After a nearly two-year notice and comment period, the Comptroller of the Currency, Federal Deposit Insurance Corporation and Federal Reserve have published much-anticipated final guidance for banks on managing risks associated with third parties. The guidance provides direction to banks that work with fintechs, service providers or other third parties.

The guidance addresses 19 topics, from pre-contractual due diligence and licensure to key terms in contracts, such as “indemnification” and “confidentiality of consumer information.” It also addresses matters that apply after a contract is executed, including monitoring, subcontracting and termination.

Although the document technically rescinds and replaces prior guidance from each agency, in practice it aligns all three federal banking regulators’ approaches to third-party relationships while highlighting the agencies’ longstanding view that banks ultimately are responsible for the actions of third parties.

Here are the top ways the guidance may impact your business, regardless of whether you are a bank, fintech or service provider:

1. Planning. The guidance says banks should prepare for third-party relationships by gathering information to assess risk. The agencies acknowledge that certain third-party relationships may be riskier than others and say banks should adjust contracting and oversight accordingly, taking into account the potential impact on customers and bank systems. The guidance emphasizes that higher risk activities (i.e., critical activities) should undergo comprehensive and rigorous oversight, involving the bank’s board of directors where appropriate. Third parties engaged in critical activities should anticipate increased scrutiny from banking partners.

2. Due Diligence and Third-Party Selection. The guidance advises banks to conduct extensive due diligence before entering third-party relationships. Due diligence should incorporate subject matter experts from the bank’s compliance, risk and/or technology departments, as well as legal counsel. In conducting its due diligence assessment, banks should consider a third party’s:

Fintechs and bank service providers should review business processes with an eye towards meeting bank-level standards.

• Legal and regulatory compliance;
• Financial condition;
• Business experience;
• Risk management;
• Information security;
• Operational resilience;
• Incident reporting;
• Physical security; and
• Reliance on subcontractors.

3. Contract Negotiation. The agencies advise banks to seek modifications and add provisions or addendums as appropriate when negotiating contracts with third parties. Where a bank has limited negotiating power, the guidance cautions that it should first understand the risks in proceeding with the relationship and that it consider other third parties if the risk is too great. Banks should consider factors during contract negotiations that include:

• The nature and scope of the arrangement;
• Performance measures or benchmarks;
• Responsibility for compliance with applicable laws and regulations;
• Confidentiality;
• Dispute resolution; and
• Customer complaints.

In light of this guidance, third parties may see banks push more strongly on contractual provisions than they would otherwise in order  to meet regulatory expectations.

4. Ongoing Monitoring. In addition to conducting a thorough due diligence at the outset, agencies expect banks to monitor third parties throughout the relationship. The guidance gives banks the flexibility to choose between periodic or more continuous monitoring but notes that more frequent monitoring may be necessary for third parties engaged in critical activities. The guidance suggests banks monitor third parties through:

• A review of reports regarding the third party’s performance and the effectiveness of its controls;
• Periodic visits and meetings with third-party representatives to discuss performance and operational issues; and
• Regular testing of the bank’s controls that manage risks from its third-party relationships.

The guidance adds that direct testing of a third party’s own controls may be warranted in certain circumstances. Fintechs and others should prepare for potentially more structured and rigorous oversight as they work with banks.

5. Termination. The agencies acknowledge that banks may terminate third-party relationships for a variety of reasons and advise they do so efficiently. In addition to other factors, banks should consider the impact on customers, particularly if the termination is due to a third party’s failure to meet expectations. Third parties likewise should know that regulators expect them to ensure that consumers are protected if a third party terminates the relationship.

6. Governance. The guidance says proper oversight and accountability are important aspects of third-party risk management, noting that the board of directors has the “ultimate responsibility” for oversight and holding management accountable. The guidance also outlines factors the board and management should consider in carrying out their duties. In addition to board involvement, the guidance advises banks to conduct periodic independent reviews to assess third-party risk management practices, including properly documenting and reporting on the process.

As banks increase their use of fintechs and third parties to streamline operations and improve customers’ experiences, examiners will seek to ensure that their policies and procedures are consistent with the above risk management practices. Because all three agencies invested the time and resources to create a unified set of expectations, we anticipate scrutiny of third-party relationships to increase.