On June 6, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Banking Agencies) released final interagency guidance on third-party relationships [1] (Guidance).
Focused on risk management, the Guidance represents an effort by the Banking Agencies to ensure that third-party risk management guidance is consistent regardless of charter type and federal regulator. It also describes the obligations that apply to all banking organizations supervised by the Banking Agencies. Notably, the Guidance highlights that it is not "law" and "does not have the force and effect of law," a point that was raised in numerous comment letters received by the Banking Agencies during the comment period, and that has also been raised in connection with previous banking agency "guidance" on certain banking activities, such as banks' relationships with providers of crypto-related products and services.
In terms of prescriptive requirements, the Guidance takes a well-honed view premised on a "risk-based approach," particularly with respect to the operational, compliance, and strategic risks such relationships may pose for banking organizations. Specifically, the Guidance makes clear that each banking organization is required to "analyze the risks associated with each third-party relationship and . . . calibrate its risk management processes, commensurate with the banking organization's size, complexity, and risk profile and with the nature of its third-party relationships." With respect to fin tech relationships specifically, the Guidance states that banking organizations must understand how these agreements are structured in order to assess, through the use of a "sound methodology," the levels and types of risk inherent in each such agreement.
With respect to contractual relationships with third parties, the Guidance suggests board involvement on behalf of the banking organization. Specifically, "as part of its oversight responsibilities, the board of directors should be aware of and, as appropriate, may approve or delegate approval of contracts involving higher-risk activities." Related to this statement is the implicit point that boards of directors may be held responsible for failing to implement controls to ensure that third-party agreements involving "higher-risk activities" are reviewed at the board level. Therefore, banking organizations' boards must proactively ensure that appropriate "gating mechanisms" are implemented within the organization so that all necessary board review of such proposed arrangements occurs and is documented within the board minutes or otherwise.
Finally, the Banking Agencies noted that a determination was made "not to exclude any specific third-party relationships from the scope of the guidance [because it] is relevant to managing all third-party relationships." Relationships that certain commenters had argued should be exempt from such evaluative processes were those with affiliates and those with entities that are subject to some other form of regulation.
Why This Matters
Coming on the heels of a recently published FDIC action against a New Jersey-chartered bank that is significantly involved in bank/fin tech partnerships, as well as the numerous recent actions taken by federal and state regulators against providers of crypto-related products and services (which face a unique set of challenges in maintaining relationships with US insured depository institutions), the adoption of the Guidance demonstrates banking regulators' keen interest in third-party relationships. While it is obvious that insured depository institutions will need to develop policies and procedures to implement these requirements, it is equally important for fin techs and other bank service providers to understand (and therefore anticipate) the types of questions that potential bank partners will raise about the provider's operations and overall risk profile. Developing appropriate, compliant policies and procedures and implementing them enterprise-wide will be critical to ensuring that such relationships withstand supervisory review of both the banking organization and the third-party provider, which may itself be examined by a banking regulator in connection with the functions or operations it performs on behalf of the bank.
[1] The Guidance lists the following as examples of third-party relationships: outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.