
Wrestling Payments
Wrestling Payments is a podcast for professionals working at banks, credit unions, and FinTechs who are responsible for managing ACH and payment operations. In each episode, members of NEACH guide conversations to help professionals examine the challenges of modernizing payment operations. Ultimately, the stories uncovered through guest interviews and solo episodes will highlight industry trends and identify how organizations can build their payment operations for the future.
Third-Party Relationships - an Update
In this episode of "Wrestling Payments," host Joe Casali welcomes back Nanci McKenzie for a follow-up discussion on third-party relationships within the financial industry. Nanci, an independent consultant with extensive credentials in banking and risk management, shares insights from her session at PMC 2024. She emphasizes the evolving nature of third-party relationships, particularly the regulatory changes and guidance updates from agencies like the OCC, FDIC, and the Federal Reserve Board of Governors.
Nanci and Joe dive into the specifics of interagency guidance approved in 2023, which now includes fintechs and offers consolidated advice for banking organizations. They discuss the critical aspects of these regulations, such as consumer data protection, compliance requirements, and the implications of third-party relationships on risk management. Nanci highlights the importance of identifying and managing risks associated with third-party vendors, stressing the need for comprehensive information security programs and regular audits.
Towards the end of the episode, the conversation shifts to data privacy and the potential complications arising from the CFPB's new rule under the Gramm-Leach-Bliley Act. Nanci points out that financial institutions must ensure their third parties comply with these regulations to safeguard against data breaches and financial crimes. Joe and Nanci conclude by acknowledging the increasing complexity of compliance and the ongoing need for vigilance in managing third-party risks.
To hear this episode and many more like it, listen here or subscribe to Wrestling Payments on Apple Podcasts, Google Podcasts, Spotify, or anywhere else you listen to podcasts.
For show notes, transcripts, and other resources visit www.wrestlingpayments.com.
Host: Joe Casali, EVP, NEACH
#wrestlingpayments #wrestlingpaymentspodcast #paymentspodcast
NEACH - Wrestling Payments - Nanci McKenzie - Third-Party Relationships - an Update, season 2 episode 13
Joseph Casali: [00:00:00] Welcome to Wrestling Payments. I have a very special episode. If you recall, if you've listened for a while, last year we spoke and I'm here with Nanci McKenzie and we had to stop ourselves from speaking because it just got so, so interesting. And today we're basically here for a part two. Now Nanci, we're at PMC 2024 and Nanci just got out of a session on third-party relationships, and once you introduce yourself. Okay.
Nanci McKenzie: Nanci McKenzie with Nanci McKenzie, LLC. I'm an independent consultant and I have my AAP, my APRP, a couple of law degrees and
Joseph Casali: yeah,
Nanci McKenzie: Yeah, third-party relationships, risk management, what all banking organizations need to know.
Joseph Casali: Yeah. So over time, third parties kind of snuck up, right?
It was. There were [00:01:00] relationships and then regulators and agencies started going. We need more there, yeah, so last year if I recall, yes, we left off with something that was about to finalize. Can you take us from there?
Nanci McKenzie: Sure. Yeah, our interagency regulators, the OCC, the FDIC, and the Federal Reserve Board of Governors, they started looking at the guidance that had been out in our industry to help financial institutions, banking organizations, as they refer to them in the guidance, about how we really need to kind of give more guidance on what banking organizations need to do when it comes to the third-party relationships.
And as you had mentioned, the, like, changes that we've seen in third parties over the years have really kind of gotten muddy. It's very difficult to determine what that relationship [00:02:00] really looks like. It's not just for vendors anymore, right? That relationship can be in the form of any sort of service or product that you are offering to a commercial non-consumer customer or member, whether that be in your treasury management services or if they are a vendor of yours.
So yeah, the interagency guidance approved the guidance on June 6th of 2023, they had been looking at revising it since 2021. So it took them a while to actually come to it, but they'd now specify Fintechs within the document. Yeah.
Joseph Casali: It's, I mean, it seems always the case. It takes a while, do your homework and they develop their answer.
They let everyone know, and then they decide: is there an easy way? So one of the things we do at NEACH all the time is talk to people about, do you have a third-party sender? Not the same. And one of the questions, [00:03:00] if you wanted to boil it down for a third-party sender, is if you send out entries on behalf of someone else.
Is there any sort of question to say, how do I know this is a third-party relationship or not?
Nanci McKenzie: Yeah, I think that there is a key, that if you have a non-consumer possible third-party relationship, that you can look at and go, are you providing a service or a product? Is that third party providing a service or a product to a consumer?
Joseph Casali: That's
Nanci McKenzie: who we're talking about. We know in today's world, consumer protection and data protection is very strict, very stringent, CFPB, FTC, all over the place. So we need to look at those relationships and determine, okay, [00:04:00] are they offering a product or service that is going to affect a consumer? I think that's the major question that we need to ask.
Joseph Casali: Are they offering a good or service that relates to a consumer?
Nanci McKenzie: Correct.
Joseph Casali: Does it have to be on behalf of the institution? No. Okay.
Nanci McKenzie: So, customers being those consumers. And then going on further, the banking organization and the third party may have varying degrees of interaction with those customers.
So we're not talking about only the customers that would be within the bank, but customers of any bank.
Joseph Casali: And when you say page 30, it's of the interagency guidance. Yes. Excellent. Yeah. Is that, FFIEC is funny. Yeah. Once you finish that interagency guidance, is it going to point you to other guidance as well?
Nanci McKenzie: Yes, it does to a certain extent. So, first off, let's not confuse the FFIEC guidance with the interagency guidance that just came out. So, the interagency guidance that just came out last [00:06:00] year, June 6th, was replaced, rescinded, okay? The other guidance items that we had out there, such as the third-party relationships risk management guidance from the OCC, the third-party relationships conducting due diligence on financial technology companies, a guide for community banks, OCC, third-party relationships frequently asked questions to supplement OCC Bulletin 2013-29 from the OCC, and the automated clearing house activities risk management guidance from the OCC. You'll find that on page 4, okay, of the guidance. So, if we're still referring to those pieces of guidance that we had previously, we can't.
Joseph Casali: Is that the ACH one, the 2006-39?
Nanci McKenzie: Yeah,
Joseph Casali: It is. Really? It is. I've, oh my god, I've counted on that for so long.
Yes. So now we're replaced.
Nanci McKenzie: It's replaced.
Joseph Casali: Okay, that's good to know. Really, that's a really good document.
Nanci McKenzie: Yeah.
Joseph Casali: Really outlined a lot of things. So I'm hoping.
Nanci McKenzie: [00:07:00] So what they've done is they've really combined these into one location. So we have one piece of guidance to refer to now.
So we did bring over a lot of the information that was on those other documents, pieces of guidance. But now we have it all in basically one place. So, yeah, just know that's an important thing because there are some things in there that don't relate anymore, because we have seen a change in third-party relationships since 2006, since 2013.
Yeah,
Joseph Casali: I do, I do note that FFIEC and Interagency, which is a little bit less, right? It's only a few of the organizations. It is not a law, but it's really good guidance. So if you're struggling with third party relationships, do I have one? Don't I have one? This is probably the new first stop for you.
Nanci McKenzie: Yeah, you're exactly right, Joe. This interagency guidance that I'm speaking of is the interagency guidance of the OCC, the FDIC, and the Federal Reserve [00:08:00] Board of Governors, where the FFIEC is those three, as well as the state regulators, the CFPB and the NCUA. Okay. So you're really smart. Yeah. Yeah. So, one thing that I just want to point out that is really important, and what I really have been trying to, what I've been saying, preaching this year, is that on page 66 of this guidance, for those that are regulated by those three regulators, it states specifically: "Each agency will review its supervised banking organizations' risk management of third-party relationships as part of its standard supervisory processes."
That says "will." It's not "maybe," or "they could." No, when you're going to get your examination from one of those regulators, they will be asking for this. And we have seen that in the consent orders that have been coming out lately, right? And a lot of them, OCC and FDIC especially, but the Federal [00:09:00] Reserve Board of Governors have done a couple as well.
Joseph Casali: Let's let's, can we dip into that for a minute, consent orders? Sure. So, it's evolving, right? We started out with, hey, this is other companies helping us out. And now we're at the really the next stage of interagency guidance on third party senders or third-party relationships.
How is, so what have those consent orders found, if you've, and where's it going?
Nanci McKenzie: Okay. Yeah. So what's very common in all of the consent orders is that they are looking at the BSA/AML program, since we've had so many problems with financial crimes, especially in money laundering and those types of activities, but you know, just financial crimes overall, so the anti-money laundering risk management programs and the lack thereof.
Lack of compliance, lack of committees, lack of just the risk management overall. [00:10:00] Investigations may not be done properly. They're all very similar in that way and they are tying almost every single one of them. You're going to find a section and I had a sample in my session that was article number five of this particular consent order I had and it was titled third party risk management and they're all very similar that way.
So they tie BSA/AML risk management programs into these third parties, because BSA/AML is requiring the financial institutions to periodically review those high-risk customers or members that they may have, right? To see if there are some additional risks they're being exposed to. Are they somebody that you still want to do business with or not?
Are there some suspicious activities going on that maybe an AML technology program didn't pick up? What is that process of investigation? Are they doing it thoroughly? Is there a process in place that they are doing, [00:11:00] proving that they're doing, going through the SARs that are being produced? Are they being reviewed again to make certain that they're keeping on top of their customers that way?
They go hand in hand, and as I say, if you don't think that they go hand in hand, you better think again, my friend, because they do. And in all of those consent orders, they are tying all those things together. So it's more, I believe, in my opinion, you don't necessarily see it in the consent orders, but it's more about an enterprise risk management program.
So overall, and there, they are very similar in nature, but of course very specific to the risks that are involved in a particular area of the bank, whether that be BSA, AML, whether that be ACH operations or wire transfers or merchant RDC or loan servicing. You need to look at all of those as an overall view, but also individually because they all have different risks.
Joseph Casali: So, I don't want to sound dumb. But I accept it [00:12:00] from a third-party management perspective, when you mention BSA findings and other findings like that, to what extent is the third party responsible for having compliance programs, BSA programs?
Nanci McKenzie: I'm glad you asked that; it wasn't even set up. That's awesome. So, also last year we had another change in the Gramm-Leach-Bliley Act under the Safeguards Rule that came out on June 9th of 2023. The Safeguards Rule, as part of the Gramm-Leach-Bliley Act, requires financial institutions to have an information security program, that information security program having very different, specific components within it, especially a qualified individual to oversee the entire program, making certain we have the MFAs, we do our risk assessments, all that type of thing.
June 9th of 2023, they changed it to [00:13:00] including third parties.
Joseph Casali: No way.
Nanci McKenzie: Yes, they sure, sure did. So anytime we're doing due diligence on our third parties, whether that be the vendors, whether that be our relationships that we have with third parties, We should be making certain that they are following what the safeguards rule says about having an information security program in place.
And what I really would suggest for that piece of your due diligence is to identify if they are not only having the information security program and all of the components that go along with it, and it states it very specifically within the Safeguards Rule, but also, if they are required to do a SOC 2 audit as a software-as-a-service or a technology firm that's providing solutions to a financial institution, that SOC 2 audit, especially the Type 2, is being done, because that really is showing proof that they do have a full-fledged information security program in place.
Joseph Casali: And I don't want to, [00:14:00] I don't want to pick your brain, but I will pick your reading or your reports from the industry. How big a problem is that for third parties not having it?
Nanci McKenzie: Well, that's really an interesting question because who is it that's going to come into the third party and say, shame on you, right?
They aren't regulated in the majority of the cases, right? They aren't, they may have a regulatory body that's overseeing them depending on what they are doing, what kind of a third party they are, but the important thing is that as a financial institution, to make sure that their third parties are in compliance is only going to help themselves make certain that the ODFI or the financial institution is in compliance, because the downfall of that third party could be the downfall of the bank. And we have seen that in some of these consent orders. The reason why the examiners have come in to look at their third-[00:15:00]party risk management program is because they had a third party that was doing some things that were questionable under the SEC.
Joseph Casali: I, so I try to stay away from this topic as much as I can, but when you, when Gramm-Leach-Bliley and BSA officers, those positions come with a little more risk as far as you're responsible, right? Okay. That's scary. It's
Nanci McKenzie: very scary. I've never been a BSA officer and that's the reason why.
Because they have the oversight of the program and if the program is not operating the way that it should be, because the risks aren't identified, they aren't following their own processes and practices, they aren't having all of the correct components in place. They're responsible, and we've seen that in some of the financial institutions that the BSA officers have been let go.
Some of them have even been fined civil penalties against them because they do not have their programs in place. So, [00:16:00] that qualified individual, we really want to make certain that they are a qualified individual and that they are making certain that the compliance is there. And that does include making certain that the third parties have their compliance in place.
So, there, the banks aren't the regulators over the third parties. But since the third parties need the banks to push the payments, the banks are the ones responsible.
Joseph Casali: Yeah, from a, from, so if winding down, from a conversation perspective, or from a business perspective. Let's say, let's set the scenario, you set yourself up and all of a sudden you realize, you know what?
We have been boarding more third parties lately. I think we need to take a second look at this. What are some of the best questions in approaching potentially a third party that's not aware? And, it, I'm sure it happens. We're not gonna tell you, name any names, but they aren't aware of their BSA [00:17:00] requirements, their SOC 2 requirements.
How does that conversation begin given that we're using this third party, we want to use this third party, they have a really cool solution we want to implement. How do you begin that conversation of this thing called compliance?
Nanci McKenzie: Yeah, that is an interesting one. I think first you have to really separate the third party and what their actual relationship is with the financial institution, because if it, if they're offering ACH origination, that's going to be different than if they are just a customer of theirs, or maybe they are offering a solution to them.
So there's, there's different categories that we need to be determining what those questions should be. But one of the very first things is that when it comes to compliance, I think, is their risk assessment. A company needs to do a risk assessment. The information security program within the Safeguards Rule says you should be [00:18:00] doing risk assessments.
Let's see, when's the last time you did a risk assessment? Were there findings? Was remediation done? Has it been cleared? Have you had an audit? An audit that is either for ACH purposes or maybe an audit because of the SOC 2? When was the last time that was done? Were there any findings? Was remediation done?
So I just recently was doing a consulting gig for a business, a fairly small business, looking for a service provider to not only do their payments, that was the main reason, but other things. They had the ability to provide reports and just give some good business information on the customers that they had.
So some of the questions I was asking as the consultant for the due diligence were just those things. I need to see your risk assessment. I need to see the last time [00:19:00] it was done. How about your business continuity plan? What about your incident response plan? I need to know that you are making certain that the service level agreements, those SLAs will be in place because we're relying on you to provide services.
Whether that be to our customers, whether that be to your customers, whether that be to us. So we have to determine what third party relationship we are actually talking about. Does that make sense?
Joseph Casali: It does make sense. And I think if we're talking to third parties out there, just a bottom line, if you're dealing, if you have a consumer solution, you're a, an app developer who's developed a, and we talked about a lot of this at this meeting, I want to, I want my son to know that I'm trying to take out $10,000 because his son is in jail.
I want to know that. In that case, consumer data would be involved.
And if I'm in that company, the technology's awesome. But the compliance stuff needs [00:20:00] to take place as well.
Nanci McKenzie: Absolutely. And in today's world it's not just the financial industry, but in today's world data protection, data privacy are huge issues that everybody has to be not just aware of, but concerned with.
And where is my data? Who has it? Who has access to it? And when you have these third-party relationships, we also need to identify what data we are talking about that they have. It's that old saying that I think is new, but, who has the most data at the end wins, right?
Joseph Casali: No, we, no, I never heard that one actually.
I think it was toys or stuff. Do you want to, just for a second take a side road? Data privacy.
Nanci McKenzie: Yeah. Okay.
Joseph Casali: OCC, not OCC who's looking at 1033 Open Banking? That's CFPB.
Nanci McKenzie: CFPB.
Joseph Casali: The idea that my banking data is mine.
And if I want to, I took a peek at this.
It's 299 pages.
Nanci McKenzie: Yeah, I only took a peek at it too, so [00:21:00] I haven't read it
Joseph Casali: all. The idea is it's my data. And if I want to give access to my bank account to someone else, to a company, to do stuff, that should be okay. That's what they're exploring.
Nanci McKenzie: Yes.
Joseph Casali: But that's going to come with greater privacy
Nanci McKenzie: requirements.
Would you like to
Joseph Casali: elaborate on that?
Nanci McKenzie: I feel that it's going to very much complicate things even more, make things very much more difficult for us. But on the other side of things, I said this recently about the CFPB, love them or hate them, we really need to have them in place because the consumers of the world are their own worst enemies and, just to try to protect themselves from doing really dumb things is something that... I don't know if we're instilling the idea to people that they can be stupid and nobody has to be responsible for it themselves. They always blame somebody [00:22:00] else. But, on the other side of things, when it comes to data privacy, the 1033 is, I think, again, I haven't read all 299 pages of it, but it's trying to get us more in alignment with the GDPR.
Joseph Casali: Yes. The world, right? The really interesting, the U.S. after World War II is a leader in the world. Yeah. And then all of a sudden you hear these stories in payments of England implementing faster payments in
Nanci McKenzie: Yeah.
Joseph Casali: Europe, the EU implementing faster payments. And we don't actually have a faster payment program.
Maybe we should do that. The UK with GDPR and, yeah, the, it really was, not gonna go into it here, but it was really a clampdown on data, down to this. I found this example hilarious. If a post office has a list of houses where they have to be cautious of [00:23:00] dogs, that is protected information.
Nanci McKenzie: Yeah. That's crazy.
Joseph Casali: Crazy. But again, we're, we are leaning that way. In order to do open banking, I think we have to go that way and close down some of the data just to protect it.
Nanci McKenzie: That could be another session. We could talk about GDPR and data privacy.
Joseph Casali: Excellent. No, I, the only thing with GDPR, honestly, for the audience as well, people hear GDPR as in anyone would, any European, what is it? Citizen?
Nanci McKenzie: Yeah.
Joseph Casali: GDPR applies, we're in Massachusetts or Connecticut today. Well, we
Nanci McKenzie: have financial institutions that have customers that live in the EU. Very
Joseph Casali: true. Very true. And
Nanci McKenzie: So it affects everybody globally and when it comes to the GDPR, it's about, no, I shouldn't say about, it is just as complicated as the Bank Secrecy Act.
And when you have your DSARs that you have to do and your DPIAs that you have to do, it's just like, whoa, are we going to get into [00:24:00] that too? It's like. But so again, when it comes to the 1033, I think that it's got a long way to go, maybe that could be another session for us too, because it's going to probably take some time for things to get weeded out.
So here's
Joseph Casali: the plan. Yeah. You go ahead and read all those pages and then we'll have a session. Okay.
Nanci McKenzie: Okay.
Joseph Casali: We can do
Nanci McKenzie: that.
Joseph Casali: All right. So tune in when we cover that. But thank you for joining me. Yeah.
Nanci McKenzie: Thanks for having me.
Joseph Casali: I will have you again. I enjoy talking to you all the time. Thanks, everyone. All right.
Thanks.