5 minute read
New Bank Supervisory Guidance Brings Together Standards for Bank Vendors
By Marty Walters, Recovery Risk
June 20, 2023. Sacramento, California. One interesting aspect of bank mergers and acquisitions happens during an integration, when two banks merge their policies and procedures to create one consolidated entity. It is especially interesting when you are the acquired bank, and you get a chance to see how different organizations work from the ground up. When my New York bank employer was acquired by a bank in North Carolina, one of the first big changes I encountered was the way my new employer handled vendors, known in the banking world as third-party relationships. I came from a world of extensive vendor risk evaluations and negotiations of master service agreements that could take 6 months, and my new bank simply maintained a list of approved consultants.
Why? It took me a whole year to understand how banks develop their programs for managing vendors and what is changing in the new interagency guidance issued in June 2023. The guidance is issued jointly by the Federal Reserve, FDIC, OCC, and NCUA, and one of the first things to understand is that these different bank regulators set standards and oversee different kinds of financial institutions.
Federal Regulator Oversees These Financial Institutions
Federal Reserve Bank holding companies Office of the Comptroller of the Currency (OCC)
Nationally-chartered banks
Nationally-chartered savings and loans
U.S. branches of foreign banks
Federal Deposit Insurance Corporation (FDIC)
National Credit Union Administration (NCUA)
State-chartered banks insured by FDIC
State-chartered savings and loans insured by FDIC
Credit unions
Each of these regulators previously issued their own guidance on how financial institutions should manage the risks associated with their third-party relationships for vendors, but the jointly issued a proposal in 2021 and then the final guidance in 2023 to unify these separate standards.
For any environmental risk manager, managing vendor relationships with engineering and environmental firms is a big part of our job. We want to make sure that we have a range of firms that can work on all the different types of projects that come up during due diligence and portfolio management. In addition, some banks use the same vendors to help with purchasing and leasing their bank offices and branches. My previous vendor program also included goals for contracting work to small and disadvantaged firms.
Under the new guidance program, each financial institution will evaluate risks with third party and vendor relationships, such as engineering and environmental firms, to assess how they work with the bank and what kinds of information they use or generate. The amount of money contracted to third parties is also an important element of evaluating risk. Based on that risk evaluation, vendors are classified according to the potential risk their work carries with respect to the bank’s ability to do business and protect sensitive financial and personal information.
In my experience, engineering and environmental firms used in due diligence activities are usually ranked as a low risk by banks, and the amount of review and oversight is at the low end of the spectrum. That can still be a lot of work for vendors, who often must respond to questionnaires and provide information about their scope of work, their subcontractors, and their data security measures in order to do work for banks. In recent years, the biggest focus in my vendor management programs has been on how information is exchanged between the bank and the engineering firm, how the engineering firm uses and stores that data, and whether data considered to be personal information or sensitive is then protected by the engineering firm.
The new guidance goes into effect as of June 2023 and will drive more consistency across the financial services industry. Engineering and environmental firms should be able to develop standardized packages to submit for review to all their current and prospective bank customers. All financial institutions will be expected to have a comprehensive list of vendors, to rank them according to the risk posed from their services, have executed contracts or master services agreements, to independently evaluate performance, and properly close out relationships that are no longer appropriate or serving the bank’s needs. For state-chartered banks and smaller institutions, this may involve more robust vendor risk evaluation programs and more robust oversight and accountability of vendors.
The guidance mentions diversity policies and practices in directing banks to integrate third party management into its broader strategies and goals, but the degree of work and cost involved in meeting all the requirements (even for low-risk vendors) will exclude some small firms owned by minorities, veterans, and other under-represented groups unless they get up to speed on the standards laid out in the third-party relationship guidance. You can find the interagency guidance in the Federal Register for June 9, 2023, cited as 88 FR 37920.
Marty Walters is a 20-year bank environmental and engineering risk veteran who has recently returned to consulting, specializing in managing risks that occur during the recovery period after significant climate, hazardous materials, and economic losses.
In February 2022, at the resumed fifth session of the United Nations Environment Assembly (UNEA-5.2), a historic resolution (5/14) was adopted to develop a binding agreement to address plastic pollution, including in the marine environment, before 2024. For the first time, the international community agreed on a framework to curb the world’s growing plastic problem. This framework involved creation of an Intergovernmental Negotiating Committee (INC) to hash out details of a treaty by the end of 2024. INC’s mandate includes all phases of the plastic life cycle from design and production to waste management.
Since then, INC has met twice, first in Uruguay from November 28 to December 2, 2022 and most recently in Paris from May 29 to June 2, 2023. At the first meeting, the focus was largely on accepting stakeholder feedback and establishing procedures for respectful dialogue, including how to continue to solicit feedback throughout the process. Hundreds of stakeholders participated in addition to member country representatives. Discussion revolved around the the structure of the proposed agreement, with no definitive format resulting from the first session. Two conflicting approaches emerged. One was modeled after the Montreal Protocol, the multilateral environmental agreement that phased down the production and consumption of ozone depleting substances (ODS) in relatively prescriptive steps. The other approach followed the Paris Agreement which allowed each nation to determine for itself how best to tackle climate change and reduce its greenhouse gas emissions through non-mandatory (voluntary) nationally determined contributions.
The second session began with continued discussion about process and procedure, and hearing from stakeholders. Approximately 1,700 people attended including approximately 700 representatives of 169 member states (countries) as well as other interested parties organized in groups known as civil societies. At first it seemed negotiations would be bogged down by process. Environmentalists claimed the plastic producers and producing countries were stalling discussion with conflicts arising about the role of plastic recycling, among other things. However, by the end of the session the parties had agreed that the INC Chair, with the support of the U.N. Secretariat, would prepare a zero draft of the agreement for discussion ahead of the next session, due to take place in Nairobi, Kenya, in November 2023. Reportedly, during closed-door negotiations a majority of countries agreed that the treaty should be global and legally binding, rather than voluntary. In addition, approximately half of the country representatives agreed that some especially harmful polymers, chemicals and plastic products, which might include intentionally added per- and polyfluoroalkyl substances (PFAS), should be banned or phased out.
As stated by Inger Andersen,
Executive Director
of the UN Environment Programme (UNEP):
I look forward to INC-3 in Nairobi, and urge Member States to maintain this momentum. The world is calling for an agreement that is broad, innovative, inclusive and transparent, one that leans on science and learns from stakeholders, and one that ensures support for developing nations.
Stakeholders are invited to submit written positions by August 15, 2023 with member country statements due by September 15, 2023. Intersessional work to develop the zero draft will be critical for achieving the stated timeline. Reconciling the myriad positions will be challenging under any circumstances, but the timeline adds urgency to the work. Given the global impact, the U.N. goal of eliminating plastic pollution is ambitious but worth watching. Stay tuned.
