August 20, 2024


As we pass the halfway mark of the year, I continue to be struck by the interconnectedness of the financial services landscape and how it continues to evolve. Community and regional banks continue to engage with third parties to offer innovative, technology-driven products and services to meet the needs of their clients.

The growth in banks' third-party relationships is a prime example of both the rapid pace of change in the financial services industry and the agility required of bankers to stay on top of risk threats and manage the risks presented by these new relationships, products, and services.

Interagency guidance released in June 2023 provides key risk management principles banks can leverage as they navigate the life cycle of third-party relationships. As a follow-up, additional guidance, SR 24-2, was released last May as a companion document to the earlier guidance. The latest guidance is intended to assist community banks in assessing their risks and in developing and implementing a risk-management process tailored to the risk profile and complexity of their relationship(s). This guide applies to all banking organizations with $10 billion or less in consolidated assets supervised by the Federal Reserve. More recently, in July, the agencies issued SR 24-5 to note potential risks related to arrangements between banks and third parties to deliver bank deposit products and services to end users.

To maintain sound risk management of third-party relationships that support higher-risk activities, banking organizations engage in more comprehensive and rigorous oversight to appropriately manage the activities. This oversight addresses critical activities that could have significant customer impacts or affect the bank's financial condition or operations. As said by Brad Waring of our Significant Service Provider program, "Financial institutions are contracting with service providers for an increasingly broad array of products and services from core banking to payments processing, trust services, fraud risk detection, Bank Secrecy Act/Anti Money Laundering, and cloud technologies. The service provider oversight program and the reports FRB Atlanta produces are intended to complement financial institutions' third party service provider programs by providing another view into the effectiveness of service provider risk management programs and cybersecurity controls." Risk can appear in unforeseen places, such as with subcontractors retained by third-party suppliers without notification to the bank along with a lack of clarity regarding roles and responsibilities, including questions such as who has responsibility for handling customer complaints that involve services of the third party.

Another novel risk arises from our globalized era and the level of interconnectedness across the industry. Third-party suppliers and their subcontractors can be located anywhere in the world, including in the cloud, and they might—or might not—be subject to jurisdictional oversight from their home country regulators. In exchange for potential exposure to fraud risk and data breaches, these platforms built on the public cloud allow for closer to real-time data, more accurate reporting, open integrations, speed, and agility. These attributes make it possible for staff to make faster and smarter decisions as they weigh the rewards offered by a third-party provider against the array of operational, preventable, and strategic risks the potential provider could introduce to the bank. When they engage a vendor, banks should ensure that a clear understanding exists of where a bank's data are stored, the controls over the data, and who has access to the data.

You as a banker also have a responsibility: to work proactively and prudently to conduct thorough due diligence on third-party partners before selecting and entering these relationships, which are often complex. This provides management with the information to determine if a relationship helps achieve your organization's strategic and financial goals, as well as evaluate customer satisfaction. Additionally, you can learn how your bank will integrate third-party technology with existing systems and infrastructure and determine whether potential compatibility issues exist. New technology could also require staff with new or different skills.

Lastly, a comprehensive process of due diligence will provide your financial institution with information needed to evaluate whether it can appropriately identify, monitor, measure, and control risks associated with the third-party relationship. As required by the Bank Service Company Act, the federal banking agencies conduct regular examinations of many third-party service providers that are considered critical to the financial sector. As part of our responsibilities conducting this work, our Significant Service Provider Division routinely distributes these examination reports to their established banking clients. Reviewing results of these exams, coupled with a bank's own thorough due diligence and ongoing monitoring, should be a core component of a bank's risk management process.

Banks should routinely consider these recommendations as they evaluate third-party relationships:

  • Review the examination reports for existing gaps at your vendors to assess the impact on your institution.
  • Keep abreast of software updates in a third party's programs that can fix bugs or improve security.
  • Stay current on access management; know who has access, who has authority to make changes in systems, and the currency of access logs.

In closing, as banks continue to partner with third parties to expand product offerings, banking organizations can take immediate steps to proactively manage risk that is perhaps not present in their current protocol. The next product of third-party providers may well involve generative AI services. Some financial services institutions are experimenting with generative AI to see how it can streamline back-office functions and customer service roles, as well as improve fraud detection, inform credit decisions, and monitor and improve Know Your Customer procedures, to name just a few.

Speaking of generative AI, stay tuned to hear more about the topic at our Banking Outlook Conference scheduled for February 27, 2025. You will hear how the Federal Reserve is working to understand AI's application to financial services, assess methods for managing risks arising from this technology, and determine where banking regulators can support responsible use of AI and equitable outcomes by improving supervisory quality.

Sincerely,

Joe Davidson

Senior Vice President, Supervision and Regulation
The Federal Reserve Bank of Atlanta