Transcript | Implications of U.S. Banking Regulators’ Final Guidance on TPRM – with Brian Kostek, Kathryn Hardman and Helen Smith

Welcome to today’s Powerful Insights podcast. My name is Brian Kostek. I’m a managing director within Protiviti's Risk and Compliance group and lead our third-party risk management sub-solution within that work. We focus primarily on helping financial institutions and healthcare and technology companies assess, build and implement third-party risk management programs.

We’ll be focused today on the discussion around the recently released final interagency guidance from the U.S. banking regulators. That guidance was released after a long comment period and two years of waiting for the finalized proposal to come out. With that, we’ve got two industry experts on the line today to talk about the impact within their organizations and how organizations are addressing the changes that are coming out of the interagency guidance. Let me introduce Kathryn Hardman, director of third-party risk management and model risk governance at Veritex Bank, and Helen Smith, head of third-party risk management at First Citizens Bank. Thank you both for being here today.

Thanks for having us.

Kathryn, we’ll start with you. Based on your read of the interagency guidance, what are the big topics, from your perspective, that were addressed in the revised guidance, and how are you addressing those in your program today?

Some of the big takeaways are the definition of a third party, and that is inclusive of a business arrangement, which they don’t further define, which leads us to define, and that could be with or without a contract. Another big takeaway is defining critical and ensuring that how we’re defining critical is consistent throughout our policies and our standards. In FRBSR 1319, the word critical was only used four times, whereas in this interagency guidance, it’s used 16 times. They very much were enforcing the word critical. In fact, it’s on the bank to define what that is.

The other big takeaway is that if you're moving from FRB 1319, seven risk domains were specifically discussed in those risk assessments, and three items of due diligence — and the interagency guidance moved to 14. For the smaller banks, or banks that maybe weren’t on the OCC guidance, having to expand those domains that we’re looking at both on the risk assessment side and the due diligence side, The planning piece is a little more robust, especially for smaller banks to be able to do robust planning that is very prescriptive.

And then last, on the contracting piece, there were three additional provisions that weren’t previously included on the FRB side that we will now have to incorporate.

Have you already looked at how you’re going to have to address the program?

We’ve started to differentiate between a payee and everybody else — a payee being someone or a business that you might pay one time that’s a commodity-type purchase. Or maybe you’re buying T-shirts for an event to use to help advertise, or what have you. Or maybe there are loan-specific payees through, like, title companies — being able to carve those things out.

And then, what you’re left with, everything else, and then having to then classify everything else into categories of what services they do, what risk they could bring to the bank, and then boiling that down even further to be those higher-risk services, even if a contract is not involved. Maybe we use a service from a particular company every year, but we don’t have a full contract in place because our intent is to continue to use them. It would behoove us to go ahead and bring them under the third-party risk umbrella. 
 

Helen, you’re coming from FCB, which is more traditionally an FDIC-regulated institution — a similar premise to what Kathryn discussed in terms of larger changes with the guidance, from the FDIC historical guidance to where this is today. How are you adjusting to the new requirements or new guidance, and what are you doing to implement that within your program?

From our perspective, we always had a look back to the OCC, because it was always more prescriptive than the FDIC and the Fed guidance. This new interagency guidance for us is harmonizing the expectations, and it aligns the regulators. In our world, it’s been more helpful because so often, when we would bring up OCC guidance, we’d consistently be told, “You’re not regulated by them. You’re regulated by other regulators.” For us, this is now that consistent, streamlined approach.

The challenge is, as we’ve gone into this interagency guidance, it’s taken away some of that prescriptiveness, and it’s become broader and there is more opportunity for interpretation. In fact, you’ll see the liberal use of the word consider throughout the entire documentation. Our read of that is because this interagency guidance is for all banks of all sizes. How you consider that guidance and how you interpret it and how you implement it into your organization is based on the size, the complexity, of the organization you’re working in. The big takeaways for us, as it relates to how we’re going to really embed it within our organization, sits between the definition of vendors.

That’s exactly what Kathryn just mentioned as well. What is that interagency definition, or how are we interpreting that? From our perspective, we’re attaching this with a full comprehensive inventory. For us, it’s how we're going to segment the risk between those types of relationships and how they’re going to be managed, which is going to be different. That’s our key takeaway. 
 

The one question — and you alluded to it, but ‘'ll add quickly — is that the regulators certainly go out of their way to make this a principles-based document, meaning there’s flexibility and approach, but you also then have to defend how you’ve finalized your program in a different way. It'll be interesting to see how the regulators interpret that. That also allows different flexibility going forward.

Kathryn, back to you: You mentioned critical activity earlier as part of your intro statement. How are you, from a Veritex perspective, focusing on those revisions to critical activity? Are you looking at additional adjustments to your program to factor that piece in?

Our program has five tiers: tier one, critical risk, down to tier five, very low risk. Within that, though, there'll be an interesting discussion on differentiating between critical risk and the risk of the vendor and the controls of that vendor versus a critical activity. We’ll have a subset within our inventory that you could have a vendor that provides a critical activity to the bank, but they might not necessarily be a tier-one critical risk. How that marries together, we’re still working on what that looks like.

There might be a subset deemed mission-critical, in a sense, where if these vendors fail, then the bank can no longer operate, or if they have access to customer data that is very large and in-depth, and there’s a breach that could be substantially damaging in all different facets — that could be a critical activity if there were a breach or an issue with that data getting out where it’s not supposed to. We have to define the difference in the risk levels, but then specifically define that a critical activity could be any of those risk levels, and those would be treated as a subset with much more in-depth due diligence and monitoring that would be required. 
 

We’ll go to Helen here for a second, but the next question builds off exactly what you were just stating, which is around the integration into broader risk management topics within the guidance, and that being a critical point of that principles-based approach the regulatory bodies have taken with this document. Helen, on that topic, how are you working with your other stakeholders to embed those risk topics throughout your program in a more meaningful or direct way going forward to be able to demonstrate that linkage to the regulatory bodies as well?

That’s gaining a lot of enthusiastic traction within our organization. For us, it starts, how are we embedding it as part of the program? That speaks to, of course, making sure at least that our policies and standards, our roles and responsibilities, are clearly articulated. This is where we’ve always been aware that TPRM is a team player. We sit in the middle of so many other parts of the organization. Whether TPRM as an organization sits in risk or not, it has lots of tentacles into the risk organization.

For us now, it’s a mapping exercise, so it’s understanding every part of that program, every part of this interagency guidance, and understanding who those key players are and creating a playbook. We’ve still got to establish that a little bit further in terms of ensuring from those playbooks and those key stakeholders, understanding how they interact when there’s an event, whether it’s an incident, who comes to the table, what did they do, how was that documented? What do we need to go back and look at?

The one area that we’re hearing here is resiliency. We saw resiliency as a key, almost defined approach, where we’ve talked about this guidance being quite broad, and not really having many definitions. Resiliency comes up an awful lot. How we interact with our resiliency teams and how we build those into our playbook and how we understand that as we think about our third parties, we think about our software, we think about how that software is hosted, our incidents, is going to be absolutely key.

Right now, at this point, how are we embedding it at the moment? It’s going to be through documentation. It’s going to be through those playbooks, and there’s going to be probably at least a year or so of those playbooks being remapped after every incident and event to ensure that we did have the right stakeholders at the party to address whatever the concerns are that came out. But the key thing for us that we took away from this is that we have a bigger presence within the resiliency team for opportunity to provide feedback and to gain information from them as to how they’re going to work through an event, whether it’s a long-term event or a short-term event, a disruption to service, or how do we get out of something if the need arises?

Helen, I’ll follow up with a quick question on that point: When you think about both the integration into the broader risk management components, but then also the day-to-day management of those risks within your organization, are you beginning to see any adjustments to that in the sense that now we now have different expectations for our third parties compared to what we maybe traditionally did at this point, or is that still to be determined?

Yes, TBD in terms of officially making that commitment, but we’re definitely seeing that as we look across the broader approach and we look across the broader documentation, the alignment does need to happen, and there are going to be changes as it relates to this interagency guidance. But I don’t think we’re ready to share what we think those changes and what the impacts of those changes are going to be at this time.

Kathryn, what are the biggest takeaways for you on the program and things that you’re going to focus on now that the guidance has been finalized over the next six to 12 months?

We’re doing a full gap assessment to take our current program and map it literally sentence by sentence to the regulatory guidance and see where we have a gap or if we are noncompliant, and then taking that and determining the next steps. The biggest piece, obviously, will be defining that critical activity and how those will be handled, how we define and defend that business arrangement, what’s in scope, what’s out of scope, and being able to come to the table with that and then ensuring that all the 14 sections are fully covered.

But as Helen mentioned earlier, the word considered, that’s nice, but we also have to sometimes anticipate that we’re going to be asked to show evidence of how we considered something. That becomes burdensome on some banks to be able to evidence, how did you consider that? That’s going to be a big takeaway so that we are able to show we did consider, and why we did or did not choose to go down a more robust due diligence or not because of our consideration.

It goes back to that principles-based approach and the defendability of it. If you’re going to not include certain elements of the guidance in your program, it’s going to be an easy question from the regulatory bodies on, why did you consider this, or why didn’t you consider this, and how can you defend that time and time again and again? That’s going to be a question that likely will get raised with a lot of organizations. Helen, same question to you: What are the big takeaways for you over the next six to 12 months, and how are you incorporating that into the program?

I cannot say it better than how Kathryn phrased it there. She hit all the high notes that we were thinking about. We’re going to be doing a roadmap. We’re going to be doing a gap analysis against that interagency guidance, prioritizing a roadmap of implementation over up to three years, depending on the scalability of what we’re trying to achieve.

The big takeaway is exactly what we just mentioned — justify all decisions. What we took away from this is a comprehensive inventory, and the need for that. What that does is open Pandora’s box. That means everything is in, from a payee to what was traditionally a nonvendor third party, which is the original guidance — or nontraditional is often heard about. It’s about documentation, and justifying all those decisions and methodologies in that risk-based approach, which, again, is organizational specific to the risk appetite — exactly the same pieces that Kathryn picked up on their criticality. For us, it is quite different this time around in terms of distinction, that we can separate a critical activity from a vendor. The vendor may not be critical, but the activity may. That then dovetails nicely back into where we started, which was that resiliency plan. We’re going to have to be getting a look at those business-continuity plans, those resiliency plans, and the last piece that we took away that isn't identified specifically — concentration risk. That’s embedded within resiliency, so that comes back to understanding our concentration at a vendor level, an individual vendor, the subs, the geographical risk, and now, specifically, the cloud providers, because there are only two big cloud providers, and we’re all using them. That’s where our resiliency plans need to go — that one step further is understanding that impact. 
 

Helen, you raised the question there: Were there other topics that weren’t in the guidance that you were expecting in the final guidance?

It was interesting because it changed quite a lot right before the draft to here. The draft was a lot more prescriptive, so I was a bit surprised about some of the elements that didn’t make it into the final cut, and that it did become this more holistic approach of interpretation. In terms of anything else that I expected to see in there, I was expecting to see more specificity around cyber risk. There’s no mention of sourcing, even though there is mention of contracts. But the biggest thing for us was the change in where the draft went to the final and what was removed in terms of that specificity and how it became much broader in its approach.

I was surprised concentration wasn’t specifically called out, especially given what has happened in the last 24 months in the world in all different facets and in the financial space, specifically. Moving from the FRB guidance, it was very specific on the risk assessment, on the front end of the service, and you didn’t see that in this interagency guidance. It’s almost mute, and so it leaves it up to your bank’s interpretation and your organization to decide, how are you going to risk-assess that front-end service to then dictate your risk-based approach so that everything that follows it is at the same level as what that inherent risk of the service is. It didn’t mention that. It leaves some ambiguity to be able to decide for yourselves and then have to defend that to the regulators.

I would go a step further, even, Kathryn, on that point, to say that even within the guidance, specifically as it relates to the risk assessment methodology, it does allow for flexibility between what you were talking about earlier, which is a risk assessment methodology with critical incorporated within it, and risk assessment methodology with critical as an additional data point. Rather than being hard and fast in terms of how they would like people to interpret that, they left it open for everybody’s own programs and flexibility there.

On the concentration-risk piece, for any listeners out there, in the revised version of B10, the Canadian regulator recently released their revisions to their third-party guidance, and there is a relatively prescriptive version of what they expect from a concentration-risk perspective. I would use that as a good baseline. If I’m building a program, these are the types of data points that should be considered. Again, it’s coming from a Canadian regulator, so likely not applicable to most organizations in the U.S. But for those that need to address it, it would be better to have that data model built so you can demonstrate that going forward, too.

Kathryn, we talked about critical activity and the impacts to resiliency and the linkage to resiliency. Some of the conversation around that also includes the linkage to subcontractor management and fourth-party management. How did you react to the interagency guidance and how they defined, or maybe didn’t define, expectations around fourth-party management and subcontractor management?

I was surprised — slightly pleasantly — that it wasn’t super prescriptive based on historical experience, and banks needing to know the fourth, the fifth, the sixth parties, in some cases. It’s mentioned, but it’s not very robust, so it can be left up to interpretation. For us, what the approach would be is, if there’s a critical activity that that vendor or third party is providing, do they have themselves a critical fourth party that could impact us? In those situations, it would be best practice to go look at those fourth parties, or at least understand what that risk brings, and then, what kind of resiliency plans do we have, or backups, in case that were to fail? While I was surprised it wasn’t more robust, at least we do have some reprieve, in a sense, of going down to the fifth, sixth parties, at least right now. We’ll see.

What’s interesting too, about fourth-party management, the guidance gives a bit of a reprieve to organizations in the sense that it focuses more so on how a bank or how a third party manages their fourth parties versus the direct oversight that was implied previously with either critical subcontractors and going down that never-ending list of fourth and fifth parties, as you mentioned.

Are there any other topics that we want to add?

The only one that jumped to mind was a financial health piece. It gives a bit more clarity. It’s interesting because my position, picking up a bank that was a failed bank, there was a financial health aspect to that, and there is a bigger onus on financial health and having a better understanding and awareness of the financial health of the people we do business with.

That’s challenging because we’ve got private companies that we do a lot of business with that release financial statements once a year, and so it’s going to be hard to monitor them in between. And how are we going to come up with a robust way of monitoring that? Yes, there are going to be negative news alerts, but without the ability to get financials more frequently than every 12 months, it’s very difficult at a private-company level. At a public level, there are lots of tools out there that can help us and automate the financial health monitoring. A lot of organizations are already using those. A lot of TPRM software is already integrated with those.

It comes back to ensuring that you have a robust program that can monitor those changes, and, again, that you have that clarity around segment decisions. If it hits a certain threshold, what are you doing? How are you doing it? What’s the escalation, how are you reporting on it? But we’ve got a challenge as it relates to the private company sector, which often is part of fintechs as well. And fintechs have become a new buzzword, so that’s going to evolve. I don’t know that we’ve got an answer for that, Brian. If you have an answer, I’d love to hear it, but it’s certainly something we’re trying to get our arms around, and current with the methodology that we’re comfortable with.

The fintech piece — we’re getting a lot of questions already on that topic, and it goes back to the definition of “third party,” and how are we going to have this principles-based approach spread throughout the program, in a lot of ways, because there's flexibility in how the regulators have defined what a third party is in the sense that pretty much any third party is a third party.

What that also means is, from our perspective, the number-one thing that organizations need to focus on is being able to have one single-point inventory that they can manage for all third parties, all third-party types, as long as they can commingle their data across the various types of third parties and programs that they may have. To me, that’s going to be a critical component of being able to show that you have an understanding of all your third-party types, and how are you managing those third-party types? To me, it doesn’t mean they all have to follow the same program. You still have to have the elements of the programs, but you don’t have to have everything go through one cookie-cutter approach.

That, in itself, is complex because we’re now talking about having multiple programs, and that is more people, more to manage, more to QA, QC. That is quite a big undertaking. It’s the right approach. It’s ensuring that we do things in the right way for the right size risk. It creates additional complexity. Again, that’s something we just need to understand — what the impact of that is if we move to this multiple program approach-based methodology.

It leads back to the point that we’ve made a few times already, which is, you have to defend the multiple-program approach and likely be able to defend that in different ways.