Last week, the federal banking agencies—Federal Reserve Board (Board), Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC)—issued proposed interagency guidance ("Proposal") on risk management for banks and their third-party relationships. As part of the Proposal, the agencies have requested information and comments from industry and the public.
The nondescript term "third-party relationships" covers a wide swath of vendor and outsourcing activities, including everything from a bank's janitorial contractors to the sophisticated service agreements banks use to support FinTech platforms. The Proposal provides an opportunity for banks and FinTech companies alike to help shape an effective risk management framework that is harmonized across the banking agencies—something that has been lacking among the regulators.
Summarized below are key takeaways from the Proposal, which was published in the Federal Register on July 19, 2021.
The Proposal is an opportunity for participants in the banking and FinTech ecosystems to highlight challenges and issues, including any unnecessary regulatory burdens imposed on bank-FinTech relationships. As a joint issuance from the banking agencies, the Proposal contains guidance that uniformly impacts all insured depository institutions other than credit unions, given that the National Credit Union Administration did not join the Proposal.
Currently, each of the federal banking agencies has its own version of third-party risk management guidance, including the FDIC's Guidance for Managing Third-Party Risk (2008), the OCC's Third-Party Relationships: Risk Management Guidance (2013), and the Board's Guidance on Managing Outsourcing Risk (2013).
While existing agency guidance materials generally address similar issues, there is divergence in the approach and focus of each agency, which often creates confusion and difficulties for vendors and FinTechs working with multiple banks. The agencies are using the OCC's risk management guidance as the baseline to create a single, harmonized guidance document that will be applicable to all insured depository institutions (except credit unions).
By technology standards, the agencies' current guidance materials are ancient. The OCC's version, which is being used as the model, is eight years old. Meanwhile, the FDIC has not updated its guidance since the original iPhone's first birthday. The Proposal recognizes that the nature and scope of bank outsourcing relationships with third parties have changed dramatically during this time.
Furthermore, none of the agencies envisioned the types of arrangements that are now instrumental to the FinTech ecosystem. Thus, the Proposal provides the opportunity for a much-needed facelift to existing third-party vendor risk management guidance.
After a few years of chilly interagency relationships, the Proposal appears to be a good sign for the return of interagency collaboration and cooperation among the Board, OCC, and FDIC. This could bode well for the future of other rulemakings, such as updated Community Reinvestment Act regulations, where the agencies' long history of joint action and uniform rulemaking activities appears to be at an end.
Principles and Scale
A common theme highlighted in the Proposal is that a bank's risk management procedures should apply to every third-party service provider relationship, regardless of size. The Proposal references principles that can be scaled to address a wide range of business arrangements. The Proposal directs banks to tailor their risk management practices for each third-party service provider relationship to reflect the nature, complexity, and criticality of the service being performed for, or on behalf of, the bank.
While the Proposal takes an approach substantially similar to that set forth in the OCC's 2013 guidance, there are some notable additions in the Proposal not found in the original guidance, including the following:
Planning Guidance for Third-Party Relationships
"As with all other phases of the third-party risk management life cycle, it is important for planning and assessment to be performed by those with the requisite knowledge and skills. A banking organization may involve experts across disciplines, such as compliance, risk, or technology officers, legal counsel, and external support where helpful to supplement the qualifications and technical expertise of in-house staff."
Consideration of Gaps in Due Diligence
"In some instances, a banking organization may not be able to obtain the desired due diligence information from the third party. For example, the third party may not have a long operational history or demonstrated financial performance. In such situations, it is important to identify limitations, understand the risks, consider how to mitigate the risks, and determine whether the residual risks are acceptable."
Guidance for the Use of Third Parties to Assist in Due Diligence
"In order to facilitate or supplement a banking organization's due diligence, a banking organization may use the services of industry utilities or consortiums, including development organizations, consult with other banking organizations, or engage in joint efforts for performing due diligence to meet its established assessment criteria. . . . Use of such external services does not abrogate the responsibility of the board of directors to decide on matters related to third-party relationships involving critical activities or the responsibility of management to handle third-party relationships in a safe and sound manner and consistent with applicable laws and regulations."
Information Security Considerations
"Consider the extent to which the third party uses controls to limit access to the banking organization's data and transactions, such as multifactor authentication, end-to-end encryption, and secured source code management."
Long Term Considerations for Operational Resilience
"Consider risks related to technologies used by third parties, such as interoperability or potential end of life issues with software programming language, computer platform, or data storage technologies that may impact operational resilience."
Recognition That Smaller Banks May Have Limited Negotiating Power
"In situations where it is difficult for a banking organization to negotiate contract terms, it is important for the banking organization to understand any resulting limitations, determine whether the contract can still meet the banking organization's needs, and determine whether the contract would result in increased risk to the banking organization. If the contract would not satisfy the banking organization's needs or would result in an unacceptable increase in risk, the banking organization may wish to consider other third parties for the service. Banking organizations may also gain advantage by negotiating contracts as a group with other users."
Emphasis That Banks Must Have Access to Their Own Data
"Confirm that the contract sufficiently addresses . . . The ability of the institution to have unrestricted access to its data whether or not in the possession of the third party . . . [and the] ability for the banking organization to access native data and to authorize and allow other third parties to access its data during the term of the contract."
These highlighted sections are among the issues that banks and FinTech firms may want to address in commenting on the Proposal. In addition, the Proposal provides an opportunity for suggesting additional changes, addressing other issues, and responding to any of the 18 questions posed by the agencies with regard to how the Proposal could be improved.
Questions Posed by the Agencies in the Proposal
| 1. To what extent does the guidance provide sufficient utility, relevance, comprehensiveness, and clarity for banking organizations with different risk profiles and organizational structures? In what areas should the level of detail be increased or reduced? In particular, to what extent is the level of detail in the guidance's examples helpful for banking organizations as they design and evaluate their third party risk management practices?
| 2. What other aspects of third-party relationships, if any, should the guidance consider?
| 3. In what ways, if any, could the proposed description of third-party relationships be clearer?
| 4. To what extent does the discussion of "business arrangement" in the proposed guidance provide sufficient clarity to permit banking organizations to identify those arrangements for which the guidance is appropriate? What change or additional clarification, if any, would be helpful?5. What changes or additional clarification, if any, would be helpful regarding the risks associated with engaging with foreign-based third parties?
| 5. What change or additional clarification, if any, would be helpful?5. What changes or additional clarification, if any, would be helpful regarding the risks associated with engaging with foreign-based third parties?
| 6. How could the proposed guidance better help a banking organization appropriately scale its third-party risk management practices?
| 7. In what ways, if any, could the proposed guidance be revised to better address challenges a banking organization may face in negotiating some third-party contracts?
| 8. In what ways could the proposed description of critical activities be clarified or improved?
| 9. What additional information, if any, could the proposed guidance provide for banking organizations to consider when managing risks related to different types of business arrangements with third parties?
| 10. What revisions to the proposed guidance, if any, would better assist banking organizations in assessing third-party risk as technologies evolve?
| 11. What additional information, if any, could the proposed guidance provide to banking organizations in managing the risk associated with third-party platforms that directly engage with end customers?
| 12. What risk management practices do banking organizations find most effective in managing business arrangements in which a third party engages in activities for which there are regulatory compliance requirements? How could the guidance further assist banking organizations in appropriately managing the compliance risks of these business arrangements?
| 13. In what ways, if any, could the discussion of shared due diligence in the proposed guidance provide better clarity to banking organizations regarding third-party due diligence activities?
| 14. In what ways, if any, could the proposed guidance further address due diligence options, including those that may be more cost effective? In what ways, if any, could the proposed guidance provide better clarity to banking organizations conducting due diligence, including working with utilities, consortiums, or standard-setting organizations?
| 15. How could the proposed guidance be enhanced to provide more clarity on conducting due diligence for subcontractor relationships? To what extent would changing the terms used in explaining matters involving subcontractors (for example, fourth parties) enhance the understandability and effectiveness of this proposed guidance? What other practices or principles regarding subcontractors should be addressed in the proposed guidance?
| 16. What factors should a banking organization consider in determining the types of subcontracting it is comfortable accepting in a third-party relationship? What additional factors are relevant when the relationship involves a critical activity?
| 17. What additional information should the proposed guidance provide regarding a banking organization's assessment of a third party's information security and regarding information security risks involved with engaging a third party?
| 18. To what extent should the concepts discussed in the OCC's 2020 FAQs be incorporated into the guidance? What would be the best way to incorporate the concepts?