Comments on the Guidance Issued for Public Comment by Federal Banking Regulators

Jim Freis, co-founder of CRINDATA, talks with John Maher about the comments made during the public comment phase of recent guidance issued by federal banking regulators. He explains the industry’s reaction to this guidance and goes over some of the most common comments. Then, he explains why financial institutions need to coordinate their due diligence efforts, rather than duplicating the same due diligence tasks individually. 

Podcast Transcript

John Maher: Hi, I’m John Maher. I’m here today with Jim Freis, co-founder of CRINDATA, a FinTech startup supporting financial institutions and their service providers. Today, our topic is comments on the guidance issued for public comment by the federal banking regulators on the topic of risk management for third-party relationships. Welcome, Jim.

Jim Freis: Great to be here, John.

The Purpose of Regulatory Consultation

John: Jim, I understand that you filed the public comment letter. But before we get into your recommendations, can you give me a little bit of background and explain the purpose behind this regulatory consultation?

Jim: Of course. John, the main thing to understand here is that the principle or the regulatory expectation remains unchanged. And that is a very basic one, that any banking organization if it decides to outsource certain functions… in the basic sense of instead of doing them all within your organization to contract with an external service provider to help you with that service or provide a different product to a bank, in particular, the use of different IT functions, data analysis, or even how we store data or deliver websites, you might go to different experts in that area to help the bank better deliver its services. 

But the principle remains that the bank still is fundamentally responsible for those services. So this is an aspect of something critical to the overall safety and soundness of the bank that both with respect to your internal procedures, your internal departments and personnel, or some of the external third-party service providers on whom you rely, you need to have overall risk management under control.

And what this consultation is about is a revision of existing guidance that is designed to help banks meet those risk management obligations. When I say revision, we’re talking about guidance primarily that came out in 2008 from the FDIC and from 2013, that came out of Office of the Comptroller of the Currency, the OCC. And 2013 from the Federal Reserve. They’ve also issued some interpretations and FAQs over time.

We’ve seen that the technological world in which we live and the dependency on third-party service providers has only increased. So what you have now is a situation where the principles are the same, but the facts have changed and the relevance has changed. It’s an aspect of good government that the banking regulators are coming together, taking their three different versions of guidance with respect to the same principles or same goals, harmonizing them, updating them, and issuing them together.

Changes in the New Risk-Management Guidance

John: Okay. And what is new in this new guidance compared with the prior guidance that you just mentioned?

Jim: There’s a lot of details, but the one element, particularly when we talk about revising the OCC’s 2013 guidance (because basically the other regulators are following the OCC’s framework), that is entirely new is an invitation to banking organizations to look at shared solutions to meet these goals. So whether it’s a utility, a bank consortium, or external service providers that specialize in this aspect of helping banks meet their risk management or operational risk oversight of third-party service providers, the banking regulators are opening the opportunities.

And in fact, I think you can read from this, that they’re actually encouraging that. Why? When you take the fundamental aspect of due diligence of your third-party service provider, that means before the bank makes a fundamental decision that we can both more efficiently and more cost effectively purchase this service from an external provider rather than hiring the people and developing them internally. 

Before you sign that contract, you’re going to know with whom you’re dealing. You’re going to know whether you feel that same level of comfort and a cost-benefit analysis that really makes sense. That’s what the due diligence process is about. But some of these services have become a type of commodity or that service provider is selling them to a hundred banks. So a hundred different banks are going to each have to make their own risk determination that it makes sense to them.

But they’re also asking for some of the same underlying information. They want to know the financials, if this institution is fundamentally sound, if it’s going to be around for the five years of my contract period. Does it have audit reports? Does it have appropriate insurance? What type of business continuity functions does it have? Where does it share my data? You’re asking some of the same questions. So you can increase efficiency by doing that together. And that’s a big aspect of this opening that the banking agencies are really creating for the banks.

Benefits of Bank Collaboration on the Due Diligence of Third-Party Service Providers

John: Okay. That sounds quite broad. Could you go into some more specifics on the main topic areas or the components?

Jim: This is really about risk management and therefore a helpful aspect drawn from the OCC’s existing guidance is to look at the entire life cycle of the risk management process, where they even have a diagram that breaks this up into stages. So start of course, with planning the internal determination that it might make sense to go to an external party. Then consider the aspects of the due diligence and the selection criteria of comparing alternative providers.

Some aspects that they recommend be part of the contracts themselves with that third provider is of course not always that easy. We know that increasingly in our modern day and age and with IT providers or data providers, you have these types of clickthrough contracts and it’s one size fits all. But it’s a question of whether the banks actually have the marketing ability to determine some of those requirements that they need for their unique risks.

And then an aspect of once you sign the contract, it is only the beginning of the relationship. You need to monitor these risks, your considerations on an ongoing basis. You need to update your analysis from time to time, and even after the end of a relationship, you have to consider how you might transfer services to another provider. So that’s the entire risk management life cycle. And there’s very helpful aspects of the guidance in terms of the overall oversight and accountability with the management team even up to the board of directors of a bank. 

Because fundamentally this is a core aspect of the overall risk management and risk tolerance of the banking organization, which is a responsibility of the board of directors. And of course, there are aspects of documentation, reporting to all those parties, even external audits in that regard. So those different components are aspects of how the regulators have helpfully tried to break down different steps or stages of the risk management life cycle and give components of who has what responsibility and essentially best practices in dealing with those different aspects.

Is the Life Cycle Approach the Right Way to Deal With Risk Management?

John: And do you agree with this life cycle approach that they’ve taken in this guidance, or do you have things that you would like to see added to that?

Jim: The life cycle approach is very important because otherwise we’re not really talking about risk management, we’re talking about something narrow, like again, contractual aspects. But many contracts are signed and then filed away electronically. Risk management is a living aspect of the relationship. 

And another way to think about one of the aspects of defining the applicability of this guidance and the notion of reliance on a third-party service provider, it’s an ongoing relationship. It’s not a one off transactional aspect. It’s not the aspect of dealing with a specific customer or a specific counterparty such as I’m transferring money on a one off to this other bank at the request of my customer or buying assets such as securities from this counterpart. It’s, I’m relying on this service provider on an ongoing basis. So that really is something that lends itself to changing aspects over a period of time within this life cycle.

But the one comment that I made and which I think is missing from the life cycle is that so much of it is about preparatory aspects, documentation, things to really make sure that you’ve thought through the risks of what could go wrong and do as much as you can to anticipate to prevent that. But it doesn’t bring into the life cycle the fact that as a practical matter, things will go wrong. You hope not with respect to individual third party service providers, but if you rely on hundreds of different service providers, maybe even a hundred that are providing critical activities for you, it’s only a matter of time before there’s an aspect of disruption.

It’s only a matter of time under which there could be an aspect of a data breach or that next aspect of a software upgrade doesn’t go exactly as planned. And therefore, risk management has to include aspects of business continuity management, aspects of operational resilience, aspects of how you respond to that incident. And when we talk about anticipating risks, to a certain extent it’s academic, but once we actually have a risk that’s realized, once there has been an incident, the lessons learned from that are better than any type of hypothetical discussion or preparation process.

We need to learn from that. And I think that, when we’re talking not just about individual relationships, but an overall approach and the guidance toward this overall approach to risk management, it’s critical that this link, this anchoring of the reality aspect of dealing with disruptions is part of that risk management life cycle.

What Should Regulators Add to the Guidance?

John: So what would you like to see them add to this guidance? Is it aspects of notifying customers when there’s been some sort of an incident? Is it aspects of having backups in place that you can switch to in case some part of your system goes down? Or what are some of the sort of specific things that you’d like to see them add into the recommendations?

Jim: So all of the above. Effectively within the notion of a life cycle, there is a need to add a component that deals with operational resilience. By that, I’m very specifically not saying that we need to incorporate all of the other documentation and guidance and specific rules related to business continuity management, but they’re missing, in terms of a cross reference, at that critical aspect. And it’s particularly interesting that the regulators issued at the beginning of 2021, a proposal for comment, for a new rule on the issue of incident management.

What happens in the event of a disruption of services provided by third-party service providers? So exactly the risk that this guidance is meant to manage, to more specifically create venues and create timely obligations for reporting obligations that come first from the service providers in the banking organizations, and then from the banks when it has a potential material impact on them to their regulators.

That is an aspect that takes into consideration the reality that regardless of how good your preparation occurs across the universe of service providers and across the universe of banks in this country and globally, that incidents will occur. Let’s not just prepare in advance to try and minimize them, but let’s make sure that we are prepared to deal with them in a timely manner. So as a practical matter, not only could those cross references and the integration be put into this proposed revision of the guidance in terms of a more comprehensive and frankly, a more practical rather than just theoretical life cycle.

But ideally, that regulatory consultation for a new rule, new obligations that came out in January of 2021 together with this revised guidance that was put out for public consultation in June of 2021, the two would be finalized together and be looked at as an integrated whole, because that’s exactly what they are. They are different components of the bank’s overall obligations, theoretical and practical, related to risk management of their increasing reliance on third-party service providers.

Do You Want to See an Integration of the January and June Regulatory Proposals?

John: So these were two separate proposals, the one in January and the one in June. And your recommendation is that they integrate those together in one cohesive recommendation?

Jim: That would be not only complementary, but it would further the policy goals that are described in each of the two different regulatory pronouncements.

What Are Your Recommendations for Improvement?

John: Okay. And what other recommendations do you have to change or improve the guidance?

Jim: So in addition to that, some of the aspects that you also see in looking at this broader context of operational risk management is the question of being risk based, where should we prioritize? A keyword that the regulators have used in a number of aspects of operational risk management is “resilience”. So meaning how do you deal with an incident, whether it’s a shock to the markets in terms of a COVID shock or the Lehman failure? Now more than a decade ago, that aspect of resilience business continuity is something that needs to be an integral part of your approach.

But those examples are ones that really have a fundamental bearing on the overall operation of the institution. To put it another way, the regulatory pronouncements with respect to operational risk management could increase emphasis on activity that the institution determines is critical, meaning, that it could lead to a real loss for that institution or a negative impact on its customers.

A challenge for banks is even the word critical is used in different ways with different definitions in the different aspects of regulatory guidance. That’s confusing to banks and can be somewhat contradictory. So one recommendation is that the regulators more clearly focus on defining what they think is critical and harmonizing that definition across the different pieces of guidance. That will help the banks in their effort to prioritize.

What Do Banks Need to Respond to the Revised Guidance?

John: And what would help banks in responding to what is being called for in this revised guidance?

Jim: So coming back to my earlier comment, that the issue that singularly is new, a real change from the earlier guidance or a real addition from the earlier versions of the guidance, as opposed to little bit more elaboration, is the invitation to the industry to focus on shared solutions. 

The request for comments on the guidance refers mostly to those shared solutions in the context of the due diligence process. Again, the preparatory process, the evaluation, the collection of documentation and information of which there’s a lot of duplication of efforts, meaning in parallel, people are doing the same thing.

It’s very natural that you could achieve more efficiency by working together and therefore allowing you to focus your efforts on the more value-added aspects of real risk mitigation. But the efficiency and the benefits of a type of shared approach or relying on a specialist provider also can benefit the banks throughout this entire life cycle of risk management, with respect to aspects of ongoing monitoring.

Again, not just when you’re signing a contract, but making sure that the party is continuing to perform, such as an independent party scanning aspects of: Were there data breaches? Were there rumors or evidence of leaks in the market? Is there a potential change in the service provider, even through a corporate change, such as they’re going through an M&A transaction? They’re merging with another party.

These are the aspects that any bank would benefit from learning proactively, but there’s a lot of duplication of effort to do that in parallel with all other banks that are out there. So again, it lends itself to an industry solution. And also these aspects that I think are a critical part of the life cycle management, the responses to incidents and your operational resilience. So shared solutions are going to be a big part of the future throughout the life cycle.

And they also can help the banking organizations and their banking supervisors better understand the risks of some of the pain points for the bank. Pain points related to not just your bilateral reliance on your direct third-party service provider, the one with whom you’ve signed a contract, but many of those service providers rely on further subcontractors. As a practical example, you may be contracting for a SaaS service and you’re directly dealing with the entity that designed that software, and you’re licensing it from them. But for the implementation and the rollout of that service, it’s hosted by someone, your data might be stored by others. So you have a variety of other third parties behind that chain. 

It’s much more difficult for a bank to do the evaluation and understand those risks, even though it’s a good practice and the regulators point to it, that the bank needs to understand that subcontracting chain. Or even more so if that subcontracting chain or your direct contracting chain involves cross border relationships. This is something where again, shared solutions can be more effective ways for banks to better understand those risks and how it’s evolving over time.

Is It Important for Regulators to Consolidate Their Guidance?

John: And you mentioned at the beginning of our conversation that banks had previously received guidance from different organizations, the OCC, the Federal Reserve, the FDIC. How important do you think it is that those different organizations are coming together to put out this new guidance and it’s consolidated between them so that they’re all kind of on the same page, how important is that?

Jim: It’s critical. There is no reason why the banking regulators should differ in terms of the principles of this guidance based merely on the notion of the charter or who happens to be their supervisors. The principles are the same, whether you’re a national bank chartered by the OCC, a state chartered bank jointly supervised by the FDIC or the Federal Reserve, or even credit unions at a state level or national charter. The National Credit Union Administration, the NCUA, needs to also take up this guidance. Something that has been echoed throughout the comment period.

I personally believe it is not against this and should be for it, but they have some different legal authorities in terms of their ability to directly supervise third-party service providers. But ideally you would see not only the harmonization among the three federal banking agencies, add in the NCUA, add in a close partnership with the state regulators. And moreover as a secondary stage, we need to see more cross-border harmonization. Not only in the US, but globally, regulators are focusing more on this aspect of risk management, increased reliance on third-party service providers and calling on banks to put more focus into this.

In our globalized world, many of the providers themselves, call them a FinTech, they’re providing these services to financial institutions, regardless of charter, regardless of location within a group or to different organizations in different countries. Why should we be applying different standards just on those aspects, if the services and the risk related to those services are the same? But in conclusion, I’ll just say the very fact that the banking agencies are working together to harmonize this before we even go into the details, shows how much more important it is to them. And it’s a topic that we’ll see more emphasis on going forward.

Contact CRINDATA to Learn More

John: All right. Well, that’s really great information, Jim. Thanks again for speaking with me today.

Jim: My pleasure.

John: And for more information, you can visit the website at crindata.com. That’s crindata.com.