On June 6, the FDIC, FRB & OCC issued final interagency guidance intended to assist their respective supervised banking organizations in identifying and managing risks associated with third-party relationships and in complying with applicable laws and regulations. The final guidance replaces and supersedes each agency’s existing third-party guidance “and promotes consistency in the agencies’ supervisory approaches toward third-party risk management,” and incorporates changes based on comments on the proposed guidance from July 2021 (see our previous blog post on the proposed guidance here). The prior sets of guidance from each of the agencies the final guidance rescinds and replaces includes the FDIC’s FIL-44-2008, FRB’s SR Letter 13-19 and CA Letter 13-21, and OCC’s Bulletins 2013-29, 2020-10. The final guidance is effective immediately.
The final guidance is intended to provide sound principles that support a risk-based approach to third-party risk management that banking organizations may consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships. Key details include the following:
-
The use of third parties does not diminish or remove a bank’s responsibility to perform all activities in a safe and sound manner, in compliance with applicable laws and regulations, including those related to consumer protection and security of customer information.
-
The guidance provides examples of considerations in the planning, due diligence, contract negotiation, ongoing monitoring, and termination stages of managing third-party relationships. Sound risk management involves conducting due diligence on third parties prior to engaging them.
-
Sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization, as well as the nature of the specific third-party relationship.
-
Relationships with third parties, fintechs in particular, should be evaluated using both the third party risk management guidance and the various risk management processes and rules that apply to traditional lending and deposit relationships.
Putting It Into Practice: Federal bank regulators are increasingly attentive to third-party relationships and, in particular, bank partner programs. Regulators continue to make third-party risk management a key element of focus in supervisory examinations. To be prepared, banking organizations should consider: (i) evaluating current third-party risk management programs against the final guidance; (ii) determining what incremental enhancement or foundational third-party risk control uplift may be required; and (iii) formulating an implementation plan to realize control effectiveness and ultimately strengthen adherence to the final guidance.