In the latest episode of the Risk Intel Podcast, host Ed Vincent discusses third-party risk management (TPRM) guidance with expert Shawn Ryan. The discussion focuses on the Third-Party Risk Management guidance released in May 2024. Shawn sheds light on the due diligence, contracting, and monitoring stages that financial institutions must navigate, especially when dealing with FinTech and RegTech firms.
The May 2024 guidance from the Federal Reserve, FDIC, and the OCC describes five stages of the third-party relationship life cycle: planning, due diligence, contract negotiation, ongoing monitoring, and termination. In Part 1 of this series, Shawn discussed the Planning and Termination stages in detail. Listen to or watch the full episode below, or read the summary to learn more.
Shawn Ryan emphasizes that due diligence is a cornerstone of effective TPRM. Regulators are increasingly scrutinizing how Financial Institutions assess the capabilities and reliability of their third-party partners. Shawn advocates for the active involvement of frontline business staff in the due diligence process, rather than relying solely on procurement teams. This hands-on approach ensures that the unique requirements and potential risks of each third-party relationship are thoroughly understood.
“Engaging a third party does not diminish or remove a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including consumer protection laws and regulations, just as if the bank were to perform the service or activity itself” - Third-Party Risk Management: A Guide for Community Banks, May 2024
However, Shawn also acknowledges the challenges of partnering with less mature organizations, such as start-ups, which may lack documentation like SOC 2 reports. Flexibility is key in these scenarios, balancing the need for robust due diligence with the practical constraints faced by smaller firms. Shawn also notes that when working with FinTechs, the Financial Institution will often have to educate its partner on risk management practices and regulatory expectations to ensure compliance.
“I would never suggest that you shouldn’t work with less mature organizations. I think that’s where a lot of creativity and innovation is going to come from … but you have to establish good guard rails and you can do that through due diligence” – Shawn Ryan
Contract negotiations can often be a contentious stage in third-party risk management. Shawn points out that Financial Institutions frequently impose numerous redlines, which can complicate the negotiation process. To mitigate these challenges, he advises focusing on critical elements such as risk management controls, performance expectations, and dispute resolution mechanisms.
Jurisdiction and liability thresholds are often areas of significant negotiation. Shawn recommends approaching these discussions with a balanced perspective, aiming to create a win-win scenario that fosters a positive long-term partnership. Building strong, cooperative relationships from the outset can pave the way for smoother interactions and better risk management outcomes.
“Without proper evaluation, failure is inevitable” – John Wooden
Once a third-party relationship is established, ongoing monitoring is essential to ensure compliance with risk management practices and performance expectations. Shawn stresses the importance of clear roles, responsibilities, and communication channels for effective monitoring. Financial Institutions should have mechanisms in place for escalating and remediating any issues that arise during the course of the partnership.
While some institutions may consider outsourcing aspects of their risk management to specialized firms, Shawn reminds us that the ultimate responsibility for managing third-party risk always remains with the Financial Institution itself. Continuous evaluation and adjustment of third-party relationships are crucial to maintaining effective risk management over time.
Shawn Ryan’s insights highlight the delicate balance that Financial Institutions must strike between regulatory compliance and practical flexibility. By fostering strong, cooperative relationships with FinTech and RegTech partners, institutions can navigate the complexities of third-party risk management more effectively. Continual evaluation and adaptation are key to ensuring these partnerships remain beneficial and compliant in an ever-evolving regulatory landscape.
Shawn Ryan also recently spoke on this same topic at the Independent Bankers Association of Texas, Connecting Leader Conference. You can download the full presentation below.
If you are evaluating your Fintech partnership program or BaaS strategy, reach out to the SRA Watchtower team who can provide the knowledge, tools, and strategies needed to navigate regulatory guidance and foster successful third-party relationships.