Guidance Issued on Third-Party Relationship Risks

By Richard Roth, J.D., Editor, the CCH Federal Banking Law Reporter.

The Federal Deposit Insurance Corp. has published new guidance addressing how banks should manage the risks posed by significant third-party relationships. The guidance begins by noting that a bank must identify and manage the risks from third-party relationships to the same extent as would be required if the activity were carried out in-house. Indemnity agreements will not relieve a bank from this duty, the FDIC says.

The guidance is aimed specifically at what are termed "significant" third-party relationships, which are relationships:

• that are new or that implement a new banking activity;
• that have a material effect on the bank's revenues or expenses;
• in which the third party performs critical functions;
• in which the third party deals with sensitive customer information;
• in which the third party markets bank products or services;
• in which the third party provides a product or performs a service involving subprime lending or card payment transactions; or
• in which the third party poses risks that could significantly affect earnings or capital.

Risk Management Process

Since using a third party reduces management's direct control over the bank's activities, oversight becomes even more important, according to the guidance. The outlined risk management process has four main elements:

• Risk assessment: The first step is for management to determine whether to enter into a third-party relationship, which involves considering the bank's strategic planning and business strategy. The costs, benefits and risks of the relationship should be analyzed, particularly in the case of a new activity. Management must review its own ability to oversee the relationship and also estimate the long-term financial effect of the relationship.
• Due diligence: Management must determine, both before entering into a relationship with a third party and on an ongoing basis, that the third party is qualified. This determination includes looking at the third party's experience, reputation, financial condition and internal controls. The scope and depth of the due diligence inquiry should be related to the importance of the relationship.
• Contract structuring and review: The bank should have a written contract with the third party that clearly spells out the relationship. According to the FDIC, this contract should prohibit the third party from subcontracting any of its duties unless the bank has the opportunity to perform appropriate due diligence on the subcontractor. The guidance listed a number of other necessary contractual requirements, including performance standards, reporting and audit requirements and information security considerations.
• Oversight: The bank's board should review significant third-party relationships at least once each year, and management should periodically review each third party's operations to ensure that the contract is being fulfilled. The bank's compliance management system should ensure that all third parties are in compliance with federal and state laws and regulations and with the institution's internal policies.

The guidance also reminds banks that, under the Bank Service Company Act, they are required to provide written notice to their federal regulator of contracts under which third parties provide services such as check or deposit sorting and posting, computing and posting interest, preparing and mailing checks, and other bookkeeping or accounting functions.