Bank Regulators Propose Guidance on Risk Management of Third-Party Relationships

Nelson Mullins Riley & Scarborough LLP

The federal bank regulatory agencies issued a request for public comment this week on proposed interagency guidance designed to help banking institutions manage risks associated with third-party relationships.

The proposed guidance is intended to help banking institutions identify and address the risks associated with third-party relationships, and it appears to respond to industry feedback requesting alignment among the agencies on third-party risk management guidance.  In prior years, the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have each issued their own guidance to their respective supervised institutions on third-party relationships and appropriate risk management practices.  With this proposal, the agencies seek to promote consistency across their third-party risk management guidance and to clearly articulate risk-based principles for managing third parties.

The guidance comes amid a profound expansion of bank-FinTech partnerships in recent years and serves as a reminder of the underlying principle that applies to any bank that engages third parties to provide products or services or to perform other activities:

Whether a banking institution conducts activities directly or through a third party, the institution cannot avoid its responsibility to conduct those activities in a safe and sound manner and in compliance with applicable laws and regulations, including those designed to protect consumers.

Prudent banking institutions should incorporate this principle into each facet of their third-party risk management programs, including the way they structure their control functions (audit, risk management, and compliance) to account for the management of third-party relationships.  It is also essential that institutions develop training programs for personnel at the line-of-business level that address third-party relationship risks.  Institutions can strengthen their programs by completing risk assessments, regularly reviewing and updating due diligence questionnaires and supporting documents, and evaluating the controls over each third-party relationship.  Ideally, these reviews extend all the way up to the board of directors, which should regularly assess the adequacy of the program through its oversight of senior management.

There is no one-size-fits-all approach.  However a bank structures its third-party risk management program, the board of directors remains responsible for overseeing the development of an effective program commensurate with the bank’s size, complexity, and risk profile as well as with the level of risk, complexity, and the number of the bank’s third-party relationships.  As the regulators note, periodic board reporting is essential to ensure that board responsibilities are fulfilled.

Not all relationships present the same level of risk to a bank.  The regulators encourage institutions to identify the relationships that support significant bank functions, which the regulators call “critical activities,” with the expectation that critical activities receive more comprehensive and rigorous oversight and management as part of sound risk management.  According to the regulators, “critical activities” also include activities that:

  • could cause a banking organization to face significant risk if the third party fails to meet expectations;
  • could have significant customer impacts;
  • require significant investment in resources to implement the third-party relationship and manage the risk; or
  • could have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.

The regulators propose that an effective third-party risk management program generally follows a continuous life cycle for all relationships and, per the proposed guidance, incorporates the following principles at every stage of that life cycle:

Third-Party Risk Management Program Principles and Considerations

Principle: Planning
Considerations: The regulators encourage the institution to develop a plan that outlines the institution’s strategy, identifies the inherent risks of the activity with the third party, and details how the institution will identify, assess, select, and oversee the third party.

Principle: Due Diligence and Third-Party Selection
Considerations: Effective due diligence and third-party selection would consider the following issues:

  1. Strategies and Goals
  2. Legal and Regulatory Compliance
  3. Financial Condition
  4. Business Experience
  5. Fee Structure and Incentives
  6. Qualifications and Backgrounds of Company Principals
  7. Risk Management
  8. Information Security
  9. Management of Information Systems
  10. Operational Resilience
  11. Incident Reporting and Management Programs
  12. Physical Security
  13. Human Resource Management
  14. Reliance on Subcontractors
  15. Insurance Coverage
  16. Conflicting Contractual Arrangements with Other Parties

Principle: Contract Negotiation
Considerations: Written contracts should be negotiated to articulate the rights and responsibilities of all parties, with consideration of the following:

  1. Nature and Scope of Arrangement
  2. Performance Measures or Benchmarks
  3. Responsibilities for Providing, Receiving, and Retaining Information
  4. The Right to Audit and Require Remediation
  5. Responsibility for Compliance with Applicable Laws and Regulations
  6. Cost and Compensation
  7. Ownership and License
  8. Confidentiality and Integrity
  9. Operational Resilience and Business Continuity
  10. Indemnification
  11. Insurance
  12. Dispute Resolution
  13. Limits on Liability
  14. Default and Termination
  15. Customer Complaints
  16. Subcontracting
  17. Foreign-Based Third Parties
  18. Regulatory Supervision

Principle: Oversight and Accountability
Considerations: Oversight and accountability considerations include:

  1. Board of Directors
  2. Management
  3. Independent Reviews
  4. Documentation and Reporting

Principle: Ongoing Monitoring
Considerations: Ongoing monitoring of the third party’s activities and performance should be considered.

Principle: Termination
Considerations: Contingency plans should be developed for terminating the relationship in an effective manner.


Comments to the proposed guidance, which is expected to be published in the Federal Register in the next few days, will be due sixty days after publication.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nelson Mullins Riley & Scarborough LLP | Attorney Advertising
