On June 6, 2023, the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, Agencies) issued final joint guidance (the Guidance) for third-party risk management, rescinding and replacing prior guidance issued by each of the Agencies.¹

The Guidance, consistent with past guidance, reminds banking organizations (which we’ll refer to as “banks” for convenience) that a bank is required to operate in a safe and sound manner and in compliance with applicable laws and regulations, and the use of a third party does not change that requirement. In other words, a vendor or partner of a bank is effectively viewed by the Agencies as an extension of the bank.

While the Guidance signals an expectation that banks will tailor their risk management practices commensurate with the banks’ size and complexity and with the risk profile of the third-party relationship, the Guidance also presents regulatory expectations for each stage of the bank/third-party relationship, from planning, due diligence, and contract negotiation to ongoing monitoring and termination.

These expectations are couched in language that can be read as giving banks optionality, but partners of banks should read them as minimum requirements, because that is how bank examiners — and therefore banks — will view them.

The Third-Party Risk Management Lifecycle

The Guidance acknowledges that third-party relationships are a “continuous lifecycle,” beginning with planning, due diligence and third-party selection, and contract negotiation, and from there ongoing monitoring and, finally, termination.

Planning

The planning stage involves the bank’s evaluation of risk before entering into any third-party relationship. Per the Guidance, a bank should consider its business and product strategies, banking activities (including high-risk or critical activities), and the benefits and risks of performing such activities internally or through a third party. Relevant questions to answer include:

• What is the strategic purpose of the business arrangement? How does it align with the bank’s overall strategic goals, objectives, risk appetite and profile, and broader corporate policies? 
• What are the benefits and risks of the arrangement? How can the risks be appropriately managed?
• What is the nature of the business arrangement (including considerations such as volume of activity, use of subcontractors, technology needed, interaction with customers, and use of foreign-based third parties)?
• What are the estimated costs, both direct and indirect?
• How will the arrangement impact the bank’s employees?
• How will the arrangement impact the bank’s customers, including access to or use of customer information, third-party interaction with customers, the potential for consumer harm, and handling of customer complaints and inquiries?
• What are the potential information security and physical security implications of the arrangement?
• How will the bank select, assess, and oversee the third-party?
• How will the bank provide adequate oversight and management of the proposed third-party relationship on an ongoing basis?
• What are the bank’s contingency plans in the event the bank needs to transition the activity to another third party or bring it in-house?

Due Diligence and Third-Party Selection

The Guidance notes that conducting due diligence before selecting and entering into third-party relationships is an important part of sound risk management. Past experience with, or prior knowledge of, a third party is not sufficient.

While the Guidance notes that the scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship, it sets forth the following factors that a bank “typically considers” (and, it is implied, should continue to consider) as part of due diligence that it should conduct with respect to any proposed third-party relationship:

• business strategy and goals
• legal and regulatory compliance
• financial condition
• business experience
• qualifications and experience of principals and other key personnel
• overall risk management
• information security program
• management of information systems
• operational resilience, meaning the ability to operate through and recover from any disruption or incident
• incident reporting and management processes
• physical security
• reliance on subcontractors
• insurance coverage
• contractual arrangements with other parties

Contract Negotiation

While the Guidance leaves open the possibility that a bank may determine to proceed with a third-party relationship without a written contract, in practice that is never done. The Guidance also notes that a bank’s board of directors should be aware of — and, as appropriate, may approve or delegate approval of — contracts involving high-risk activities, and that legal counsel may be warranted.

The Guidance sets forth the following factors that banks should consider during contract negotiations. In practice, we anticipate that any contract governing a third-party relationship should address these items, unless the nature of the relationship makes one or more of the items below not applicable:

• identification of the rights and responsibilities of each party, including the nature and scope of the business arrangement
• performance measures or benchmarks
• responsibilities for providing, receiving, and retaining information
• the right to audit and require remediation
• responsibility for compliance with applicable laws and regulations
• costs and compensation
• ownership and license
• confidentiality and integrity
• operational resilience and business continuity
• indemnification and limits on liability
• insurance
• dispute resolution
• customer complaints
• subcontracting
• foreign-based third parties
• default and termination
• regulatory supervision — namely, a stipulation that the performance of activities by third parties for the bank is subject to regulatory examination and oversight, including appropriate retention of, and access to, all relevant documentation and other materials

Ongoing Monitoring

Per the Guidance, ongoing monitoring may be periodic or continuous and should be commensurate with the risk and complexity of the relationship and of the activity being performed. Typical ongoing monitoring activities include:

• Review of reports regarding the third party’s performance and the effectiveness of its controls.
• Periodic visits and meetings with third-party representatives to discuss performance and operational issues.
• Regular testing of the bank’s controls and management of risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities. Based on risk, a bank may perform direct testing of the third party’s own controls.

During the ongoing monitoring stage, the bank should consider the following when overseeing its third-party relationships:

• the overall effectiveness of the third-party relationship
• changes to the third party’s business arrangement or agreements with other entities
• changes in the third party’s financial condition
• changes to, or lapses in, the third party’s insurance coverage
• relevant audits or other reports and results related to the third party’s management of risks
• the third party’s ongoing compliance with applicable laws, regulations, and contractual provisions
• changes in the third party’s key personnel involved in the activity
• the third party’s reliance on, and risk management of, subcontractors and the location of such subcontractors
• training provided to employees of the bank and the third party
• the third party’s response to changing threats, new vulnerabilities, and incidents impacting the activity
• the third party’s ability to maintain the confidentiality, availability, and integrity of the banking organization’s systems, information, and data, including customer data
• the third party’s response to incidents, business continuity, and resumption plans
• factors external to the third party that could affect its performance and financial and operational standing (e.g., changing laws or economic conditions)
• the volume, nature, and trends of customer inquiries and complaints, the third party’s responses, and any resulting remediation

Termination

The Guidance signals an expectation from the Agencies that banks terminate third-party relationships in an “efficient manner,” with consideration of the following factors:

• options for transitioning services (alternative third parties or insourcing)
• transition resources, capabilities, and time frames
• termination costs and fees
• managing risks related to data retention and destruction, information systems, or other controls
• handling of joint intellectual property
• managing risks to the bank, including its customers

Conclusion

There are a variety of ways that a bank can structure a third-party risk management program and its processes to satisfy the expectations of its supervisory regulators; however, the recommendations in the Guidance are essential to consider when implementing a compliant program.

Third parties, including fintechs, should be aware of the regulatory expectations and requirements with respect to their current and potential future bank partners and should be prepared to appropriately support and manage the risks associated with the bank partnership arrangement. A third party’s ability to demonstrate appropriate and documented operations and controls, consistent with the bank’s third-party risk management policies and processes, will facilitate more efficient due diligence, potentially reducing product time to market, as well as effective ongoing monitoring, which can support more collaboration for innovations and ongoing relationships with bank partners.

^[1] Federal Reserve SR Letter 13–19/CA Letter 13–21, “Guidance on Managing Outsourcing Risk;” OCC Bulletin 2013–29, “Third-Party Relationships: Risk Management Guidance,” and OCC Bulletin 2020–10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013–29;” FIL–44–2008, “Guidance for Managing Third-Party Risk”

[View source.]