Due diligence for third-party relationships took center stage in final joint guidance from federal bank regulators.
The Federal Reserve, Federal Deposit Insurance Corp. and Treasury Department said that sound risk management must take into account the level of risk, complexity and size of the bank. The nature of the third-party relationship must also be considered.
The 68-page guidance covers any business arrangement between a bank and another entity, including fintechs. While it addresses the various stages of the relationship, the guidance provides significant direction for handling due diligence (which made up 10 pages of the document).
“The use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations,” the guidance said.
The agencies said a key element of effective risk management should involve applying a sound methodology to designate which activities and third-party relationships receive more-comprehensive oversight.
The guidance made it clear that due diligence should be conducted for every third-party relationship, even if the bank has previous experience with, or knowledge of, the other entity.
“Due diligence should be tailored to the specific activity to be performed,” the guidance stated. “The scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship. More-comprehensive due diligence is particularly important when a third party supports higher-risk activities.”
Banks should identify and document any limitations to their due diligence, understand the resulting risks and consider alternatives to mitigate those risks. In those cases, banks should obtain alternative information, implement more controls, monitor the third party – or consider another provider.
Due diligence should cover a third party’s policies, processes, internal controls and strategic alignment with the bank. “This would include an assessment of the third party’s governance processes, such as the establishment of clear roles, responsibilities and segregation of duties pertaining to the activity,” the guidance said.
The guidance also covered due diligence for information security, including whether a third party’s information security practices are consistent with the bank’s own program. It is also important to know how the outside provider monitors, identifies, assesses and addresses emerging threats and vulnerabilities.
The joint guidance replaces each agency’s existing general guidance. It is directed toward all banks supervised by the agencies.