date 2024-08-26
Third-party risk management remains a top priority for US federal and state regulators, who have recently brought enforcement actions against financial institutions. These actions resulted in millions of dollars in civil money penalties for violations of the Bank Secrecy Act (BSA) and for weak third-party risk management controls.
Recent actions illustrate that regulators are increasingly holding financial institutions accountable for their third-party relationships, including fintech entities. Regulatory agencies expect that institutions are establishing risk-based practices to conduct adequate due diligence on these third parties and continually monitor, assess and control the risks of these relationships.
Throughout the last 18 months, regulators have stepped up their focus, issuing detailed guidance and several consent orders on third-party risk management.
In June 2023, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board and the Federal Deposit Insurance Corporation (FDIC) released interagency guidance on third-party risk management for financial institutions. The guidance serves as a roadmap that lays out regulatory expectations and best practices for effectively managing the risks associated with institutions' third-party relationships.
Less than a year later, the OCC issued a consent order against a south Atlantic regional bank after identifying weaknesses in its third-party risk management program.
The FDIC determined that a northeast fintech had engaged in unsafe and unsound banking practices. It issued a consent order relating to, among other things, the bank's failure to have internal controls and information systems appropriate for its size. The order also addressed the nature, scope, complexity and risk of its third-party relationships.
The FDIC also issued a consent order instructing a midwestern regional bank to develop appropriate policies and procedures for third-party risk management. It also called for improved due diligence and monitoring of third parties that carry out anti-money laundering (AML) and countering the financing of terrorism (CFT) responsibilities.
Institutions often rely on third-party service providers to run their financial crime compliance (FCC) controls. Historically, third-party services were limited to identifying negative news, sanctions screening and transaction monitoring. Recently, these services have expanded to include processes such as customer identity verification, electronic data proofing, generative artificial intelligence in enhanced due diligence case management, alert investigations and risk assessments.
Institutions might have stringent ongoing monitoring of their internal processes. However, without extending those standards and practices to third parties, firms risk onboarding the wrong customer, closing the wrong alert, or failing to file a suspicious activity alert. Institutions that conduct adequate due diligence and periodic vendor risk assessments can avoid compliance risks introduced by third parties.
Despite the benefits gained from using third parties, it is essential that financial institutions recognize, retain and manage the FCC risks that third parties introduce. To do this, they must implement a third-party risk management program that facilitates managing those risks and monitoring third parties' activities to help ensure compliance with their regulatory obligations.
The lifecycle for helping ensure adequate oversight and management of third parties incorporates three key risk management components: due diligence review, ongoing monitoring and risk assessments.
Many financial institutions can enhance their standard compliance review as part of due diligence during the contract phase of a new third-party relationship. As described in the recent interagency guidance, this includes evaluating the effectiveness of a third party's overall risk management, including its policies, processes and internal controls. It also involves checking their alignment with the institution's policies and expectations for the activity.
Due diligence should also include a review of the technologies the third party employs, to verify whether the party is potentially introducing new or additional risks. The financial institution's compliance unit can conduct initial testing to check the quality of the services provided. This also helps ensure that the third party is set up to operate within the institution's risk tolerance threshold.
The interagency guidelines establish standards for information security, safety and soundness, and best practices for ongoing monitoring. Regulators expect financial institutions to monitor third parties' performance throughout the relationship. This helps ensure that third parties perform to expectations, identifies any necessary changes in the relationship, and allows the institution to respond to resulting changes in risks and their controls. Key risk management activities in the ongoing monitoring phase include:
By enhancing its existing annual AML and BSA risk assessments, a financial institution can better determine its risk profile and more accurately identify financial crime compliance risks. It can identify risks introduced by third parties and put controls in place to mitigate them. It can also map relationships to regulatory requirements and document key third-party data points.
Not all third parties warrant the same level of due diligence and monitoring, but an assessment of overall third-party risks can help an institution determine the appropriate risk-based approach.
Regulators have made it clear that they are focusing on how institutions manage third-party financial crime risks. Financial institutions need efficient and effective programs in place to conduct due diligence on third parties and to continually monitor, assess and control the risks that stem from these relationships.