4/26/17 - New Challenges in Managing Third-Party Relationships

Regulators in recent years have shared definitions of “third party,” as well as offered lengthier and more detailed guidance on managing risks arising from third-party relationships. Meanwhile, financial institutions face the considerable challenge of interpreting and applying this new guidance, even as their business models evolve and the marketplace grows in complexity. 

What Counts as a Third-Party Relationship?

In today’s regulatory environment, critical third-party relationships extend beyond contracts with traditional vendors (e.g., information-technology providers) to encompass all external business arrangements. Effective programs for managing third-party risk now cover banks’ relationships with third parties that assist in account opening, product sales, servicing arrangements, collections, payments, and all other significant bank functions.

The nature of these relationships continues to evolve along with the marketplace. Financial-technology startups and specialty vendors now offer outsourced operations that affect critical parts of the customer life cycle — or even, in certain instances, the entire customer interaction, from initial referral through product and service delivery. These evolving business models and relationships have led regulators to adopt a new approach for overseeing banks and their service providers. In certain instances, regulators increasingly expect third-party risk management to be reciprocal. In this oversight model, a banking entity that issues credit (for instance) will monitor the service providers that manage front-end product sales and provide back-end servicing — and the service providers will in turn monitor the bank and each other. 

Oversight Expectations

The primary federal banking regulators have issued the most relevant guidance on third-party risk management. The Office of the Comptroller of the Currency’s Bulletin 2013-29, which is often cited as the most comprehensive guidance on the subject to date, offers firms some latitude in how they interpret and apply it depending on the nature of the third-party activities in which they engage.[1] Large financial services organizations, therefore, face a particular challenge in applying the guidance to their complex business models and numerous relationships with third-party providers of key customer banking functions.

Banks’ evolving business models are bringing more and more of their third-party relationships within the scope of the regulations, and financial institutions are thus adapting to meet some key expectations from the regulatory issuances:

OCC Bulletin 2013-29: “Third-Party Relationships”

  • A bank’s risk management and oversight of relationships should be “commensurate with the level of risk and complexity of its third-party relationships.”
  • “The OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities.”

Federal Reserve Supervisory Letter SR 13-19: “Guidance on Managing Outsourcing Risk”[2]

  • “The use of service providers does not relieve a financial institution’s board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations.”

Consumer Financial Protection Bureau Compliance Bulletin and Policy Guidance 2016-02: “Service Providers”[3]

  • “The Bureau expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed … and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.”

Industry Challenges

Financial institutions confront several key challenges when applying the established regulatory guidance to their evolving business operations and various third-party relationships:

1. Knowing their providers

Identifying and vetting a comprehensive set of third parties with which they may enter different types of business arrangements

2. Contract negotiation

Negotiating contracts that allow for a sufficient level of ongoing oversight and access to the data necessary for effective risk management

3. Incentivizing vendor behavior

Ensuring that performance measures and compensation reward and encourage desirable vendor conduct, compliance with requirements, and customer satisfaction

4. Providing oversight and training

Ensuring active oversight of service providers — including assessments of their compliance, operational, credit, and other risks — along with regular training to help the third parties manage those risks

5. Establishing exit strategies

Developing realistic contingency plans that establish measures for exiting the relationship in a timely manner and remediating customers who are negatively impacted by the provider change

6. Managing evolving business models

Adapting programs for managing third-party risk to changing business models or new third-party relationships

7. Formalizing roles and responsibilities

Establishing formal roles and responsibilities, across the three lines of defense, to allow for comprehensive oversight of all applicable third-party risks

While some of these challenges stem from ongoing issues facing the industry, many firms risk compliance lapses due to an inability or unwillingness to adapt their third-party oversight programs to shifts in the regulatory landscape. A bank that periodically evaluates and enhances these programs will ensure that its oversight is “commensurate with the level of risk and complexity of its third-party relationships,” in the words of the OCC guidance. This effort will include an evaluation of all aspects of the risk management life cycle — from planning, due diligence, and risk rating, through termination of the relationship.

How Promontory Can Help

Promontory, an IBM Company, helps clients create, evaluate, and enhance programs to manage their third-party risks. Our expertise in third-party oversight derives from extensive client work, industry experience, and regulatory knowledge. Promontory works with clients to develop programs that meet their individual needs and offers assistance with implementing all phases of third-party risk management. We also advise clients on creating formal roles and responsibilities; developing policies and procedures; documenting process flows; establishing risk-assessment methodologies; and developing management, committee, and board reports.

Contact Promontory

Please contact a senior member of our consumer protection practice for more information about how your firm can enhance its third-party oversight:

Linda Gallagher
Managing Director, Global Head of Consumer Protection Practice
+1 202 370 0411

Eric Ferri
+1 202 384 0611

Mathew Ondus
+1 202 370 0395

[1] “OCC Bulletin 2013-29,” Office of the Comptroller of the Currency (Oct. 30, 2013): https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.

[2] “Guidance on Managing Outsourcing Risk,” Federal Reserve Board (Dec. 5, 2013): https://www.federalreserve.gov/bankinforeg/srletters/sr1319a1.pdf.

[3] “Compliance Bulletin and Policy Guidance; 2016-02, Service Providers,” Consumer Financial Protection Bureau (Oct. 31, 2016): https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/102016_cfpb_OfficialGuidanceServiceProviderBulletin.pdf.