The Future of Vendor Management: What the Proposed Federal Third-Party Guidance Means for Your Bank
It’s been years in the making and now the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have finally proposed new vendor management guidance. What does the proposal say? What might it mean for your bank?
The Proposed Interagency Guidance on Third-Party Relationships: Risk Management aims to unify the agencies’ approach to vendor management. While the agencies use a consistent approach to vendor management in their guidance (including critical vendors, oversight, and the vendor management life cycle), they vary in the depth and the details.
The OCC’s 2013 guidance is the most detailed and the basis for the new guidance. It’s built on a three-legged stool approach to vendor management.
The proposed guidance creates a six-step vendor management lifecycle where oversight and accountability are integrated directly into the lifecycle—not as a separate element. This aligns with best practices in other areas of risk management. The steps are:
- Planning for a relationship
- Due diligence and third-party selection
- Contract negotiation
- Oversight and accountability
- Ongoing monitoring
The proposal also seeks to include the OCC’s vendor management FAQ, which was updated in March 2020. Topics addressed include the definition of a vendor, the concept of critical activities, vendor management as a subset of risk management, and the importance of tailoring vendor management to fit each FI’s needs. It provides principles that help banks scale their risk management activities based on their size, complexity, and the concept of critical activities.
What the Proposed Guidance Means to Your Bank: 3 Takeaways
Now that you understand what the proposed guidance aims to accomplish, here’s what you need to know about the future of vendor management.
#1 Nothing is set in stone.
The proposed guidance on managing the risks of third-party relationships is just that: a proposal. It shows us the federal regulatory agencies’ thought process and gives us the opportunity to comment on it. The guidance can change dramatically between now and its final publication. It’s even possible (but not likely) that the agencies will walk it back. There is nothing to implement right now.
But that doesn’t mean you don’t have to think about vendor management. The existing guidance is still in place and being enforced.
#2 When commenting on the guidance, don’t be afraid to ask questions or raise concerns.
In their request for comment, the agencies ask specific questions about the guidance, but don’t feel limited by those constraints. If something seems vague or could benefit from more clarity, speak up. Points to consider include:
- How does this fit in with the agencies’ existing risk management guidance?
- Is more clarity needed on critical activities (a new term) and on the remediation strategies expected?
- What are the expectations for remedying concentration risk?
- Can the description of critical activities be clarified and improved with more examples that apply to banks of different size and complexity?
- Can the guidance address expectations for how examiners will evaluate the challenges a bank faces in contract negotiations?
#3 Vendor management is here to stay.
While we don’t know the exact form the final guidance will take, we do know that vendor management is going to remain a hot button regulatory issue for the foreseeable future. It’s not going anywhere, and oversight is likely to increase.
If your bank’s primary regulator is the Federal Reserve or FDIC, it’s a good idea to conduct a mini risk assessment. Go through the OCC guidance and FAQ and ask yourself whether your institution is doing all the things mentioned.
- Are the board and management involved in vendor management?
- Is your system tailored to your bank or is it a generic check-the-box activity?
- Are you viewing vendor management through a lens of risk management?
That’s the direction vendor management is moving, and it’s nice to be able to set your own pace rather than rushing to meet an outside deadline. (It also helps protect your bank from vendor risk, a critical business move even if it weren’t required by regulators.)
If your bank is regulated by the OCC, review your vendor management program to understand how it fits into the existing guidance and what impact a more risk-based approach to vendor management could have on it. Your existing vendor management program needs to be able to adapt along with your bank.
We all know why the agencies are so emphatic when it comes to vendor management. Banks rely heavily on third parties to conduct business. These valuable partners also pose a huge risk, exposing banks to everything from cyber and operational risk to compliance and reputation risk.
Having strong vendor management in place is more than just good compliance. It’s good risk management—and that's good business.