Written by: Andrew Jordan
Third-Party Risk Management: Compliance Tools for Financial Institutions
Key Takeaways:
- Financial institutions are increasingly relying on third parties, necessitating stronger risk management practices.
- Regulatory agencies are tightening expectations for managing third-party risks, emphasizing proactive approaches.
- The Financial Stability Board (FSB) toolkit and the FFIEC’s guide stress the need for customized third-party risk strategies based on institution-specific risks and services.
Financial institutions’ reliance on third parties continues to increase, and regulatory expectations are getting stricter as a result. Fortunately, recently published toolkits and guides from the regulatory agencies can help even the smallest risk management department strengthen its third-party management.
On June 6, 2023, the Federal Reserve System (the Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released new interagency guidance around third-party risk management (TPRM). Although the guidance didn’t substantially increase requirements, it underscored the importance of managing risks associated with third-party relationships and emphasized that this must be more than a box-checking effort.
Following the 2023 guidance, these agencies, as well as the Financial Stability Board (FSB), released resources to help financial institutions, particularly smaller ones, navigate third-party risks in accordance with regulatory standards. These guides are not prescriptive requirements or checklists to be implemented; rather, they are toolkits that may be used when designing your own risk management processes.
The Financial Stability Board Toolkit
On December 4, 2023, the FSB released a resource toolkit for financial institutions and service providers to enhance their third-party risk management programs. The toolkit emphasizes that each financial institution is different and that third-party relationships should be handled according to risk and the service provided. The toolkit specifically focuses on critical services and the potential impact of their disruption on the financial institution. Accordingly, the toolkit emphasizes a financial institution’s need for an enhanced business continuity strategy that incorporates third-party testing.
The Agencies’ Resource Guide
On May 4, 2024, the FDIC, OCC, and Fed released their own resource guide for third-party risk management. This guide is explicitly aimed at community institutions. It follows the guidance surrounding third-party management closely, walking through the familiar stages including:
- Risk management
- Due diligence
- Contract negotiation
- Ongoing monitoring
- Termination
Rather than specifying requirements around controls or outcomes, the guide provides points of consideration at each stage. It describes illustrative risks that an institution may consider, and controls or evidence it may collect from a third party to gain assurance over those risks. As with the FSB’s toolkit, this guide notes that each financial institution and its relationships are different based on the level of risk, complexity, and size of the financial institution.
How Can Wolf Assist?
Juggling the needs of your customers while managing each of the third-party relationships needed to support the business may seem overwhelming. The FSB’s toolkit and the agencies’ guide provide useful, actionable information for smaller institutions seeking to manage their third-party risk effectively. However, they also underscore the increasing emphasis regulators place on this process, indicating that third-party risk will continue to be a focus of examinations. That’s why it is crucial to get this right.
Wolf’s IT Advisory practice conducts a thorough review of your current policies and procedures surrounding third-party management to ensure compliance with regulatory standards and industry best practices for risk mitigation. Additionally, our WolfPAC software provides an integrated platform for your entire third-party management function, built on a methodology tailored to financial institutions, regulatory requirements, and practical needs.
Are you interested in leveraging Wolf’s services to manage third-party risk within your financial institution? Reach out to our experts today!