“Banking Matters” is a series written for banks and the companies that want to work with them. The goal is to share knowledge and best practices about how to build a compliant, scalable digital financial services ecosystem.

In a recent post, we outlined how to structure these partnerships to enable strong bank oversight. Today, we’ll discuss the importance of third party-risk management—and what that means for banks. We’ll also share our perspective on three key principles providing the foundation for strong third-party risk management practices.

The importance of third-party risk management

Who has the primary responsibility for ensuring that financial products distributed through bank partnerships are safe and compliant? The answer, for regulators, is simple: the bank.

Banks have long relied on third-party service providers to support a wide variety of functions in connection with their banking programs. For example, banks often rely on:

• payment networks to power card payments
• core vendors to maintain their ledgers of record  
• compliance solutions to help verify customer identities  
• information technology companies to keep their systems safe  
• consulting firms to provide advisory services or staff support 
• partners to distribute their products

Each of these service providers has an obligation to the bank to operate lawfully and in compliance with the terms of their agreement with the bank. But ultimately, the bank has the primary responsibility for ensuring that its products are offered and delivered in a safe and sound and compliant manner.

Interagency guidance on third-party relationships

The same principle applies to third-party program managers, which function as a digital distribution channel for the bank’s financial products. 

This was reiterated in June 2023, when the three prudential bank regulators (the Federal Reserve Board, the FDIC, and the OCC) published interagency guidance on managing the risks inherent in third-party relationships.

They affirmed that banks are responsible for ensuring that their financial services are offered in a safe and sound manner. Thus, the bank should adopt risk-management policies commensurate with its size, complexity and risk profile, and the nature of its third-party relationships.

The guidance covers a variety of topics—discussing, for example, what constitutes “critical activities” performed by a third party and offering examples of risk management at each stage of the third-party relationship life cycle.

Three principles to ensure effective third-party risk management

Given the number of service providers banks rely on every day, running a bank can feel like conducting an orchestra. 

The stakes are high, and success depends on each instrument playing its part well. Here are three principles for effective third-party risk management that can help ensure that each banking function is performing in harmony. 

1. Transparency. Improving information flows among key stakeholders enables more contemporaneous risk management, sharing of best practices, and productive collaboration. For example, it’s critical that banks have easy access to data about their customers and how they’re using the bank’s financial products. This data should be accessible both in real-time via a dashboard and in aggregate form via reports. For example, Unit's platform enables audit logs, which can be used to track changes to products, customers, and accounts.

2. Consistency. To reduce the surface area of oversight, it’s helpful to maintain a consistent approach to overseeing third parties. That can mean standardizing terms, vendors, compliance workflows, and legal documents. It can also be a good idea to use the same approved vendors across your program management relationships, as this can streamline the amount of third- and fourth-party due diligence and monitoring required. For example, the Unit platform allows banks to manage programs using a consistent set of KYC/KYB solutions and legal agreement templates and a consistent approach to statement generation, dispute handling, and card production.  

3. Control. Banks must maintain control over the partnerships they support. That means selecting the right program partners, setting limits and restrictions on those programs, and determining and adhering to a risk appetite. To that end, a modern technology stack is essential. For example, with Unit, banks have direct digital access to all program partners via a single system of record, as opposed to navigating multiple platforms.

‍