Third-Party Relationships - an Update with Guest Nanci McKenzie
Wrestling Payments Podcast: Season 2 - Episode 13
Episode Summary
In this episode of "Wrestling Payments," host Joe Casali welcomes back Nanci McKenzie for a follow-up discussion on third-party relationships within the financial industry. Nanci, an independent consultant with extensive credentials in banking and risk management, shares insights from her recent session at PMC 2024. She emphasizes the evolving nature of third-party relationships, particularly the regulatory changes and guidance updates from agencies like the OCC, FDIC, and the Federal Reserve Board of Governors.
Nanci and Joe dive into the specifics of interagency guidance approved in 2023, which now includes fintechs and offers consolidated advice for banking organizations. They discuss the critical aspects of these regulations, such as consumer data protection, compliance requirements, and the implications of third-party relationships on risk management. Nanci highlights the importance of identifying and managing risks associated with third-party vendors, stressing the need for comprehensive information security programs and regular audits.
Towards the end of the episode, the conversation shifts to data privacy and the complications Nanci expects from the CFPB's new open banking rule, which comes on top of the data protection obligations financial institutions already carry under the Gramm-Leach-Bliley Act. Nanci points out that financial institutions must ensure their third parties comply with these regulations to safeguard against data breaches and financial crimes. Joe and Nanci conclude by acknowledging the increasing complexity of compliance and the ongoing need for vigilance in managing third-party risks.
Guest-at-a-Glance
💡 Guest: Nanci McKenzie, JM, AAP, APRP
💡 What she does: Consultant
💡 Company: Nanci McKenzie, LLC
💡 Noteworthy: Nanci McKenzie is an independent consultant with extensive banking credentials.
💡 Where to find Nanci: LinkedIn
Key Insights
Evolving Third-Party Relationship Guidelines
Regulatory guidance on third-party relationships has evolved significantly, reflecting changes in the financial landscape. The interagency guidance issued in June 2023 by the OCC, FDIC, and Federal Reserve Board of Governors replaces each agency's earlier separate guidance with a single consolidated document. It explicitly covers fintech relationships, reflecting how far the scope of "third party" now extends beyond traditional vendors. Financial institutions must apply this guidance to stay compliant, manage risk, and protect consumer data. Understanding the roles and responsibilities in these partnerships is crucial, because they cover a wide range of services and products offered to commercial and other non-consumer customers. Proper due diligence, risk assessment, and adherence to information security standards are emphasized as the essential practices for maintaining these relationships.
Consumer Data Protection is Paramount
The increasing stringency of consumer data protection regulation means financial institutions and their third-party partners must prioritize data security. Regulatory bodies such as the CFPB and FTC enforce compliance to safeguard consumer information. Financial institutions must ensure that their third-party vendors are not only compliant with these regulations but also have robust information security programs of their own, including regular risk assessments, business continuity plans, and incident response procedures. The Gramm-Leach-Bliley Act's Safeguards Rule, whose amended requirements took effect in June 2023, extends these expectations to the third parties a financial institution relies on. Verifying these measures helps mitigate the risk of data breaches and financial crime, ultimately protecting both the institution and its customers.
Consent Orders Highlight Compliance Failures
Recent consent orders issued by regulatory bodies reveal common compliance failures within financial institutions, particularly concerning BSA/AML programs and third-party risk management. These orders typically identify deficiencies such as inadequate risk management, insufficient compliance committees, and flawed investigative processes. The integration of BSA/AML requirements with third-party risk management emphasizes the need for comprehensive oversight of high-risk customers and transactions. Financial institutions must ensure that their third-party vendors adhere to strict compliance standards to avoid regulatory penalties and safeguard their operations. The emphasis on enterprise risk management underscores the interconnectedness of various risk factors across different areas of the bank, from ACH operations to loan servicing, highlighting the importance of a holistic approach to managing these risks.
Episode Highlights
Introduction to Third-Party Relationship Guidelines
Timestamp: [00:01:56]
The episode opens with Joe Casali welcoming Nanci McKenzie and providing an overview of the ongoing discussion about third-party relationships in the financial sector. They delve into the complexities and evolving nature of these relationships, particularly how they are no longer limited to traditional vendors but include a variety of service providers and products offered to commercial and non-consumer customers.
"It's very difficult to determine what that relationship really looks like. It's not just for vendors anymore, right? That relationship can be in the form of any sort of service or product that you are offering to a commercial, non-consumer customer or member, whether that be in your treasury management services or if they are a vendor of yours."
Compliance and Data Protection
Timestamp: [00:20:01]
The discussion highlights the critical importance of compliance and data protection in today's financial industry. Emphasis is placed on the need for robust information security programs and adherence to the updated Gramm-Leach-Bliley Act safeguards rule, which now includes third parties. Ensuring these entities have proper compliance measures is vital to mitigate risks associated with data breaches and financial crimes.
"And in today's world it's not just the financial industry, but in today's world data protection, data privacy are huge issues that everybody has to be not just aware of, but concerned with. And where is my data? Who has it? Who has access to it?"
The Role of Consent Orders in Shaping Risk Management
Timestamp: [00:09:29]
The conversation shifts to the impact of consent orders issued by regulatory bodies, focusing on how these orders often highlight deficiencies in BSA/AML programs and third-party risk management. The integration of these compliance requirements underscores the necessity for financial institutions to periodically review and manage high-risk customers and transactions effectively.
"So what's very common in all of the consent orders is that they are looking at the BSA/AML program, since we've had so many problems with financial crimes, especially in money laundering and those types of activities."
Open Banking and Data Privacy Challenges
Timestamp: [00:21:21]
Towards the end of the episode, the discussion turns to open banking and the data privacy challenges that come with it. Nanci examines the complications she expects from the CFPB's new open banking rule, which adds to the obligations financial institutions already carry under the Gramm-Leach-Bliley Act, and stresses the need to navigate these requirements while keeping robust data protection measures in place.
"I feel that it's going to very much complicate things even more, make things very much more difficult for us. But on the other side of things, I said this recently about the CFPB, love them or hate them. We really need to have them in place because the consumers of the world are their own worst enemies."
To hear this episode and many more like it, subscribe to Wrestling Payments on Apple Podcasts, Google Podcasts, Spotify, or anywhere else you listen to podcasts, or listen above.