Service Supervision


The steps to building a complete third-party management program

By Keith E. Monson

Because of recent guidance from the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau, and the Federal Financial Institutions Examination Council's Appendix J to its Business Continuity Planning booklet, financial institutions can no longer rely on time-tested third-party relationships without performing enhanced due diligence. Why? Because a bank's use of any third-party provider generates compliance, operational, strategic and legal risks that remain the bank's responsibility, even though the activity has been outsourced.

CFPB Bulletin 2012-03 (Service Providers) and OCC Bulletin 2013-29 (Third-Party Relationships: Risk Management Guidance) set out expectations that shape the relationship between banks and third-party vendors.

Unfortunately, the guidance does not spell out specific requirements for each area. Instead, it emphasizes that a bank must oversee and control every operation that can affect a customer, which includes identifying, measuring and managing the risks introduced by each third-party service provider.

Here are three steps for community banks to consider in developing a third-party risk management framework that regulators will appreciate.

1. Know Your Vendors. OCC guidance defines a third-party relationship as any business arrangement between the bank and another entity, by contract or otherwise. Examiners, of course, are most interested in seeing that banks properly manage vendors that perform "critical" functions or have access to nonpublic customer data. Know-your-vendor actions include, but are not limited to, the following:

  • reading Service Organization Control (SOC) reports for critical vendors in full and on a recurring basis, confirming that the report's scope and review period actually cover the services the bank uses, and implementing the complementary user-entity controls the report assumes the bank will operate;
  • noting the auditor's opinion and any exceptions. If exceptions are noted, confirm that sufficient compensating controls, at the vendor or at the bank, provide reasonable assurance that the affected control objectives were still achieved;
  • evaluating the controls in place against the bank's own requirements;
  • ensuring the vendor's business continuity planning addresses cyber resilience, the focus of FFIEC Appendix J; and
  • reporting the results to the board.

2. Identify Critical Activities. To identify the most critical vendors, community banks should first pinpoint the activities that pose the highest risk. Critical activities can be defined as bank functions, shared services or other activities that could:

  • cause significant risk to the bank if the third party fails to meet expectations;
  • have a significant effect on customers;
  • require significant investment to implement the relationship and manage its risks; or
  • have a major impact on the bank's operations if the bank must find an alternate third party or bring the activity in-house.

3. Implement a Viable Vendor Management Program. Once critical activities and vendors are identified, banks should carry out four actions throughout the life of every third-party relationship:

  • conducting a thorough review of a third party's reputation and financial condition before signing a contract, and repeating that review periodically during the term of the relationship;
  • negotiating contracts that specify the responsibilities and rights of each party and that provide for terminating the relationship should business circumstances or strategies change;
  • monitoring ongoing contractual performance, including assigning staff with the expertise needed to oversee each third-party vendor's activities; and
  • reporting the results of third-party performance reviews to senior management and the board of directors, which remain ultimately responsible for the overall risk management process. The board should regularly re-evaluate risk factors and adjust strategy as circumstances change.

Keith E. Monson is chief risk officer for Computer Services Inc., a core processing and technology service provider in Paducah, Ky.