Due diligence in third party risk management

An effective risk management process includes a continuous lifecycle for all third-party relationships and covers planning, contract negotiation, ongoing monitoring, termination, and due diligence and third-party selection.

An in-depth assessment of a third party’s ability to perform critical activities while complying with regulatory guidelines should be performed before entering into a contract or relationship. Banks should not rely on experience with or prior knowledge of the third party, and the level of due diligence should be equal to the risk and complexity of the relationship.

In practical terms, this means a core system that houses the entire bank’s loan and customer data might require more attention than a relationship contracted to print deposit slips.

Due diligence recommendations from the OCC includes a whole host of criteria for assessing a third party. Here’s an example of some of the recommendations:

Corporate strategies: do they conflict with the bank’s strategy, or will business arrangements planned by the organization affect the bank?

Legality: does the third party have all necessary licenses and audits according to the service agreement?

Financial condition: upon reviewing audited financial statements, does it appear the third party is in good financial health (i.e. growth levels, profitability, debt) to offer uninterrupted service 

Experience: does the third party have a history of satisfactorily providing the service and with the level of expertise required?

Fees: does the license fee or cost structure create financial difficulties for the bank?

Principals of the company: does the third party periodically check the background of senior management and personnel that will participate in the relationship?

Risk management: does the organization have proper internal controls and audit functions in place? A third party’s SOC 1 report is an excellent starting point. A SAS 70 is no longer the relevant audit report. In 2011, the AICPA replaced the SAS 70 with the more comprehensive SSAE 16, also known as SOC 1.

Information security: do the controls at the third party adequately keep data safe and quickly address new threats or vulnerabilities once identified?

Resilience: has the third party made disaster recovery plans for continued service in light of natural disasters, cyber or physical attacks or human error? Have these plans been effective in the past

This list is meant to start the due diligence thought process but may not be conclusive; it’s recommended to read the guidance in its entirety to gauge how the identified risks could apply to a bank’s specific relationship.

A chief financial officer of a privately held bank in the Northeast commented, “The new OCC guidance forces banks to be more cognizant of the relationships they undertake and assess the risk involved with third parties. As banks recover from the financial crisis in 2008, it’s clear the OCC is promoting a more structured approach to mitigate risk.”

While this list may be onerous to administer, it does help bank management and board members understand and execute a thorough vendor due diligence program.

It is management’s responsibility to review and determine whether or not the third party meets expectations. If critical activities are part of the contract, senior management must present the due diligence results to the board for approval when making recommendations on third-party relationships.

For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper: Risk Management Guidance on Third Party Relationships.