On May 3, 2024, three of the federal banking agencies published a new Third-Party Risk Management Guide for Community Banks. This guide was published as a supplement to the agencies' Third-Party Relationships: Risk Management guidance ("TPRM Guidance"), published in June 2023.
Let's take a look at why we have a new guide and explore what it says.
The Origins
While some new guidance releases can come as a surprise, this one was as planned as Christmas dinner. Last year's TPRM Guidance stated, "the agencies plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks."
What this means is that the agencies have followed through on their promise. If you'd like to see the agencies' announcements and press releases, check out these pages:
The Guide's Sections
This guide is split into four primary sections.
Section | Description
Risk Management | This is a one-page summary that describes why managing third-party risk is important for banks.
Third-Party Relationship Life Cycle | This is the heart of the guidance, diving into each stage of the life cycle: planning; due diligence and selection; contract negotiation; ongoing monitoring; and termination.
Governance | This section digs into concepts related to oversight and accountability; independent review; and documentation and reporting.
Appendix | This section provides links to resources published by the federal agencies, including CISA, FFIEC, NIST, and NSA.
These sections largely correspond to sections in the TPRM Guidance. This gives you a point of reference if you'd like to learn more about a certain topic. For example, the Risk Management section in the guide corresponds directly with section B. Risk Management in the bigger TPRM Guidance (Page 31).
The Guide's Subsections
Each section also includes several subsections.
Subsection | Description
Introduction | The paragraph(s) at the start of each section introduce the topic and paraphrase ideas from the TPRM Guidance.
TPRM Guidance | These blue callouts emphasize direct quotes from the TPRM Guidance which apply to the topic being discussed.
Potential Considerations | A list of sample questions is provided to help community banks recognize key areas which need to be evaluated for each relationship.
Potential Sources of Information | A list of sample sources is provided to help community banks know where answers to the questions may be found.
Examples | Sample case studies are provided to show what the principles could look like in action. These examples are not comprehensive, but they are well-written and paint an illustrative picture of the guide's intent.
Each of the subsections is designed to clarify and explain topics introduced in the TPRM Guidance.
For example, one of my favorite Potential Considerations in this guide was the question, "How has the third party performed in the past during periods of economic or financial stress?" This question was not explicitly stated in the TPRM Guidance, but the answer to this question can provide some excellent insight into a vendor's financial stability, which is addressed in the TPRM Guidance (Page 39).
Conclusion
This guide is a helper. It is built on, largely echoes, and sometimes directly quotes last year's TPRM Guidance. This means it is a supplement, not a replacement. You can use this guide to inform your vendor management practices, but should not base your program solely on it.
Your north star should always be about making sure your third-party relationships are safe, sound, and compliant, regardless of whether the guide says anything about it or not. If you can do that, you are likely meeting the objectives of the guide, too.
Learn More about Third-Party Risk Management
Download the Tandem Vendor Management Workbook to learn more. This is intended to be a helpful resource, introducing vendor managers to foundational third-party governance, risk management, and compliance topics. Get your digital copy today at Tandem.App/Vendor-Management-Workbook.