September 2016
In recent years, financial institutions have worked tirelessly to adjust their third party risk management (TPRM) programs to promote compliance with regulatory guidance, including issuances from the Consumer Finance Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), Federal Reserve Bank (FRB), and Federal Financial Institutions Examination Council (FFIEC).
While the supervisory guidance contains some specificity in terms of objectives and methods, it is not entirely prescriptive. Financial institutions are often challenged to understand the exact expectations of what is not written: What does a risk-based approach look like for nontraditional third parties?
Certain third party relationships do not fit traditional “vendor” profiles. Variances from typical risk profiles can be the result of the greater complexity in identifying and managing relevant risks as compared to traditional third party relationships.
Traditional TPRM processes may not be the most efficient or effective methods to identify, measure, or monitor risk associated with these types of relationships.
In this paper, we discuss how “one size doesn’t fit all” when it comes to TPRM, and we explore how financial institutions can address risks that arise from special category relationships.