Growing Challenge: Managing Third Parties within the Banking Industry


The challenge of managing third party relationships has expanded within the banking industry. In guidance issued last year by the Office of the Comptroller of the Currency (OCC), the scope of such relations has grown to include third parties beyond suppliers and vendors – such as JV partners, channel arrangements, debt buyers, correspondent banking relationships and more.

Perhaps the biggest challenge to the scope expansion is one shared by every industry – should all third parties be included in a risk management solution or just those that pose the highest risk? And, if it is a subset, can you and should you identify the most risky relationships?

First, as a practical matter, it is a waste of time and resources to risk manage third parties who do not light up an organization’s top risk list, for example local facility landscape contractors. While there could be a local conflict of interest or inappropriate gifts or entertainment involved to secure the contract, such misconduct – or a sudden failure of the vendor to deliver – will not cause major damage to the reputation or financial/operational viability of the engaging entity. Therefore, triaging third parties based on risk level is an overall better approach and an emerging trend.

So how can you identify the riskiest third parties? The process starts outside the third party world with identifying your organizational risks and sorting them into low, medium and high risk buckets. Next, decide how many buckets you will consider for full due diligence and monitoring of third parties who potentially expose your organization to those risks.

The mistake we see many companies make is the use of only one criterion in evaluating third party risk – and it is not always tied to the organization’s risk profile. Size of contract is one example. Using dollars as the single filter means you potentially waste resources screening some of the largest companies that likely have great compliance programs in place (e.g. IBM, GE, Microsoft) and ignore smaller business partners that could present significant risk, especially when considering your company’s high risk areas (e.g. a small consulting firm helping with business development in the Middle East).

Best practice is to use multiple criteria that are more likely to point out potential risk, including:

  1. The type of product or service provided (critical system software development vs. lawn care)
  2. Geography (Yemen vs. Canada)
  3. Length of relationship (new vs. 20 years old)
  4. Age of company (new vs. 20 years old)

Automated third party risk management systems can help with this task by utilizing client databases in combination with the external data screening sources such systems already use. This area continues to evolve, but the process must start with a good organizational risk assessment and a solid understanding of the tools available to help identify and thoroughly screen your riskiest partners.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© NAVEX Global | Attorney Advertising

Written by: NAVEX Global
