June 20, 2023. Sacramento, California. One interesting aspect of bank mergers and acquisitions happens during an integration, when two banks merge their policies and procedures to create one consolidated entity. It is especially interesting when you are the acquired bank, and you get a chance to see how different organizations work from the ground up. When my New York bank employer was acquired by a bank in North Carolina, one of the first big changes I encountered was the way my new employer handled vendors, known in the banking world as third-party relationships. I came from a world of extensive vendor risk evaluations and negotiations of master service agreements that could take 6 months, and my new bank simply maintained a list of approved consultants. Why? It took me a whole year to understand how banks develop their programs for managing vendors and what is changing in the new interagency guidance issued in June 2023.
The guidance is issued jointly by the Federal Reserve, FDIC, OCC, and NCUA, and one of the first things to understand is that these different bank regulators set standards and oversee different kinds of financial institutions. Each of these regulators previously issued their own guidance on how financial institutions should manage the risks associated with their third-party relationships for vendors, but they jointly issued a proposal in 2021 and then the final guidance in 2023 to unify these separate standards.
For any environmental risk manager, managing vendor relationships with engineering and environmental firms is a big part of our job. We want to make sure that we have a range of firms that can work on all the different types of projects that come up during due diligence and portfolio management. In addition, some banks use the same vendors to help with purchasing and leasing their bank offices and branches. My previous vendor program also included goals for contracting work to small and disadvantaged firms.
Under the new guidance program, each financial institution will evaluate risks with third party and vendor relationships, such as engineering and environmental firms, to assess how they work with the bank and what kinds of information they use or generate. The amount of money contracted to third parties is also an important element of evaluating risk. Based on that risk evaluation, vendors are classified according to the potential risk their work carries with respect to the bank’s ability to do business and protect sensitive financial and personal information. In my experience, engineering and environmental firms used in due diligence activities are usually ranked as a low risk by banks, and the amount of review and oversight is at the low end of the spectrum. That can still be a lot of work for vendors, who often must respond to questionnaires and provide information about their scope of work, their subcontractors, and their data security measures in order to do work for banks. In recent years, the biggest focus in my vendor management programs has been on how information is exchanged between the bank and the engineering firm, how the engineering firm uses and stores that data, and whether data considered to be personal information or sensitive is then protected by the engineering firm.
The new guidance goes into effect as of June 2023 and will drive more consistency across the financial services industry. Engineering and environmental firms should be able to develop standardized packages to submit for review to all their current and prospective bank customers. All financial institutions will be expected to have a comprehensive list of vendors, to rank them according to the risk posed by their services, to have executed contracts or master services agreements, to independently evaluate performance, and to properly close out relationships that are no longer appropriate or serving the bank’s needs. For state-chartered banks and smaller institutions, this may involve more robust vendor risk evaluation programs and more robust oversight and accountability of vendors. The guidance mentions diversity policies and practices in directing banks to integrate third-party management into their broader strategies and goals, but the degree of work and cost involved in meeting all the requirements (even for low-risk vendors) will exclude some small firms owned by minorities, veterans, and other under-represented groups unless they get up to speed on the standards laid out in the third-party relationship guidance. You can find the interagency guidance in the Federal Register for June 9, 2023, cited as 88 FR 37920.
Marty Walters, Principal Consultant