In June this year, the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Federal Reserve Board (FED) shared a joint statement offering guidance focused on outsourcing and third-party risk management for banking institutions.
These guidelines replace the FED’s 2013 guidance, the FDIC’s 2008 guidance, and the OCC’s 2013 guidance as well as its 2020 frequently asked questions. Their scope is wide-ranging, applying to all National Banks & Federal Branches and Agencies, Trust Banks, and Federal Savings Associations, and also including Banking as a Service providers.
The guidance offers the views of the OCC, FDIC, and FED on sound risk management principles for banking. It provides a framework for organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships, naming Escrow solutions as an important provision to consider.
The new guidance demonstrates a continued drive towards operational resilience amongst financial services providers, and it will apply to all banking institutions within the United States supervised by these agencies.
The “Third-Party Relationships: Interagency Guidance on Third-Party Relationships: Risk Management” stipulates that banks must review their internal policies, standards and procedures. With the industry’s increased reliance on third-party technology and software, the guidance now requires banks to revise their relationships with software suppliers to include third party risk management principles. This must include independent reviews, documentation and reporting, and oversight and accountability.
The regulators identify 5 key stages where third-party risk management must be considered:
- Planning
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
- Termination
Notably, the agencies recognized the crucial role played by contractual and escrow arrangements between banks and third-party providers. Software escrow agreements emerge as highly efficient, proportionate, and cost-effective measures to mitigate risks associated with technology providers. These agreements offer a minimum level of resilience through legal and technical means, ensuring uninterrupted business operations during service restoration or the implementation of alternative options.
Escrow agreements are directly mentioned in the stipulations for contract negotiation with third parties; however, they apply across all stages of risk management.
The inclusion of Escrow agreements is a progressive step forward in regulating third party risk management. Escrow is a solution that is proportional to each application whilst remaining cost effective, allowing smaller financial institutions to implement it immediately.
John Boruvka, Vice President, US Sales at NCC Group, shared: “These guidelines demand accountability, transparency, and resilience, and it’s exactly what the industry needs. The interagency guidance emphasises the importance of sound risk management principles and provides a consistent framework for institutions to enforce better management practices.
“We are pleased to see the agencies adopt our recommendation to include guidance on practical resilience solutions like Escrow. Its inclusion in third party risk management will be particularly impactful. Escrow agreements are no longer an afterthought for these institutions; they're front and centre throughout the risk management process.
“The guidelines represent a significant step towards accountability and resilience in the financial services sector, especially with general trends showing the increase in the number and type of banking organizations’ third-party relationships. By embracing the principles outlined and incorporating Escrow provisions, banks can enhance their risk management practices and ensure the smooth continuity of their operations.”
Contact
NCC Group Press Office
All media enquiries relating to NCC Group plc.