Tips for Board Oversight of Third-Party Risk Management

It has been almost a year since the federal banking agencies finalized the Interagency Guidance on Third-Party Relationships: Risk Management. While banks have made significant progress incorporating the guidance into their risk management processes, many boards of directors are still getting comfortable with their role in third-party risk management (TPRM).

The guidance makes clear that “management is responsible for developing and implementing third-party risk management policies, procedures, and practices.” However, it also reminds banks that the “board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable.” According to the guidance, board oversight of TPRM includes ensuring that:

1. Third-party relationships are managed in accordance with the bank’s goals and risk appetite as well as in compliance with applicable law and regulations.

2. There is appropriate reporting to the board on the bank’s third-party relationships.

3. Management monitors third-party relationships and takes appropriate action to address risks and remedy issues.

The board is also a key component of the overall governance structure in a bank’s TPRM program. Governance includes not only the oversight and accountability that comes directly from the board, but also the completion of periodic independent reviews and maintenance of proper documentation and internal reporting for the TPRM program and the bank’s third-party relationships.

Banks rely on third parties for almost every aspect of their operations. This means boards of directors may find the potential scope of responsibility daunting. However, boards at community and smaller banks can find solace in the guidance’s repeated statement that components of a TPRM program should be “commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”
In continuing to understand and refine their role and scope of responsibility for TPRM, boards of directors should consider the following do’s and don’ts.

Do:
• Ensure the bank evaluates every third-party relationship. Yes, every third-party relationship must be covered by a bank’s TPRM program, no matter how small or seemingly risk free. This does not mean every third party must be treated the same, but it does mean the TPRM program should have a process to score every relationship at its inception. Some relationships may be deemed very low risk and require little or no further action by the bank, while other relationships will flow through the full suite of due diligence and ongoing monitoring. In all cases, the initial risk determination should be documented.

• Include procurement and legal departments in the process. Although these are not separate groups or departments at every bank, the key is to make sure the bank focuses on the role of contracting in TPRM. Many of the principles described in the guidance flow from the negotiations and agreements at the start of the third-party relationship. Even in relationships where the bank has little bargaining power, TPRM should be included in the contracting and onboarding processes.

Don’t:
• Forget the affiliates. Under both the guidance and the market terms principles of Regulation W, services provided to a bank by its affiliates should be included within the scope of a bank’s TPRM program. While some risks are not present in services provided by affiliates — presumably a bank has full insight into the management and ownership of its affiliate — some risks are greater. For example, banks can be less focused on contingency planning and service interruptions when an affiliate is involved.

• Ignore background relationships. Ongoing monitoring is a critical component of TPRM. For some relationships, such as with a bank’s core ledger provider, daily monitoring is built into the nature of the relationship itself. However, monitoring looks different for background relationships, which are those long-standing third-party relationships with ongoing or periodic services, often with automatically renewing contracts. These can include staffing providers, certain utilities and even professional services providers such as a bank’s auditors and law firms. A bank’s TPRM program should have a process to regularly review and update these relationships.