The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have issued final joint guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies.
The final guidance describes principles and considerations for banking organizations’ risk management of third-party relationships. The final guidance covers risk management practices for the stages in the life cycle of third-party relationships:
- Planning
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring, and
- Termination
The final guidance includes examples to help banking organizations align their risk management practices with the nature and risk profile of their third-party relationships. The agencies plan to engage with community banks immediately, and develop additional resources in the future to assist them in managing relevant third-party risks.
The use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner, and within full compliance of applicable laws and regulations, including but not limited to those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices), and those addressing financial crimes.
The final guidance replaces each agency’s existing general third-party guidance and promotes consistency in the agencies’ supervisory approaches toward third-party risk management. The final guidance reflects streamlined language and improved clarity based on the agencies’ consideration of public comments on the proposed guidance released in July 2021.
To help solicit feedback, the agencies posed 18 questions within the request for comment, organized across the following themes: General, Scope, Tailored Approach to Third-Party Risk Management, Third-Party Relationships, Due Diligence and Collaborative Arrangements, Subcontractors, Information Security, and the OCC’s 2020 FAQs. The agencies collectively received 82 comment letters from banking organizations, fintech companies, and other third-party providers, trade associations, consultants, nonprofits, and individuals in developing the final guidance.
Click here to view the Interagency Guidance on Third-Party Relationships: Risk Management.