Earlier this month, the FDIC, Federal Reserve, and the OCC issued their final guidance to banking organizations for managing third-party risks. Working with third parties can reduce an organization’s direct control over business activities, which can introduce new risks or increase existing risks, such as operational, compliance, and strategic risks.
To address these concerns, the 68-page guidance provides directions and sets expectations for oversight at all stages in the life cycle of a third-party relationship, from planning and due diligence to vendor selection, negotiations, and termination.
Below we’ll summarize the highlights from the guidance and break down the key information you need to know.
This interagency guidance comes on the heels of heightened scrutiny of the banking industry amidst increasing cybersecurity incidents, as well as ESG regulation lawsuits and investigations. Because large financial firms typically hold sensitive information, they are often targeted for cybersecurity attacks.
In fact, recent data from cybersecurity firm Flashpoint shows that the financial sector experienced the second-highest number of data breaches in 2022, globally, behind government. U.S. banks were hit hardest, with around 9.4 million consumers impacted by data breaches against financial companies.
With a large share of breaches (by some industry estimates, roughly 60%) originating with a vendor or other third party, it is critical that financial institutions in particular assess and mitigate third-party risks, from the sourcing stage through the entire contract lifecycle. The new interagency guidance aims to provide “sound risk management principles” for banking organizations to use when developing and implementing their risk management practices.
This new interagency guidance rescinds and replaces previous guidance issued by the individual agencies. The guidance outlines principles and standards for comprehensive third-party due diligence and robust governance of risk management processes.
The purpose of the guidance is to:
The guidance applies to any business arrangement between a banking organization and a third-party entity—with or without a contract. Third-party relationships under this guidance include, but are not limited to:
To manage these relationships in line with the guidance, banking organizations are expected to:
Maintain a complete inventory of third-party relationships and periodically conduct risk assessments for each. This helps the organization determine whether risks have changed over time and update risk management practices accordingly.
Identify critical activities and third-party relationships that support these critical activities. Banking organizations can assign a criticality or risk level to each third-party relationship, or simply identify critical activities and the third parties that support them.
Involve staff with the knowledge and skills needed at each stage of the risk management life cycle. Organizations should draw on internal and external experts across disciplines, such as compliance, risk, and technology, as well as legal counsel.
The guidance is written to apply to all banking organizations supervised by the three agencies, including smaller institutions and community banks. However, the agencies recognize that not all relationships present the same level of risk, and organizations are expected to tailor the level of oversight and risk management to the risk and complexity of each relationship.
Due diligence is the foundation of a strong third-party risk management program. Choosing the right partners can be the difference between success and failure, and between a low-risk relationship and regulatory hot water.
The scope and degree of due diligence should be based on the level of risk and complexity of the third-party relationship. In other words, more comprehensive due diligence is important when a third party supports higher-risk or critical activities.
The interagency guidance outlines several key areas on which to focus due diligence efforts. When certain information isn’t available from the third party, organizations should look for alternative data to assess the vendor, implement additional controls, or monitor the third party more closely to compensate for those gaps in data.
Additionally, relying on sources beyond the third party itself is crucial when performing due diligence. External data, such as real-time supplier intelligence, can provide objective insights into third parties and vendors that organizations cannot obtain from the vendor alone.
Below are the main areas of due diligence according to the interagency guidance:
Review the third party’s business strategy and goals to understand:
This information can help organizations determine whether they are aligned on policies, values, and goals.
Review legal and regulatory compliance considerations associated with engaging a third party. This can help the organization evaluate whether it can appropriately mitigate risks associated with the third-party relationship.
This may include:
For instance, evaluating the third party’s ownership structure is important, as global financial firms need to be particularly vigilant about foreign ownership risks, blocklists, and sanctions. That’s why having objective intelligence on a company’s ownership structure and foreign affiliations—and real-time notifications when a risk arises—is critical.
Understanding a third party’s financial condition helps banking organizations evaluate whether the third party has the financial capability and stability to perform.
Financial insights are critical not only for understanding the financial health of the company but also for gauging how much it invests in its cybersecurity posture, and therefore how healthy that posture is likely to be.
“While it’s not a direct financial metric, cybersecurity has a direct financial impact on a company’s performance when something goes south,” explained Steven Tinkey, Head of Portfolio Management at a key Department of Defense agency.
“Cybersecurity is also a leading indicator of future financial performance. As any CEO will tell you, it’s not when you get attacked; it’s about how that attack is able to penetrate and destroy your value.”
A vendor’s overall business experience can inform how well they are equipped to perform the service or activity.
The guidance recommends assessing:
Unqualified or unverified staff can lead to costly mistakes and even legal repercussions for banking institutions.
Banking organizations should consider factors such as:
Having access to reliable data that alerts procurement, risk, and compliance teams to politically exposed persons, as well as to personnel and labor-related lawsuits, is critical for mitigating risk.
As Ingmar Mester, Director of Supplier Management at Hapag-Lloyd explains:
“No supplier is going to call you beforehand to tell you something bad is going to happen, so having a [supplier intelligence platform] to minimize and mitigate risk earlier in the process is invaluable.”
Third parties should have their own risk management programs in place. When considering a vendor, organizations should evaluate the effectiveness of a third party’s overall risk management, including policies, processes, and internal controls.
Information security is a top concern for banking organizations, and that concern must extend to any third parties they contract with. Due diligence here involves assessing the third party’s information security program and its consistency with the banking organization’s information security program.
Assessing the third party’s data, infrastructure, and application security programs, including its software development life cycle and the results of vulnerability scans and penetration tests, can surface weaknesses in the systems that will handle the banking organization’s data.
Questionnaire data gathered directly from the third-party vendor can help organizations understand its internal processes, but it is also important to gather independent data on the vendor’s security posture for a complete picture of the IT risk landscape.
Review the third party’s business processes and information systems that will be used to support the activity. When technology is a major component of the third-party relationship, banking organizations should review both companies’ information systems to identify gaps in service-level expectations, business process and management, and interoperability issues.
Operational resilience refers to how well a third party can operate through and recover from any disruption or incidents, both internal and external.
To gain additional insight into a third party’s resilience capabilities, a banking organization may review:
Review the third party’s incident reporting and management processes to determine whether there are clearly documented processes, timelines, and accountability for identifying, reporting, investigating, and escalating incidents.
Does the third party have sufficient physical and environmental controls to protect the safety and security of people (such as employees and customers), its facilities, technology systems, and data? Organizations should also review the third party’s employee on- and off-boarding procedures to ensure that physical access rights are managed appropriately.
Supply chains are complex, and many third-party vendors work with their own subcontractors to get work done. Banking organizations need to have a clear picture of their n-tier suppliers, including the volume and types of subcontracted activities and the degree to which the third party relies on subcontractors. This helps inform whether such subcontracting arrangements pose additional or heightened risk to the organization.
Does the third party have existing insurance coverage? If so, what does it cover? Understanding this helps a banking organization determine the extent to which potential losses are mitigated.
Insurance coverage may include:
A third party’s commitments to other parties can have legal, financial, or operational implications to the banking organization. That’s why it’s important to understand and evaluate the third party’s legally binding arrangements with other parties to determine whether they may create or transfer risks to the banking organization or its customers.
There are a variety of ways to structure third-party risk management processes. Organizations may disperse accountability for their third-party risk management processes among their business lines or centralize the processes under their compliance, information security, procurement, or risk management functions. No matter how an organization structures risk management, robust governance should include clear oversight and accountability, independent reviews, and documentation and reporting.
Oversight and accountability support risk management by minimizing adverse financial, operational, or other consequences. The board of directors is ultimately responsible for providing oversight for third-party risk management and holding management accountable.
As part of this responsibility, the board should:
Conduct periodic independent reviews to assess the adequacy of third-party risk management processes. These reviews should consider factors such as:
The results of independent reviews can help organizations determine whether and how to adjust their third-party risk management process, including policies, reporting, resources, expertise, and controls.
Banking organizations should properly document and report on their third-party risk management processes and specific third-party relationships throughout their life cycle. Documentation and reporting will vary depending on the risk and complexity of their third-party relationships.
Maintain thorough documentation and reporting including:
Due diligence requires in-depth supplier evaluation and information gathering. And as regulatory and cybersecurity risks continue to increase pressure on banking institutions, it’s more important than ever to have a robust supplier intelligence solution.
While third-party risk management solutions help address many of the problems outlined in the interagency guidance, they often rely heavily on limited and biased first-party data. Comprehensive supplier intelligence like Craft gathers objective data and insights in real time from multiple sources across risk domains such as cybersecurity, operational, regulatory, and financial risk.