Season 2 | Ep 29: Optimizing Third-Party Risk Management: Due Diligence, Contracting, and Monitoring

July 9, 2024


In the latest episode of the Risk Intel Podcast, host Ed Vincent delves into the intricacies of third-party guidance and risk management with expert Shawn Ryan. This insightful discussion focuses on the Third-Party Risk Management Guidance released in May 2024. Shawn sheds light on critical aspects of due diligence, contracting, and monitoring that financial institutions must navigate, especially when dealing with FinTech and RegTech firms.

The May 2024 guidance from the Federal Reserve, FDIC, and the OCC included five critical aspects of third-party risk management: planning, due diligence, contract negotiation, ongoing monitoring, and termination. In Part 1 of this series, Shawn discussed in detail the Planning and Termination stages of third-party engagement. Listen or watch the full episode below or read the summary to learn more.

The Importance of Due Diligence

Shawn Ryan emphasizes that due diligence is a cornerstone of effective TPRM. Regulators are increasingly scrutinizing how Financial Institutions assess the capabilities and reliability of their third-party partners. Shawn advocates for the active involvement of frontline business staff in the due diligence process, rather than relying solely on procurement teams. This hands-on approach ensures that the unique requirements and potential risks of each third-party relationship are thoroughly understood.

“Engaging a third party does not diminish or remove a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.” – Third-Party Risk Management: A Guide for Community Banks, May 2024

However, Shawn also acknowledges the challenges posed by partnering with less mature organizations, such as start-ups, which may lack comprehensive documentation like SOC 2 reports. Flexibility is key in these scenarios, balancing the need for robust due diligence with the practical constraints faced by smaller firms. Shawn also recognizes that, much of the time, when working with FinTechs the Financial Institution will have to do a great deal of educating to bring the partner up to speed on risk management practices and regulatory expectations.

“I would never suggest that you shouldn’t work with less mature organizations. I think that’s where a lot of creativity and innovation is going to come from … but you have to establish good guard rails and you can do that through due diligence” – Shawn Ryan

Contracting: Striking the Right Balance

Contract negotiations can often be a contentious stage in third-party risk management. Shawn points out that Financial Institutions frequently impose numerous redlines, which can complicate the negotiation process. To mitigate these challenges, he advises focusing on critical elements such as risk management controls, performance expectations, and dispute resolution mechanisms.

Jurisdiction and liability thresholds are often areas of significant negotiation. Shawn recommends approaching these discussions with a balanced perspective, aiming to create a win-win scenario that fosters a positive long-term partnership. Building strong, cooperative relationships from the outset can pave the way for smoother interactions and better risk management outcomes.

Effective Ongoing Monitoring Practices

“Without proper evaluation, failure is inevitable” – John Wooden

Once a third-party relationship is established, ongoing monitoring is essential to ensure compliance with risk management practices and performance expectations. Shawn stresses the importance of clear roles, responsibilities, and communication channels for effective monitoring. Financial Institutions should have mechanisms in place for escalating and remediating any issues that arise during the course of the partnership.

While some institutions may consider outsourcing aspects of their risk management to specialized firms, Shawn reminds us that the ultimate responsibility for managing third-party risk always remains with the Financial Institution itself. Continuous evaluation and adjustment of third-party relationships are crucial to maintaining effective risk management over time.

Final Thoughts

Shawn Ryan’s insights highlight the delicate balance that Financial Institutions must strike between regulatory compliance and practical flexibility. By fostering strong, cooperative relationships with FinTech and RegTech partners, institutions can navigate the complexities of third-party risk management more effectively. Continual evaluation and adaptation are key to ensuring these partnerships remain beneficial and compliant in an ever-evolving regulatory landscape.

Shawn Ryan also recently spoke on this same topic at the Independent Bankers Association of Texas, Connecting Leader Conference. You can download the full presentation below.

If you are evaluating your Fintech partnership program or BaaS strategy, reach out to the SRA Watchtower team who can provide the knowledge, tools, and strategies needed to navigate regulatory guidance and foster successful third-party relationships.
