This issue's key takeaways:
- Regulators in the US and EU have set clear expectations and guidelines for managing third-party risk: the Interagency Guidance on Third-Party Relationships and the Digital Operational Resilience Act (DORA).
- These regulations expect banking organizations to perform diligent financial oversight and analysis of their third-party relationships.
- Banks must monitor the financial condition of third parties throughout the entire relationship lifecycle to remain in regulatory good standing and avoid financial harm.
- Comprehensive assessment and analysis tools are key to proactively mitigating risk.
________________________________________
Snapshot: The Impact of Banking Regulations On Financial Risk Management
By James H. Gellert, Executive Chair, RapidRatings
Rules. Regulations. Guidelines.
Not necessarily words that inspire people to jump to their feet in passionate fits of joy.
And yet, all financial institutions that clearly understand current regulations deserve at least an emphatic high five, if not a dance party.
That’s because formal guidelines ―specifically those relating to third-party relationships― give banking institutions a much-needed framework for mitigating risk and avoiding operational disruptions. They also keep compliance top-of-mind, helping companies operate normally and ensuring they steer clear of regulatory repercussions and reputational damage.
At a macro level, these regulations represent a view from governments that what banks do is of such consequence that they require oversight.
To supply chain risk and other non-bank counterparty risk managers, these regulations are a loud statement that governments think managing risks of third parties is a component of strength and resilience at a systemic level—for Wall Street and Main Street.
I’ll focus on what I think are the pivotal elements of these criteria, and how they impact banks and other institutions.
Guidelines: Purpose, intention, and audience
The two sets of guidelines are the Interagency Guidance on Third-Party Relationships, issued by the US federal banking agencies (the OCC, the Federal Reserve, and the FDIC), and the Digital Operational Resilience Act (DORA), which covers the European Union.
The Interagency Guidance applies to banking organizations supervised by those agencies, while DORA applies to a broader range of financial entities, including banks, investment firms, insurance companies, and payment institutions.
They both outline expectations and principles for financial institutions to follow while managing all stages of the lifecycle of third-party relationships.
Both have the overarching goal of helping organizations avoid financial disaster and operational disruption caused by insufficient third-party risk management and of creating resilient third-party ecosystems.
Both sets of guidance have several core elements by which banks are expected to abide.
Take financial condition seriously
Prominent in both criteria is an expectation of diligence when it comes to evaluating the financial condition of all third parties.
Financial condition is a top risk factor for banking institutions, and for good reason.
As discussed in previous newsletters, a third party in poor financial health can cause revenue disruption, financial loss, reputational risk, strain on the teams that must triage the fallout, underinvestment by the third party in cybersecurity, R&D, and product development, and more.
Said differently, thinking of third parties only in terms of whether they are going to file for bankruptcy is a serious mistake. A business reliant on that third party can suffer tremendously from its declining financial health, whether or not a bankruptcy ever occurs.
However, not all risks are the same, so companies need to understand ―and properly manage― different types of risk to avoid damaging outcomes.
For example, inherent risk (the risk a third party poses before any of your controls are applied) and residual risk (what remains after those controls are in place) sit at separate stages of the risk lifecycle, and each requires its own strategic plan.
Some aspects of inherent risk are outside your control, such as the location or sector a supplier operates in, but assessing a third party’s financial stability provides a barometer of other risk domains you may be exposed to, including delays, disruptions, or regulatory violations.
Residual risk can be minimized by having reliable systems and processes for ongoing monitoring of third parties. By actively managing both, companies make better decisions, protect their operations, and maintain trust with regulators.
Thus, both DORA and the Interagency Guidance expect organizations to prioritize financial condition oversight by embracing the following:
- Due diligence pre-onboarding
- Financial health assessments
- Ongoing monitoring
- Proactive risk management
Always be assessing
Please bear with me as I workshop a metaphor.
If you want to get in better shape you don’t just buy a treadmill, go for a run and call it a day. You have to keep running. Test the different settings. If you decide to keep it, you need to find a workout you like. Create a routine, set goals, and track your progress. Keep using it, or else it’s a waste of your time and money and a great excuse for having a second serving of dessert.
The same is true of managing risk. It’s not enough to do an initial financial health analysis, like what you see, and consider your work done.
The assessment needs to be ongoing and comprehensive. You need to analyze audited financial statements and create systems for identifying, reporting, and responding to third-party risk.
Staying up to date also matters. A clear expectation of the Interagency Guidance is that companies analyze the most current information available rather than relying on trade payment data, which is a lagging and often superficial metric. That means using contemporary financial statements from your third parties.
As the regulations emphasize, managing third-party risk should be a full-time priority, performed with predictive assessment tools to maximize both the effort and the results.
Embrace a consistent and vigorous approach to monitoring financial health, and you can be confident that your organization is in the best shape possible.
I personally don’t like treadmills, and I’m not sure I like this metaphor, but I appreciate you humoring me as I fleshed it out.
Build your toolkit
It takes organizational buy-in to develop an infrastructure that can properly manage third-party financial health.
You also need a platform ―and the right tools― capable of executing a financial oversight strategy.
As you reflect on your organization’s current approach, consider whether your operation can handle these essential functions:
- The ability to gather public AND private financial statements, and synthesize them into accurate, predictive ratings and reports
- Ongoing monitoring and visibility into third-party financial health for every stage of the relationship
- A compliance-first system, built to ensure all regulatory obligations are met
- In-platform customizations that allow you to segment, monitor, and manage cohorts of third parties according to criticality and your business needs
If the answer is no, you’ll struggle to meet these regulatory guidelines. You’ll also likely struggle to detect a third party's shaky financial health until it’s too late.
________________________________________
SIG Summit: April 1st-4th
Join me, James Gellert, Executive Chairman of RapidRatings, and Matt McKillop, Global Head of TPRM at OKX, as we take the stage at the SIG Summit in April 2025 to discuss how supplier portfolio analytics drive operational excellence in today’s risk environment.
________________________________________

Stat of the Month: March
92% of public companies that defaulted in 2024 were already flagged as high or very high risk by their FHR® scores, proving that early risk indicators matter.
Source: RapidRatings Annual Default Review 2025.
________________________________________

The Time Machine: 15th Century Financial Health Rating
The Medici family was a powerful presence in politics, banking, and trade in 15th- and 16th-century Europe.
Based initially in Florence, Italy, the Medicis introduced the use of a letter of credit, which acted as a guarantee from a buyer’s bank to a seller’s bank and enabled international trade to flourish during a time when moving large sums of money was dangerous, impractical, and slow.
Essentially, the letter of credit rated the financial health of the buyer and acted as a thumbs-up for a short-term loan, to be paid back with interest, of course.
So yes, the Medici Family was Rocket Mortgage from Quicken Loans six hundred years ago.
________________________________________
If you’re curious about how RapidRatings offers the most accurate and comprehensive financial data analytics in the industry, check out RapidRatings.com to learn more.
