On Dec. 5, 2013, the Federal Reserve joined the list of regulatory agencies that have issued guidance on third party relationships. The Fed guidance supplements the FFIEC Outsourcing Technology Services Booklet (June 2004) and broadens the scope of Fed-supervised institutions’ third party guidance to all service providers, which the December 5th guidance defines broadly to include all entities that contract with financial institutions to provide business functions or activities.

The Fed’s third party guidance includes the majority of the aspects covered in the OCC’s recent third party guidance. The OCC’s risk management lifecycle was not included in the Fed guidance, although the Fed did include business continuity and contingency as important aspects in managing third party risks. For state member banks, bank and savings and loan holding companies, and U.S. operations of foreign banking organizations subject to the Federal Reserve’s supervision, this guidance should come as no surprise, as financial regulators across all sectors of the industry aim to tackle third-party risk amidst rapid innovation in the delivery of financial services. Below is a chart of the contents of regulatory guidance on third party relationships across supervisory agencies. Full text of the Fed third party guidance can be found here.

CONTENTS OF REGULATORY GUIDANCE ON THIRD PARTY RELATIONSHIPS (2001 – 2013)

 

Fed Dec. 2013 Guidance | OCC Oct. 2013 Guidance | FDIC June 2008 Guidance | OCC Nov. 2001 Guidance

Third Party Risk Factors: ✓ ✓ ✓ ✓

Planning/Assessment: ✓ ✓ ✓ ✓

Due Diligence/Structuring: ✓ ✓ ✓ ✓

Contract Issues: ✓ ✓ ✓ ✓

Monitoring: ✓ ✓ ✓ ✓

Oversight Accountability: ✓ ✓

Business Continuity/Contingency: ✓ ✓

Incentive Comp. Review: ✓

Documentation/Reporting: ✓ ✓ ✓

Termination: ✓

Independent Reviews: ✓

We have discussed other agency guidance on third party relationships in previous PLA posts, including the following:

FDIC Clarifies its Supervisory Approach to Payment Processor Relationships (Oct 2013)

FTC Order Against Fraudulent Payment Processor Joins Growing List of Regulatory Actions Involving Third Party Service Providers (Mar 2013)

Regulatory Action Against First Bank of Delaware Reinforces BSA and AML Concerns with Third-Party Relationships (Dec 2012)

FFIEC Releases New Booklet for the Supervision of Technology Service Providers (Nov 2012)

CFPB’s First Enforcement Action Warns Financial Institutions About Liability for Third Party Activities on their Behalf; Related Compliance Bulletin Offers Guidance (July 2012)

OCC Issues Guidance on the Mechanics of Third-Party Service Agreements for Prepaid Access Programs (Sept 2011)