On June 6, 2023, the Board of Governors of the Federal Reserve System (the Federal Reserve), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC, and collectively with the Board and the FDIC, the Agencies) issued their final version of the Interagency Guidance on Third-Party Relationships: Risk Management (the Final Guidance). The Final Guidance is intended to promulgate effective risk management practices by banking organizations with respect to all of their third-party relationships.  

The Final Guidance replaces each Agency’s existing general guidance on third-party risk management (i.e., the Federal Reserve’s SR 13-19, OCC Bulletin 2013-29 and the FDIC’s FIL 44-2008) but is foundationally based on OCC Bulletin 2013-19. The Final Guidance is generally consistent with the proposed interagency guidance released by the Agencies in July 2021 (the Proposed Guidance) but does incorporate some changes to the Proposed Guidance based on comments received from banking organizations, fintech companies, and trade associations, among others.  

What Does Effective Third-Party Risk Management for Banking Organizations Entail?

The Final Guidance addresses the typical life cycle of the third-party relationship, which the Agencies note involves several stages (planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination) and identify various factors for banking organizations to consider during each stage to effectively evaluate and manage related risks.

• Planning Stage: The initial life-cycle for any third-party relationship is the planning stage, where the banking organization evaluates the risks of the relationship and how to manage those risks, with relationships supporting higher-risk activities or critical activities at the banking organization warranting greater planning and consideration. There is a non-exhaustive list of factors banking organizations typically will consider in the planning stage. These factors are set out more fully in Addendum A but generally focus on risks and impacts to the banking organization’s strategic plans, systems and operations, employees, customers, and confidential information and the appropriate level of oversight needed for a third party. 
• Due Diligence and Third-Party Selection: The second stage of the life-cycle includes due diligence and selection of a third party that is able to perform the required activities, adhere to the banking organization’s policies, comply with laws and regulations, and ensure safe operations. While the Final Guidance notes that banking organizations may use industry utilities or consortiums, consult with other organizations, or engage in joint efforts to supplement their due diligence, the Agencies emphasized that the banking organization is ultimately responsible for managing any risk associated with its third-party relationships. Factors banking organizations evaluate during the due diligence stage are set out on Addendum A. If the banking organization encounters any limitations on its ability to obtain due diligence information, those limitations should be identified and documented. The Final Guidance further notes that in these cases the banking organization should also evaluate the need to obtain alternative information to assess the third party, implement additional controls for or monitoring of the third party, or consider use of a different third-party provider.
• Contract Negotiation Stage: While the level of detail in the contract may vary based on the complexity and risk involved in the specific third-party relationship, banking organizations should understand the benefits and risks associated with the contract, particularly for higher-risk activities. Even in instances where a banking organization has limited negotiating power, the organization should understand the risks being undertaken and reconsider whether the relationship meets the organization’s needs and whether any undertaken risks associated with entering into the contract would be acceptable. If the risks are not acceptable, then the banking organization should consider whether an alternative party is available or whether the activities should be performed in-house. The Final Guidance also addresses the role of the organization’s board of directors in having awareness of and, as appropriate, approving or delegating approvals of contracts involving higher-risk activities. After a contract is executed, the organization should conduct appropriate periodic reviews to confirm relevant risks are addressed, and, if new risks are identified, renegotiate the contract if necessary. Factors for banking organizations’ evaluation during the contract negotiation stage are set out on Addendum A.  
• Ongoing Monitoring Stage: Ongoing monitoring of third parties throughout the relationship involves (i) regularly assessing and verifying the quality and sustainability of a third-party’s controls and ability to meet its contractual obligations, (ii) escalating significant issues or concerns, such as audit findings, financial deterioration, security breaches, data loss, compliance lapses, and other indicators of increased risk, and (iii) responding to any identified issues. The Final Guidance notes that the level and frequency of monitoring should reflect the risk and complexity of the relationship, with more comprehensive or frequent monitoring required for higher-risk activities. A banking organization’s monitoring activities should include: reviewing reports, conducting periodic visits and meetings with third-party representatives, regularly testing the banking organization’s controls that manage the relationship’s risks, and, if appropriate based on the level of risk, testing the third-party’s controls. Organizations may also use external resources, refer to conformity assessments or certifications, or collaborate to enhance monitoring efforts as well. The factors the Agencies note that banking organizations should consider during the monitoring stage are set out on Addendum A. 
• Termination Stage: When assessing whether to terminate a third-party relationship, the Final Guidance notes that banking organizations should evaluate: (i) options, costs, timeframes, and capabilities for transitioning the activity to another provider or performing the activity in-house; (ii) the risks on information security and access rights and issues associated with any joint intellectual property; and (iii) the risks to the organization and its customers if the activity is being terminated due to the third-party’s inability to meet the organization’s service expectations.

How Should Banking Organizations Provide Governance Over Third-Party Risk Management?

Consistent with their approach to other aspects of the Final Guidance, the Agencies note that banking organizations have flexibility in structuring their third-party oversight functions, whether centralizing them in compliance or procurement functions or dispersing them throughout business lines. Regardless of the structural approach, the Final Guidance provides that organizations should address the following areas: oversight and accountability, independent reviews, and documentation and reporting.

• Oversight and Accountability: The board of directors is responsible for providing effective oversight of third-party risk management and holding management accountable. The board carries out these responsibilities by evaluating whether: the banking organization’s third-party relationships are consistent with its strategic objectives and risk appetite and with applicable law; there is appropriate risk management reporting over the relationships; and management is appropriately managing the relationships and evolving risks. Management is responsible for developing and implementing risk management policies, procedures, and practices that are appropriate for the banking organization’s risk profile. 
• Independent Reviews: Independent reviews are important tools for assessing the adequacy of the organization’s third-party risk management processes. These reviews allow for independent assessment of whether: the organization’s relationships align with business strategy and internal policies and procedures; risks are being properly identified and managed; risk management processes are designed properly and performing as designed; and conflicts of interest in selecting and monitoring third-party relationships are being identified and avoided.
• Documentation and Reporting: The Final Guidance addresses the importance of proper documentation and reporting of third-party relationships that is supported through a current inventory of those relationships, risk assessments of relationships, due diligence, documented relationships, assessment and remediation plans for third-party controls, risk and performance reports obtained through monitoring, customer complaint reports, service disruption reports, results from independent reviews, and periodic board reporting.

Key Changes from the Proposed Guidance

The Agencies’ overarching message to banking organizations is that the Final Guidance is intended to provide an illustrative, principles-based and risk-based approach to a banking organization’s risk management practices. As a result, many of the changes to the Proposed Guidance and discussion in the Supplementary Information accompanying publication of the Final Guidance address the Agencies’ efforts to reenforce that message: banking organizations should develop and implement third-party risk management processes that are tailored to the individual banking organization’s specific risk profile and the complexity and criticality of specific relationships.

• Definition of Business Relationship: In the Proposed Guidance, the term “business relationship” excluded customer relationships. However, recognizing that some business relationships may incorporate elements or features of a customer relationship (g., customer relationships observed with some fintech companies), the Agencies removed this exclusion from the Final Guidance. In light of the expansion of the term “business relationship” in the Final Guidance, the Agencies emphasized that the Final Guidance “does not suggest that all relationships require the same level or type of oversight or risk management, as different relationships present varying levels of risk” and that a banking organization should tailor its risk management practices commensurate with its size, complexity, risk profile and with the nature of the third-party relationship. (See Final Guidance, pgs. 7-8; 30.)     
• Definition of Critical Activities: The Proposed Guidance defined “critical activities” with reference to imprecise concepts, such as “significant bank functions”, “significant customer impacts”, and “significant investment”. Instead, the Final Guidance defines “critical activities” with respect to “illustrative, risk-based characteristics,” such as activities that could cause significant risk to the banking organization if the third party fails to meet expectations or that have significant impacts on customers or the banking organization’s financial condition or operations. The Agencies acknowledged that “an activity that is critical for one banking organization may not be critical for another.” (See id. at pgs. 31-32.) The Final Guidance appears to provide flexibility for banking organizations to assess risks presented by its third-party relationships and tailor its risk management practices accordingly. 
• Collaborative Arrangements for Due Diligence, Contract Negotiation, and Ongoing Monitoring: Commenters to the initial Proposed Guidance had raised concerns with respect to (i) the feasibility of banking organizations performing the full range of due diligence outlined in the Proposed Guidance, (ii) a smaller institution’s limited negotiation power in contract negotiations, and (iii) the feasibility of ongoing monitoring of a third-party relationship. Commenters suggested that collaboration with other banking organizations or other entities may reduce the burdens of due diligence or ongoing monitoring and could increase a smaller institution’s negotiating power. The Agencies incorporated guidance concerning collaborative efforts into the Final Guidance but cautioned that a banking organization must still evaluate collaborative efforts based on the banking organization’s own specific circumstances and that any collaborative efforts among banks must comply with antitrust laws. (See id. at pgs. 37; 46; 58-59.) 
• Managing Risks Posed by Subcontractors: Commenters to the Proposed Guidance had also requested clarification on how banking organizations could manage risks associated with a third-party’s subcontractors. The Final Guidance acknowledges the risks and complexity associated with a third party’s use of subcontractors and instructs banking organizations to evaluate a third party’s use of subcontractors “based on the risk the relationship poses to the banking organization, which may include assessing whether a third party’s use of subcontractors may heighten or raise additional risk to the banking organization and applying mitigating factors, as appropriate.” (See id. at pgs. 22-23.)

Final Thoughts

Although the Final Guidance is largely consistent with the Proposed Guidance, a banking organization should consider evaluating its third-party risk management program in light of the principles-and-risk-based approach outlined in the Final Guidance and the key changes noted above. For example, given the Final Guidance’s revisions to the definition of “critical activities,” banking organizations may want to re-evaluate which of their activities may meet the revised definition. While national banks regulated by the OCC may not need to make significant changes to their risk management programs, other banks that previously relied on guidance from the FDIC and Federal Reserve (e.g., bank holding companies, state-chartered banks and branches, foreign branch banks and other FDIC insured institutions) should ensure that their third-party risk management practices are consistent with the principles outlined in the Final Guidance.   

Please contact Todd Taylor at toddtaylor@mvalaw.com, Neil Bloomfield at neilbloomfield@mvalaw.com, Suzanne Gainey at suzannegainey@mvalaw.com, and John Stoker at johnstoker@mvalaw.com with any questions you may have about the Final Guidance or for assistance in determining whether your third-party risk management practices comply with the Final Guidance.

ADDENDUM A

The Final Guidance highlights the following factors as typical factors banking organizations should consider during the following third-party relationship life cycle stages:

Planning Stage:

• how the relationship aligns with the banking organization’s strategic goals, risk profile or corporate policies;
• the benefits and risks of the relationship and how to manage those risks;
• the nature of the business arrangement, including the volume of activity, and need and use of subcontractors or foreign-based third parties;
• any costs needed to alter the banking organization’s systems and operations as a result of the relationship;
• whether the third-party could affect the banking organization’s employees, including the transition impacts of outsourcing activities;
• the potential impact on customers, including third-party access to customer information, direct interaction with customers, and handling of customer complaints;
• security implications of the third-party accessing the banking organization’s systems, confidential information, and facilities;
• the necessary level of oversight of the third-party, including its compliance with contractual provisions and applicable legal requirements and its remediation of identified compliance issues;
• the banking organization’s ability to provide appropriate oversight and the need for any related changes to risk management structures and capabilities; and
• the banking organization’s contingency plans if the business arrangement is transitioned to another party or brought in-house.

Due Diligence and Third-Party Selection Stage:

• whether the third-party's business strategy and goals allow it to perform the activity in a manner that conforms with the banking organization’s policies and practices;
• the legal and regulatory compliance considerations associated with engaging with the third-party to determine whether the banking organization can appropriately mitigate associated risks;
• the third-party’s financial condition (e.g., audited financial statements, annual reports, filings with the SEC, and other available financial information);
• the third-party’s business experience, including depth of resources, staffing, experience with the activity, history or complaints or litigation, websites and marketing materials;
• the qualifications of the third-party’s principals and other key personnel related to the activity, including background check procedures and procedures for removing employees that do not meet suitability requirements;
• the effectiveness of the third-party’s risk management policies, processes and controls and their alignment with the banking organization’s policies;
• whether the third-party’s information security program presents risks to the banking organization;
• the third-party’s ability to deliver operations through any disruption or incidents;
• the third-party’s incident reporting and management programs to ensure there are clearly documented processes, timelines, and accountability for managing and reporting incidents;
• whether the third-party has sufficient physical security and environmental controls;
• the volume and types of subcontracted activities the third-party relies on to determine whether any subcontractors pose heightened risk to the banking organization;
• the extent and sufficiency of the third-party’s insurance coverage; and
• whether the third-party’s arrangements with subcontractors or other parties create risks to the banking organization.

Contract Negotiation Stage:

• the nature and scope of the arrangement and rights and responsibilities of the parties;
• the use of performance measures or related benchmarks;
• responsibilities for providing, receiving, and retaining information, including data access and use rights of each party, access and use rights of customer data, and notification responsibilities for compliance matters, changes of control, or assignment of rights, and provision of performance reporting;
• the right to perform audits and receive audit information and require remediation of identified issues;
• responsibility for compliance with applicable laws and regulations;
• costs and compensation arrangements;
• ownership and license to use property, including whether any data generated by the third-party becomes the banking organization’s property;
• confidentiality and integrity related to non-public information or access to infrastructure, including terms for notification of information security breaches;
• operational resilience and business continuity plans related to interruptions in delivery, protection of programs and other cybersecurity issues;
• indemnification provisions and liability limitations;
• the use of insurance requirements to protect against losses;
• dispute resolution mechanisms;
• the process and responsibility for responding to customer complaints;
• the use or prohibition of subcontracting requirements or prohibitions;
• choice of law provisions and consideration of enforceability of terms and special consideration when using foreign-based third parties;
• the use of default and termination provisions, including impact on the return or destruction of the organization’s data or information after termination; and
• regulatory supervision provision for certain stipulated activities that are subject to regulatory examination and oversight.

Ongoing Monitoring Selection Stage:

• assessment of the effectiveness of the relationship given the organization’s goals;
• changes to the third-party’s strategies and relationships that may pose new risks;
• changes in financial condition of the third-party or its insurance coverage;
• audit and testing results that reflect the ability of the third-party to meet its obligations while managing risk and contractual and compliance requirements;
• compliance with laws while meeting contractual obligations;
• changes in key personnel;
• reliance and exposure to subcontractors and processes for managing reliance and exposure;
• employee training programs;
• ability to identify and respond to emerging threats or financial, operational, or legal developments;
• ability to maintain the confidentiality of information, including customer data;
• incident response measures, including business continuity capabilities; and
• customer inquiries or complaints and the third party’s response measures.