FDIC, FRB & OCC Issue Final Guidance on Risk Management for Third-Party Relationships

Sheppard Mullin Richter & Hampton LLP

On June 6, the FDIC, FRB & OCC issued final interagency guidance intended to assist their respective supervised banking organizations in identifying and managing risks associated with third-party relationships and in complying with applicable laws and regulations. The final guidance replaces and supersedes each agency’s existing third-party guidance “and promotes consistency in the agencies’ supervisory approaches toward third-party risk management,” and incorporates changes based on comments on the proposed guidance from July 2021 (see our previous blog post on the proposed guidance here). The prior guidance that the final guidance rescinds and replaces includes the FDIC’s FIL-44-2008, the FRB’s SR Letter 13-19 and CA Letter 13-21, and the OCC’s Bulletins 2013-29 and 2020-10. The final guidance is effective immediately.

The final guidance is intended to provide sound principles that support a risk-based approach to third-party risk management that banking organizations may consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships. Key details include the following:

  • The use of third parties does not diminish or remove a bank’s responsibility to perform all activities in a safe and sound manner, in compliance with applicable laws and regulations, including those related to consumer protection and security of customer information.
  • The guidance provides examples of considerations in the planning, due diligence, contract negotiation, ongoing monitoring, and termination stages of managing third-party relationships. Sound risk management involves conducting due diligence on third parties prior to engaging them.
  • Sound third-party risk management takes into account the level of risk, complexity, and size of the banking organization, as well as the nature of the specific third-party relationship.
  • Relationships with third parties, fintechs in particular, should be evaluated using both the third-party risk management guidance and the various risk management processes and rules that apply to traditional lending and deposit relationships.

Putting It Into Practice: Federal bank regulators are increasingly attentive to third-party relationships and, in particular, bank partner programs. Regulators continue to make third-party risk management a key element of focus in supervisory examinations. To be prepared, banking organizations should consider: (i) evaluating current third-party risk management programs against the final guidance; (ii) determining what incremental enhancement or foundational third-party risk control uplift may be required; and (iii) formulating an implementation plan to realize control effectiveness and ultimately strengthen adherence to the final guidance. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
