Implementing, assessing and monitoring third-party risk-management practices to meet FDIC and OCC regulatory requirements
As technology expands for financial institutions and their extended enterprises, the number and complexity of third parties and their services have increased. As entities increase their reliance on third parties, their direct operational control over key activities is reduced, which may introduce new operational, compliance, financial and strategic risks or increase existing ones.
As these varied risks inherent in third-party relationships evolve and increase, financial institutions must appropriately identify, assess, monitor and control these risks and ensure compliance with applicable state and federal laws and regulations.
Our team will help you design, implement and monitor third-party risk to ensure compliance with FDIC, OCC and state banking regulatory requirements. Whether your organization has yet to develop a formal third-party risk management program, or already has an established methodology in place, our team has the knowledge and experience to help.
Designing, implementing and executing a comprehensive third-party risk-management program has become increasingly demanding as recent regulatory requirements have become more austere and comprehensive. In June 2023, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued the Interagency Guidance on Third-Party Relationships.
Financial institutions' managers and executives often "wear many hats," resulting in a leaner, experienced resource management pool that leverages shared operational and compliance responsibilities across business units. This strategy can sometimes lead to siloed decision-making, whereby business unit managers use their tribal knowledge in the selection of third parties without considering the implications for other business units or the organization as a whole. Our approach to process development and implementation will ensure the appropriate levels of involvement and oversight to eliminate inefficiencies and other effects of this cross-functional approach.
With our managed services offering, our team builds your third-party risk-management program by creating governance documentation that includes policy, roles and responsibilities. We develop risk-assessment process documentation that includes risk tiers, assessment criteria, artifact requirements and due diligence assessment activities necessary for each level of risk ranking. We also establish a continuous monitoring process that includes documentation, reporting and tracking of critical third parties.
At TPRM-Texas, we have over 50 years of combined experience providing audit, enterprise risk management, consulting and compliance services to over 50 community and regional banks in Texas. We've had the unique experience and perspective of being internal risk managers, as well as external auditors and consultants for our clients. We can discern venerable auditors from the pretentious and inexperienced variety from miles away and have no reservations or fear in contacting personnel and senior leadership to achieve our stated objectives. We pride ourselves on being professional, knowledgeable and distinct from other CPA and consulting firms; never again will you have to subsidize the learning curve of inexperienced, pedantic consultants ('empty suits') that plague the payrolls of our competitors.
Our objective for our clients is twofold:
1) Becoming a trusted, strategic partner that integrates and works with your staff, management and senior leadership teams, obtaining buy-in and consensus at each step along the way.
2) Driving value by providing our services on-demand at extremely competitive price points while simultaneously leveraging our extensive experience in audit, enterprise risk management and compliance.
With over 50 years of combined experience in audit, enterprise risk management and compliance, we provide assistance in all stages of the third-party risk-management life cycle including:
Engaging and coordinating with all involved parties including legal, information security, IT, compliance, internal audit, accounting and executive management.
Our due-diligence process is tailored to the risk of the third party and includes gathering contract approvals, requisite signatures, maintaining contracts and assessment documentation.
Assessing third-party compliance, determining external events of impact to your organization, monitoring reputational risks, data breaches, SLA performance, adverse media and credit risks.
Tracking contract renewal and expiration dates, managing communications and notifications with business unit owners and third-party representatives.
Tracking regulatory developments and requirements, amending policies and procedures to ensure continued compliance with industry standards and guidance.
Third-party attestation report interpretation, reconciling applicable complementary user entity controls against your internal control universe, identifying control gaps and residual risks.
Full documentation must be maintained and organized to support initial due-diligence, approvals, ongoing monitoring, risk acceptance actions and third-party communications.
Liaising with bank regulators and facilitating external and internal audits pertaining to TPRM; including gathering evidence, facilitating walkthroughs, managing policies and procedures and meeting compliance requirements.
Generating and providing requisite deliverables to affected parties including annual reporting to the Board regarding TPRM program compliance, quarterly reporting to executive management and/or audit committee regarding contract renewal and expiration dates.
Third-party risk management is a very pervasive program. It involves coordination, strategy, policy development and implementation, training and organizational buy-in to be considered effective. That's where we deliver value: we'll manage all the elements of a successful and compliant TPRM program on your behalf and obtain management's buy-in each step along the way. We do not enforce a one-size-fits-all approach that ignores your organization's culture or pre-existing processes and procedures; instead, we satisfy what's required by leveraging and optimizing what you already have in place. If your TPRM process has yet to be formally developed or implemented, we can help build your program from the ground up. We become an extension of your team and shoulder the responsibilities listed above so you don't have to; we trust your schedule and compliance demands keep you busy enough as is!
Having been external auditors to financial institutions and facilitated more FFIEC / GLBA audits than we'd care to count, we're quite familiar with the process. We know what regulators and auditors look for and how they think, because we've been in their shoes for many years. Consequently, we know how to handle diplomacy when auditors overstep their boundaries or jump to unsupported conclusions. Our approach and TPRM programs are both defensible and compliant and we will defend them earnestly on your behalf. We will gladly assume the role of liaising with external auditors and regulators to defend your TPRM program throughout the entirety of the audit cycle, from planning, to walkthroughs, to deliberation and acceptance; whether in person or remotely.
We are superior to competing CPA firms in every metric. Sounds braggadocious, but it's really not. Please let us explain why:
1) Cost and Billing Structure
CPA firms use a leveraged cost model with tiered billable rates. As of 2024, billing rate estimates for mid-tier public accounting firms have been observed as follows: Associates run between $250 and $395/hr, managers begin at $600/hr and partners command an astronomical $720/hr during their review and oversight process. Moreover, CPA firms bill their time against fixed project budgets. Billing includes time spent internally setting up the project, scheduling and hosting both internal and client-facing meetings, writing reports, performing internal reviews, performing walkthroughs, providing status updates, presenting findings and obtaining feedback. Clients end up paying the CPA firm's overhead and administrative costs as part of the billing process. We believe in fixed monthly fees without overages and given our streamlined size, we don't have any appreciable overhead or administrative costs. We choose not to nickel and dime our clients; we just work until the job's done. CPA firms cannot compete with us on cost; it's not even close.
2) Incentive Structure
In addition to a leveraged cost model, CPA firms utilize a leveraged expertise model as well. That means that the least experienced members of the team (with the smallest billable rates) do the most work. This is designed to maximize their budgets and improve project realization (which their promotions, incentives and bonuses are based on). In effect, you get the unique privilege of subsidizing the learning curve of their neophyte associates. Managers and directors will put together proposals and provide a roadmap of their expertise and how they plan to facilitate the project, but it's all a bait-and-switch. As you can see from their billable rates above, experienced involvement is cost-prohibitive! They sell you on their expertise and experience in the proposal stage and send you fresh college graduates to do the work. We do not misrepresent ourselves or delegate work to anyone else; when you hire us, we're your team.
3) Transparency
One of our chief pet peeves of CPA firms since about 2016 has been their universal strategy to offshore portions of every project budget to resources in India or other countries outside the US where labor is cheaper. Ford, GM and John Deere aren't the only companies offshoring production; CPA firms have followed suit, which may not be specified anywhere in their contractual service agreement boilerplate. How transparent is it to sell someone a service, then offshore a portion of the work to nameless resources in another country? All of our work is performed right here in Texas between Steve and Scot, and our strategy is based on 50+ years of experience.
Copyright © 2024 TPRMTX - All Rights Reserved.