The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Department of the Treasury Office of the Comptroller of the Currency (OCC) have published proposed interagency guidance regarding how banking organizations should manage risks associated with third-party relationships. The guidance comes as banks are expanding their use of third parties to provide numerous products and services, such as information technology services, accounting, compliance, and platforms for mobile payments. Banks are responsible for the safety and soundness of these activities whether conducted directly by the bank or indirectly through these third-party relationships. Indeed, outsourcing these activities elevates the risk profile of the bank and its customers. Each of these relationships has a different lifecycle and specific risks that must be managed in compliance with applicable laws and regulations, including those designed to protect consumers. The proposed interagency guidance offers a framework for banks to consider in developing a tailored approach to risk management practices for these third-party relationships.
Overview of the Proposed Framework
The proposed guidance is intended to help banks identify and address risks, such as consumer protection, information security, and other operational risks. The proposed framework is intended to cover risk management practices for all stages in the life cycle of third-party relationships and takes into account the level of risk, complexity, and size of the banking organization, and the nature of the third-party relationship.
The guidance defines a third-party relationship as "any business arrangement between a banking organization and another entity, by contract or otherwise." Such relationships may include vendors, fintech companies, affiliates, and a bank's holding company, but generally exclude a bank's customers. These relationships may increase operational, compliance, reputational, strategic, and credit risks, and therefore a risk management program should be commensurate with the organization's risk profile, size, and complexity. Where third parties support critical activities, more comprehensive oversight and management are needed. The guidance describes "critical activities" as significant bank functions or other activities that could:
cause a banking organization to face significant risk if the third party fails to meet expectations;
have significant customer impacts;
require significant investment in resources to implement the third-party relationship and manage the risk; or
have a major impact on bank operations if the banking organization has to find an alternate third party or if the outsourced activity has to be brought in-house.
The proposal offers specific guidance and considerations for each stage of the risk management life cycle, including planning, due diligence and third-party selection, contract negotiation, oversight and accountability, ongoing monitoring, and termination.
While each agency has previously provided independent guidance, this is the first interagency guidance on risk management of third-party relationships. Previous guidance includes FIL-44-2008, "Guidance for Managing Third-Party Risk" published by the FDIC in June 2008, SR Letter 13-19 / CA Letter 13-21, "Guidance on Managing Outsourcing Risk", published by the Board in December 2013 (and updated on February 26, 2021), and OCC Bulletin 2013-29 published by the OCC in 2013. The OCC guidance was later supplemented in 2017 with Frequently Asked Questions (FAQs) in OCC Bulletin 2017-21. The 2017 bulletin was rescinded by the publication of OCC Bulletin 2020-10 in March 2020. That bulletin provided updated FAQs that incorporated the FAQs from bulletin 2017-21 with one change and expanded on the previous FAQs to "clarify the OCC's existing guidance and reflect evolving industry trends."
The interagency proposal is based on the 2013 OCC guidance and "includes changes to reflect the extension of the scope of applicability to banking organizations supervised by all three federal banking agencies." The 2020 OCC FAQs are attached to the proposed guidance as an exhibit and are separate from the proposed guidance. The proposed guidance would replace each agency's existing guidance on this topic and would be directed to all banking organizations supervised by the agencies.
The agencies are seeking public comment on all aspects of the proposed guidance, including whether any concepts from the 2020 FAQs should be incorporated in the final guidance, and other specific questions contained in the proposal. Comments must be received no later than 60 days after the proposal is published in the Federal Register. Commenters should reference the agency-specific instructions for submitting comments set forth in the proposal.