How Community Banks Are Tackling Third-Party Risk—One Hat at a Time

Managing third-party risk is tough for any bank—but for community banks juggling vendors through lean teams with limited budgets, it can be especially challenging. As several members of RMA’s Community Bank Council recently shared in an RMA Journal article, staying compliant and resilient often means adding yet another “hat” to an already full rack. 

“We probably have a larger reliance on third parties for many different operational functions and oversights,” said Robert Bender, chief lending officer at The First National Bank of Elmer in New Jersey. Like many institutions of its size, his $380 million bank doesn’t have a dedicated ERM staff, yet it must meet regulatory standards that can be challenging. To meet those standards, his bank updated its third-party risk management policy, expanded staff responsibilities, and increased reporting to the board. 

At Maine Community Bank, contract owners and a vendor committee share vendor oversight, said Chief Credit Officer Thomas MacDonald, and any compliance issues are reported directly to the board or a board committee. 

Here are some practical insights community banks shared: 

• Cycle reviews by risk tier. Corvallis, Oregon-based Citizens Bank reviews its highest-risk and most critical vendors annually—“insurance, reports, financials. The whole deep dive,” Chief Credit Officer Kate Salyers said. Medium-risk vendors are reviewed every two years, while low-risk vendors get a light touch. “Our regulators have liked that approach,” she noted. 

• Fourth-party risk is real. “[Vendors] are contracting with other vendors,” said Dawn Mugford, senior vice president for risk at Norway Savings Bank in Maine. “So, you end up getting in those fourth-party relationships, even though that may not be how you set out.” The challenge, she said, “is trying to figure out how you get your arms around that fourth party’s details, and making sure that your third party is then managing their third-party relationships similarly to the way you would do it.” 

• Outsourcing vendor management? You’re still on the hook. Many banks use outside software and vendors to help manage third-party risk. But as Salyers emphasized, the bank still must “review and render an opinion on” any outsourced risk management work. 

• Culture matters. “It’s about culture and people knowing that they’re not empowered to just go sign contracts,” said David Stewart, chief credit officer at Kleberg Bank. “We worked for the last 15 months to better formalize this process, and we established a third-party risk committee.” 

Bottom line? You don’t need a massive team—but you do need a structured, visible process, strong internal culture, and clear coordination across roles. 

For more tools and insights, visit RMA’s Community Bank Resource Center.