Large Bank Supervision Forum eBook
Internal Use Only
Banks should conduct independent reviews for third-party relationships that perform critical activities. . .
The bank’s internal auditor or independent third party may perform the reviews.
Senior management should confirm that results are reported to the Board.
Reviews should address the adequacy of the bank’s process for the following:
1. Alignment with Business Strategy
2. Third Party Risks
3. Concentration Risk (especially if foreign-based or use of subcontractors)
4. Material breaches, service disruptions, or other material issues
5. Involvement of multiple bank departments throughout life cycle
6. Appropriate staffing level and expertise
7. Oversight and accountability of third-party relationship
8. Conflicts of Interest
© 2023 – FinPro, Inc.
Proper documentation and reporting facilitate the accountability, monitoring, and risk management associated with third parties . . .
1. A current inventory of all third-party relationships
   − Does it involve critical activities and what are the key risks
2. Approved plans for the use of third-party relationships
3. Risk assessments
4. Due diligence results, findings, and recommendations
5. Cost/benefit analysis for each third-party relationship
6. Executed contracts
7. Regular risk management and performance reports from third party
8. Reports from third parties
   − Service disruptions
   − Security breaches
   − Other critical issues