On June 6, 2023, in an effort to promote consistency and clarity across the bank regulatory landscape, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency (together, the “Agencies”) issued joint guidance offering the Agencies’ combined approach to bolstering regulated banking organizations’ risk management practices with respect to third-party relationships (the “Guidance”). While the Guidance replaces each of the respective Agencies’ preexisting materials on this subject, many of the concepts advocated for and advanced by former guidance documents and/or FAQs have been incorporated into the final form of the Guidance.
At a high level, the Guidance provides principles designed to be utilized by all banking organizations, regardless of size, to implement effective internal third-party risk management systems and procedures. In addition to being relevant to all types of banks, from large multinational investment firms to small community banking operations, the Agencies designed the Guidance to apply to a wide array of potentially risky third-party relationships. For example, the Guidance explicitly instructs banking organizations to broadly interpret the term “business arrangement” and to treat it as being synonymous with a “third-party relationship,” which the Guidance describes as follows:
-
A third-party relationship may exist despite a lack of a contract or remuneration. Third-party relationships can include, but are not limited to, outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures. Some banking organizations may form third-party relationships with new or novel structures and features – such as those observed in relationships with some financial technology (fintech) companies.
While the Agencies stress the broad relevance of the Guidance, the Guidance notes that not all relationships present the same level of risk and encourages banks to tailor their risk management procedures based on their size, complexity and risk profile as well as the nature of, and risk posed by, the third-party relationship.
Kelly Miller & Nicholas S. Zlevo contributed to this article