linking third-party risk with overall risk management

 While connecting vendor management to the rest of a bank’s enterprise risk management program has always been a best practice, the new guidance makes this link explicit.

The guidance expects the board to establish a risk appetite for third-party risk management (TPRM) and for management’s vendor management program to align with this statement. This includes policies, procedures and practices.

As part of its oversight and accountability, the board of directors should be “Integrating third party risk management with the banking organization’s overall risk management process.”

What does that mean? Vendor management should be closely linked to other elements of a bank’s risk management program including compliance, business continuity and resiliency, audit, fair lending, and information security, among others. The actions of vendors can have a significant impact in each of these areas.  

Takeaway: Data from your vendor management program needs to integrate into your other risk management programs. Vendor management isn’t effective in a silo.

More emphasis on contracts as a third-party risk control

The contract has always been an important element of third-party vendor management. The new guidance doubles down on this, calling out vendor contracts as a specific risk factor. Depending on the criticality and complexity of the vendor relationship, contracts should clearly define:

Nature and scope of the third-party vendor arrangement
Performance measures or benchmarks
Responsibilities for providing, receiving and retaining information
Audit and remediation rights
Compliance responsibilities
Costs and compensation
Ownership and license
Confidentiality and integrity
Operational resilience and business continuity
Indemnification and limits on liability
Insurance
Dispute resolution
Customer complaints
Subcontracting
Foreign-based third parties
Default and termination
Regulatory supervision

Takeaway: When negotiating contracts, make sure your bank looks beyond cost and leverages third-party vendor contracts as a source of as many valuable risk management controls as possible.

Timeline for Interagency Guidance on Third-Party Relationships implementation

This guidance takes effect immediately, meaning that examiners will use it to guide them when assessing a bank’s vendor management programs. While guidance doesn’t have the force of a regulation, it can be used as the basis for citing a bank for unsafe and unsound banking practices, something we’ve seen regulators do recently.

That makes it extremely important for banks to assess their vendor management programs in light of the new guidance.

Final thoughts on bank TPSP guidance

While the interagency guidance doesn’t revolutionize vendor management, it represents its ongoing evolution as a part of integrated risk management. Vendor management programs should be evaluating a broad range of risks, and these risks should all tie into a bank’s enterprise risk management solution.

It’s also a critical reminder that regulators are very concerned with third-party vendor management programs at banks. They are probing deeper, asking more questions, and raising their expectations. This is especially true as banks rely more on fintechs, which often lack experience in managing compliance risk and other areas of deep interest to regulators.

As this guidance takes effect, now is the time for banks to be assessing the maturity of their vendor management programs and how they integrate with the institution’s overall risk management program.

Free Webinar: Third-Party Vendor Management for Banks

Subscribe to the Nsight Blog

All Topics Risk & Compliance Product Insight Banks Lending Compliance Credit Unions Risk Management Fair Lending Nfairlending Cluster: Risk Management Compliance Lending Compliance Management Integrated Risk Blog Nrisk Regulatory Compliance Management News & Updates HMDA Risk Mortgage Lenders Ncomply Vendor Management Business Resiliency CRA Lending Compliance Blog Vendor CFPB Ncontinuity Third-Party Vendor Management Business Continuity Cybersecurity Fintech NVendor Strategic Planning Ncyber Ntransmittal Audits & Findings Company Culture OCC Regulatory Updates Audit Nverify Regulatory Compliance Exams FDIC Compliance Management Findings Nfindings NCUA Contract Management Employee Intranet Contract FRB Business Continuity Management FFIEC Findings Management Ncontracts manager Third-Party Vendors Vendor Risk Enterprise Risk Management ABA Bank Access Control Audit Findings Board Portal Call Report Due Diligence Efficiency Employee Engagement Exam findings FIEC Inc. 5000 Internal Audit Management Nboardportal Verify Wealth Management

Solutions

Risk Solutions

Vendor Solutions

Compliance Solutions

Lending Compliance

Risk Performance Management

Software Solutions

Risk Management Software

Vendor Management Software

Compliance Management Software

Continuity Management Software

Fair Lending Compliance Software

Findings Management Software

Audit Management Software

Cybersecurity Assessment Software

1071 Compliance Software

Employee Network/Intranet Software

Accredited Certification Program

Banks

Credit Unions

Mortgage Lenders

Fintech

Wealth Management

Nsight Blog

Webinars

Ncast Podcast

Regulatory Pulse

Events

Nsider Community

Dig into our Nstitute Certified Vendor Management Professional Training!

Featured Resources

Webinar: What Does Resilience Look Like?

Regulatory Pulse March 2024

Webinar: The Future of Risk Management

9 Fair Lending Compliance Training Essentials

Podcast: Succeeding All Together, Banking and Company Intranets

Book: The Upside of Risk

Resource Hub

About Us

News

Leadership

Partnerships

Join the Team

Ncontracts Highlights

Ncontracts Launches Nstitute & the Certified Vendor Management Professional (NCVMP) Certification

Ncontracts named Top Workplace for Third Consecutive Year in 2023

Ncontracts and CBANC Release New Report

Event: Ngage 2023 Nashville