New Proposed Guidance on Third-Party Relationships

Baker Donelson

On July 13, 2021, the Board of Governors of the Federal Reserve (the "Fed"), the Federal Deposit Insurance Corporation (the "FDIC") and the Office of the Comptroller of the Currency (the "OCC," and with the Fed and the FDIC collectively referred to herein as the "Regulators") proposed for comment new interagency guidance on managing risks with third-party relationships (the "Proposed Guidance"). The Proposed Guidance would replace each Regulator's existing guidance on vendor management and would be directed to all banking organizations.

The Proposed Guidance is similar in many ways to existing regulatory guidance but includes some new and different requirements banks will need to implement. It is the Regulators' position that the Proposed Guidance provides a framework of sound risk management principles that banks may utilize to address the risks involved in third-party relationships.

As part of that process, the most comprehensive and rigorous oversight and management of third-party relationships should apply to third parties that support critical activities – those whose failure would result in material loss of revenue, profit or franchise value; those whose failure poses other significant risk; those that could have significant customer impact; those that require significant investment of resources; and those that could have a major impact on bank operations if the bank had to find an alternative.

The Proposed Guidance outlined six steps in identifying and mitigating the risk from third-party vendors and service providers:

  1. Planning – outlining the bank's strategy and risks involved with the third party and detailing how the bank will identify, assess, select and oversee the third party.
  2. Due Diligence and Third-Party Selection – performing appropriate due diligence in selecting the third party commensurate with the level of risk and complexity of the activity and the third-party relationship.
  3. Contract Negotiation – negotiating and documenting contracts that articulate the responsibilities of all parties.
  4. Oversight and Accountability – responsibility for the bank's risk management process including:
    1. Board of directors
    2. Management
    3. Independent reviews
    4. Documentation and reporting
  5. Ongoing Monitoring – appropriately monitoring and documenting the third party's activities and performance.
  6. Termination – developing contingency plans for terminating the relationship.

The Proposed Guidance, which goes into great detail on factors to be considered under each of the six steps, also includes the OCC's FAQs from March 2020 as an exhibit and seeks comment on which of the concepts discussed therein should be incorporated in the final version of the guidance.

Board members and senior management are responsible for managing the risk posed to an institution through its third-party service providers. Therefore, it is incumbent upon every bank's management team to have a vendor management process commensurate with its size, complexity and risk profile as well as the level of risk and number of third-party relationships. The Proposed Guidance specifically states that a bank's failure to have an effective third-party risk management process commensurate with the level of risk, complexity of the third-party relationships and organizational structure may be an unsafe or unsound practice.

It is anticipated that the Proposed Guidance will be published in the Federal Register in the next few days and any comments will be due 60 days after publication.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
