Yesterday, the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC, and together with the Federal Reserve and the FDIC, the Agencies), finalized previously proposed interagency guidance on how banking organizations should manage the risk associated with their third-party relationships.
Third-Party Risk Management Expectations
The finalized guidance will harmonize the third-party risk management expectations for banking organizations supervised by the FDIC, Federal Reserve and OCC. The guidance represents a joint effort by the Agencies to respond to the continued and growing prevalence of relationships between banking organizations and third parties, including both traditional outsourcing relationships with service providers and partnership arrangements with financial technology (fintech) companies.
The guidance states that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization. The guidance is intended for all third-party relationships and is especially important for relationships that a banking organization relies on to a significant extent, relationships that entail greater risk and complexity, and relationships that involve critical activities as described in the guidance.
Third-Party Risk Management Life Cycle
The guidance describes the third-party risk management life cycle and identifies principles applicable to each stage of the life cycle, including:
(1) Developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party;
(2) Performing proper due diligence in selecting a third party. Some important factors to consider and assess when performing due diligence include but are not limited to:
- The third party’s financial condition
- The third party’s information security posture
- The third party’s ability to comply with applicable legal and regulatory requirements
- The third party’s disaster resilience and incident monitoring practices
(3) Negotiating written contracts that articulate the rights and responsibilities of all parties. Some important factors to consider when negotiating contracts include but are not limited to:
- The nature and scope of the arrangement with details of the services to be provided
- The right to audit
- Limitations of liability
- Requirement for compliance with laws and regulations
(4) Having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews;
(5) Conducting ongoing monitoring of the third party’s activities and performance; and
(6) Developing contingency plans for terminating the relationship in an effective manner.
Even if your Institution is not regulated by these agencies, we recommend monitoring this guidance and industry reaction to it, as other regulators may release similar guidance in the future. FoxPointe Solutions would be happy to answer any questions you may have or provide you with additional information.