Third-Party Risk Management – Exam Expectations for Vendor Oversight

In June 2023, the federal banking agencies issued final Interagency Guidance on Third-Party Relationships, consolidating and replacing prior guidance from the OCC, Federal Reserve, and FDIC. This update, reflected in OCC Bulletin 2023-17, sets clear expectations for how banks should manage risk across the lifecycle of third-party relationships. Examiners now expect institutions to demonstrate strong governance, risk-based due diligence, and ongoing monitoring of all vendors, including fintechs, cloud providers, and affiliates. Whether a relationship is critical or not, banks must show they understand and control the risks introduced by third parties.

Key Areas of Examiner Focus

  • Risk-Based Due Diligence: Examiners expect banks to tailor their due diligence based on the risk and complexity of the third-party relationship. This includes evaluating financial condition, legal and regulatory compliance, operational resilience, and information security practices. For critical vendors, due diligence should be more in-depth and documented.
  • Contractual Controls: Contracts must clearly define the rights and responsibilities of both parties. Examiners look for provisions that address performance standards, data ownership, confidentiality, audit rights, and termination clauses. For high-risk vendors, contracts should also include business continuity and incident response requirements.
  • Ongoing Monitoring: Institutions must monitor third-party performance and risk throughout the relationship. This includes reviewing service level agreements (SLAs), conducting periodic risk assessments, and tracking compliance with contractual terms. Examiners will ask for evidence of oversight activities, especially for critical or high-risk vendors.
  • Board and Management Oversight: The board of directors is responsible for approving and overseeing the third-party risk management framework. Senior management must ensure that policies and procedures are followed and that risk assessments are updated as relationships evolve. Examiners will review board reporting and governance documentation.
  • Lifecycle Management: The guidance emphasizes managing third-party risk across the full lifecycle: planning, due diligence, contract negotiation, ongoing monitoring, and termination. Examiners expect banks to maintain documentation at each stage and to reassess risks when services change or issues arise.

Regulatory Insights

The Interagency Guidance aligns with the agencies’ broader focus on operational resilience and risk governance. It applies to all banking organizations, regardless of size, and covers a wide range of third-party relationships, including those with affiliates and subcontractors. While the guidance is principles-based, examiners will expect banks to demonstrate that their third-party risk management program is commensurate with the size, complexity, and risk profile of the institution.

Importantly, the guidance does not exempt relationships that are managed by another party or shared across a holding company. Each bank is responsible for its own risk management and must be able to show that it has assessed and is overseeing the risks of each third-party relationship it relies on.

Examiners may also review how banks manage concentration risk, especially when multiple services are provided by a single vendor or when several critical vendors rely on the same subcontractor. Institutions should be prepared to explain how they identify and mitigate these risks.

Finally, banks should ensure that their third-party risk management framework is integrated with other risk management functions, including compliance, information security, and business continuity planning. Coordination across departments is key to effective oversight and regulatory compliance.

As regulatory expectations continue to evolve, banks should review their third-party risk management programs to ensure alignment with the June 2023 guidance. Institutions that can demonstrate a risk-based, well-documented, and actively managed approach will be better positioned for a successful exam outcome.

To learn more about how GLOBAL ABAS can support your compliance program, visit our website or subscribe for future updates.
