New Regulatory Guidance for Banks Managing Third-Party Risk. Are You Ready?
On June 6, 2023, the Office of the Comptroller (OCC), the Federal Deposit Insurance Corp. (FDIC) and the Board of Governors of the Federal Reserve issued final joint guidance outlining fundamental principles for how banking organizations should manage their third-party relationships and related risk. The guidance covers risk management practices and considerations across all stages of the relationship lifecycle, focusing on those relationships involving new technologies or direct interactions with end customers.
This joint move from the federal agencies stemmed from observations that the number and types of third-party relationships have increased and grown in complexity in recent years. The agencies’ goal was to provide banking organizations with more consistent guidance around managing their critical third-party relationships to ensure they’re responsibly monitoring and addressing risks, as well as protecting customer data.
Although originally proposed in July 2021, this new guidance goes into effect during a time of increasing volatility in the banking sector—coming in the wake of the collapse of major regional institutions and against the backdrop of a rising tide of data breaches. The recent MOVEit hack provides a stark example, as it generated more than 600 breaches targeting companies that use the popular MOVEit software to send large volumes of sensitive data. This event illustrates how financial institutions have become increasingly susceptible to the vulnerabilities of their third parties, justifying a more cautious approach to managing those relationships.
Guidance places contract considerations front and center
The new interagency guidance covers considerable ground and is organized around the five stages of the third-party relationship lifecycle: planning, due diligence, contract negotiation, ongoing monitoring and termination.
The guidance includes several notable recommendations pertaining specifically to contracts. For example, it devotes an entire section to the contract negotiation stage, in which it addresses 17 separate areas where banks should take a thoughtful approach to understanding and negotiating the terms of the relationship. Some examples of these areas include:
- Ensuring the confidentiality and integrity of information
- Establishing clearly defined performance measures or benchmarks to assist in evaluating third-party performance
- Documenting default and termination procedures
- Stipulating that the third party’s performance is subject to regulatory examination, oversight and supervision
- Defining ownership and license, including the third party’s rights to access and use the bank’s information, technology and intellectual property
The guidance also more broadly discusses governance considerations, including documentation and reporting. It encourages banks to maintain clear documentation of “executed contracts,” along with a “current inventory of all third-party relationships,” and to ensure that “contracts are appropriately reviewed, approved and executed.”
Implications for contract management processes
The new guidance has several important implications for how banks manage their contract processes. Specifically, institutions should focus on addressing the following areas covered in the guidance:
- Clear Inventory: Create a central repository for all third-party relationships that can be easily consulted and queried at all times, especially during agency audits.
- Gap Analysis: Undertake an initial review of all existing third-party contracts to determine if they contain appropriate clauses and provisions that meet banking goals and risk appetite.
- Remediation: Implement contract corrections at scale based on where gaps and risks are identified.
- Periodic Review: Create processes for periodic review of contracts to flag deviations from standard terms.
- Ongoing Contracts: Upgrade existing onboarding processes to mitigate third-party risks and ensure all stakeholders properly review, negotiate and approve terms.
As annual audits approach, banking organizations will want to make sure they’re prepared to answer questions about the new guidance, including, for example:
- Do your contracts contain appropriate provisions to ensure you can audit the business continuity and disaster recovery plans for critical vendors?
- Do your contracts contain provisions ensuring you can audit facilities that house sensitive data?
To best align your contract management practices with this guidance, it’s important to have the right tools and technology at your disposal. By storing and organizing all your contracts in one place, contract lifecycle management (CLM) tools give you on-demand access to contractual information while enabling you to make changes systematically and at scale.
Modern CLM tools equipped with an intelligent central repository, AI-driven insights and analytical capabilities are designed to support the sophisticated third-party contract management needs of financial institutions, helping support compliance with the latest regulatory guidance.