Agencies Issue Final Guidance on Third-Party Risk Management

On June 6, 2023, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the “Agencies”) issued final joint guidance[1] to help all banking organizations manage the risks associated with third-party relationships, including relationships with financial technology companies (fintechs). The joint guidance is intended to provide consistency in the Agencies’ supervisory approaches, and it will replace each Agency’s separate existing guidance on the topic[2].

The guidance defines a “third-party relationship” as “any business arrangement between a banking organization and another entity, by contract or otherwise.” This may include relationships formed for outsourced services, independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates or subsidiaries, and joint ventures.

The guidance emphasizes that banks need to continue to apply sound risk management when using third parties, especially when new technologies are involved. Using a third party does not relieve a bank of its duty to ensure that all activities are conducted in a safe and sound manner and in compliance with laws and regulations, such as fair lending laws; prohibitions against unfair, deceptive, or abusive acts or practices; and laws and regulations that address financial crimes.

While acknowledging the broad scope of relationships covered under “third-party relationships,” the guidance suggests that a bank’s risk management approach should be tailored to the nature of the third party. For instance, if the relationship involves a high level of risk to the bank, then the bank should develop additional processes, procedures, and safeguards to ensure that it is adequately protected. Characteristics of activities that could be considered high-risk include those that may affect the banking organization’s customers or the financial condition or operations of the bank.

Regardless of a bank’s approach, banks should ensure that they maintain comprehensive oversight procedures that keep an inventory of all existing third-party relationships and mandate periodic risk assessments of these outside organizations.

The guidance also provides the stages of the “risk management life cycle,” and advises on the importance of ensuring bank staff has the necessary knowledge and skills required under each stage. The stages include:

1. Planning - evaluate and consider how to manage risks before entering into a third-party relationship;

2. Due diligence and third-party selection - determine (1) whether the relationship will achieve the bank’s goals, (2) the third party’s ability to perform the requested activities as expected while complying with all applicable rules and regulations, and (3) whether the bank can effectively identify, monitor, and control all risks that may arise from the relationship;

3. Contract negotiation - negotiate provisions in the bank’s contracts with third parties that will facilitate effective risk management and oversight;

4. Ongoing monitoring - confirm that the third party meets its contractual obligations, escalate concerns as needed, and respond to concerns once identified; and

5. Termination (if applicable) - in circumstances such as breach of contract, failure to comply with applicable rules and regulations, or other activity that causes the bank to discontinue the relationship. When termination occurs, it is critical that the relationship is ended efficiently with risk management in mind.

The guidance also sets out the following practices that banks should consider when establishing a third-party risk management policy:

  • Oversight and accountability. A bank’s board of directors is ultimately responsible for providing oversight and holding management accountable, while the bank is responsible for implementing third-party risk management policies and procedures.

  • Independent reviews. Banks should conduct periodic independent assessments of the adequacy of their third-party risk management.

  • Documentation and reporting. This may include tracking contracts, risk performance reports, remediation plans, and so on.

Additionally, the guidance provides that the Agencies may use their supervisory powers to evaluate a third party’s ability to fulfill its obligations in accordance with applicable laws and regulations. When deemed necessary, they may pursue corrective measures to address violations by either the bank or its third party.

[1] https://www.occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53a.pdf

[2]

  • Board:

    • SR Letter 13-19/CA Letter 13-21, “Guidance on Managing Outsourcing Risk” (December 5, 2013, updated February 26, 2021)

  • FDIC:

    • FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008)

  • OCC:

    • OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance”

    • OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29”

    • The OCC also issued foreign-based third-party guidance, OCC Bulletin 2002-16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance,” which is not being rescinded but instead supplements the final guidance.
