Regulators finalize third-party due diligence standards

Banks should tailor their third-party risk management practices to their size, complexity, risk profile and the nature of their third-party relationships, federal regulators said earlier this month in interagency guidance.

The 68-page guidance, issued jointly by the Federal Reserve, the Office of the Comptroller of the Currency and the FDIC, was finalized nearly two years after it was first proposed. It details how banks should manage third-party risk during contract negotiations, set clear expectations for how they assess and monitor third parties, and plan for the termination of a relationship.

Banks remain responsible for ensuring that third parties operate “in a safe and sound manner and in compliance with applicable laws and regulations, including but not limited to those designed to protect consumers — such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices — and those addressing financial crimes.”

Third parties could include data aggregators, merchant payment processors, consultants and cloud computing providers. “As part of sound risk management, a banking organization analyzes the risks associated with each third-party relationship and adjusts its risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships,” the regulators wrote. 

Acting Comptroller of the Currency Michael Hsu signed the guidance, which was approved by five of the six Fed governors. Only Michelle Bowman dissented, saying it failed to mitigate regulatory burdens on community banks and left uncertainty about whether they can continue to rely on previous third-party risk management standards. She also noted the lack of an implementation timeline for the agencies to release additional resources to help smaller banks manage the relevant risks.

“Although this guidance suggests that a sound third-party risk management framework should be appropriately tailored to a bank’s level of risk, complexity and size, it does not provide the necessary clarity or supplemental tools to facilitate small bank implementation,” she added.

In a prepared statement, Independent Community Bankers of America President and CEO Rebeca Romero Rainey supported Bowman’s dissent, noting that the ICBA recommends consolidating third-party risk management guidance and “structuring the guidance so it can be further tailored.”

The regulators, however, said the guidance makes clear that the standards can be tailored to a bank’s size and risk profile. “Banking organizations have flexibility in their approach to assessing the risk posed by each third-party relationship and deciding the relevance of the considerations discussed in the guidance,” they wrote.