Supervisory Reviews & the New Guidance
September 20, 2023
In this blog series, we have been discussing the final guidance issued by the OCC, FDIC, and Federal Reserve and how it provides a general framework for how the agencies will conduct supervisory reviews of third-party risk management. The scope of the supervisory review depends on the degree of risk and the complexity of the third-party relationship and any associated products and services.
When reviewing third-party risk management processes, examiners typically conduct the following activities, among others:
- Assess the ability of the banking organisation’s management to oversee and manage the banking organisation’s third-party relationships,
- Assess the impact of third-party relationships on the banking organisation’s risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations,
- Perform transaction testing or review results of testing to evaluate the activities performed by the third party and assess compliance with applicable laws and regulations,
- Highlight and discuss any material risks and deficiencies in the banking organisation’s risk management process with senior management and the board of directors as appropriate,
- Review the banking organisation’s plans for appropriate and sustainable remediation of any deficiencies, particularly those associated with the oversight of third parties that involve critical activities, and
- Consider supervisory findings when assigning the components of the applicable rating system and highlight any material risks and deficiencies in the Report of Examination.
When circumstances warrant, an agency may use its legal authority to examine functions or operations that a third party performs on a banking organisation’s behalf. Such examinations may evaluate the third party’s ability to fulfil its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services. When necessary, the agencies may pursue corrective measures, including enforcement actions, to address any violations of laws and regulations or any unsafe or unsound banking practices on the part of the banking organisation or any of its third parties.
Having reviewed in detail the expectations for supervisory reviews contained in the recent guidance, we turn now to best practices banking organisations should consider as they prepare for reviews by the three agencies. These include the following core practices:
- When designing documentation and reporting frameworks, banking organisations should consider regulatory agencies and the intended audience. Each deliverable should effectively address a component of the interagency third-party risk management objectives.
- Banking organisations should familiarize their boards with the applicable agency rating system and explain how supervisory findings impact the bank’s risk profile.
- Banking organisations must collaborate with third-party partners to prepare for supervisory reviews. This often involves educating regulators about the products and services offered in connection with each partnership, as well as any associated risks and rewards to markets and consumers.
It is important that banking organisations keep their third-party partners informed of supervisory reviews and findings, and ensure they are prepared to cooperate in resolving any identified issues. Additionally, they must ensure their third parties maintain appropriate tracking and documentation as evidence of remediation activities that address any supervisory findings.
In our next post, we will examine the expectations for oversight and accountability of the third-party risk management process.