On June 6, 2023, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued final joint guidance addressing bank management of third-party relationship risks. The guidance incorporates feedback from public comments on the agencies' proposed guidance released in July 2021 and instructs banks to take a risk-based approach to third-party risk management. The approach is consistent with the Consumer Financial Protection Bureau's existing approach to service provider oversight and the OCC's prior guidance on management of third-party relationships. The joint guidance is expected to provide consistency in the federal bank regulatory agencies' supervisory approaches toward third-party risk management. While most banking organizations should be familiar with the principles expressed in the final joint guidance, the issuance of the guidance is an opportunity for banks to re-assess third-party relationship risks and re-evaluate their policies for managing these risks to help ensure compliance and consumer protection.

The agencies' joint guidance addresses the management of risks associated with all types of third-party relationships. This may include business relationships with third parties engaged in lending, payment, or deposit activities and may include the use of third-party service providers and independent consultants, referral arrangements, merchant payment processing services, services by affiliates and subsidiaries, and joint ventures, including with financial technology (fintech) companies. Pursuant to the joint guidance, banks should maintain an inventory of their third-party relationships and assess the risks presented by each. Based on this risk assessment, the bank must tailor its risk management processes accordingly.

Because the guidance applies a risk-based approach, the bank's risk management processes may vary depending on the nature of the third-party relationship. For relationships that support a bank's critical activities by involving customer contact or providing products or services to customers, the bank may impose more stringent or more comprehensive vetting and oversight requirements for the third party. Similarly, the bank may apply the more stringent requirements for third-party relationships having significant impact on customers or the bank's financial condition or operations or if the third party's failure might cause the bank to face significant risk or significant consumer risk.

To determine the appropriate level of vetting and oversight, banks must consider the benefits and risks of utilizing a third party. Benefits may include more efficient access to technologies, human capital, delivery channels, products, services and markets. However, the use of third parties may present operational, compliance, and strategic risks to the bank. In using a third party, the bank must still perform all activities in a safe and sound manner, in compliance with applicable laws and regulations, including those related to consumer protection and security of customer information. Depending on how a third-party relationship is structured, the bank may assess the types of risks and determine how to appropriately manage the risks associated with the relationship.

The joint guidance advises banks to consider risks at all stages in the life cycle of the third-party relationship, including during planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. A robust third-party relationship management policy will consider the nature and risk profile of each third-party relationship, taking into account the complexity and size of the banking organization. The guidance provides several illustrative examples to help banking organizations align their risk management practices with the nature and risk profile of their third-party relationships. The bank's risk management practices should align with these components throughout the life cycle of the third-party relationship.

As noted above, the principles in the final joint guidance for managing third-party relationships are not new. Most banking organizations should be familiar with the principles expressed in the guidance. Nonetheless, with the adoption of the final joint guidance, banks may reasonably expect heightened scrutiny and oversight from the federal banking regulators. To reduce any regulatory risk associated with this heightened scrutiny, banks should review the joint guidance and take steps to ensure that they are appropriately managing their third-party relationships.