On July 19, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) published the “Proposed Interagency Guidance on Third-Party Relationships: Risk Management.”
Nearly two years of consultation followed, and on June 6, 2023, the banking agencies’ proposed guidance became final guidance in the form of the “Interagency Guidance on Third-Party Relationships” (hereinafter referred to as the Guidance).
The Guidance provides banking organizations, financial institutions, and the financial technology (fintech) sector with a roadmap on how to create and implement a compliant and robust third-party relationship management system. Key to the advice given in the final Interagency Guidance is a risk-based approach to onboarding and supervising third parties.
In this article, we examine:
- The purpose of the new joint guidance on managing risks from third parties
- Third-party risk management under the new Guidance
- How to achieve sound risk management in banking and finance based on risk management principles
About the New Guidance on Third-Party Relationships
This Guidance supersedes previous guidance given by each agency on third-party risk management practices. It reminds banks and financial institutions that they are obliged to make sure they do business safely and in a compliant and sound manner that adheres to all applicable laws and regulations.
Keep in mind that the Guidance has no legal force, and it doesn’t introduce any new requirements for organizations.
The Guidance addresses the importance of oversight and accountability in business relationships. Particular emphasis is given to having a robust third-party risk management life cycle.
The interagency document sets out the principles that banks and other financial services providers should use when developing risk management processes, especially related to their risk profile (in other words, the level of risk they’re exposed to).
Although the Guidance primarily covers larger financial institutions, the agencies have outlined a desire to engage with community banks to develop additional resources to aid them in their compliance management program.
What Relationships Does the New Guidance Cover?
The Guidance covers how to achieve compliant management of third-party relationships. It applies to all business arrangements a financial institution enters into with a third party, even if there is no governing contract between them and neither side makes payment to the other.
Examples of these types of relationships include outsourcing, consultants, referrals, merchant payment processing services, subsidiaries, joint ventures, affiliates, and other types of partnerships including subcontractors.
The Guidance advises that a company’s risk management practices should reflect the nature of each third-party relationship individually, with reference to its importance, scope, and complexity. For riskier third-party relationships, the Guidance introduces the concept of criticality.
Broadly speaking, if failure to manage risks specific to an individual third-party relationship could severely and negatively affect a bank or lead to significant customer impacts, this is a “critical activity.”
The 5-Step Life Cycle of Third-Party Relationships Recommended by the Guidance
The Guidance recommends the following five steps through the risk management life cycle:
- Planning: At the beginning of the third-party selection process, the bank or financial organization should assess the risk profile for each third party to determine the specific risk management measures they need to take. For example, if a third-party relationship is classed as a critical activity during a risk assessment, the bank may want to get approval from the board of directors before proceeding.
- Due diligence: This is the stage during which banks and financial institutions assess whether a third party can carry out the actions required of it safely and securely while remaining compliant with internal policies and all relevant laws and regulations. Due diligence includes an examination of a third party’s adherence to legal and regulatory standards, current certifications, robustness of information security and cybersecurity protocols, dependency on subcontractors, key personnel’s qualifications and backgrounds, insurance coverage, and more.
- Contract negotiations: When negotiating, banks and financial institutions should set out in their contract terms the responsibilities and expectations of both parties in respect to risk management and supervision. The Guidance recommends the involvement of boards of directors at this stage. Factors to consider during negotiations include operational resilience and business continuity, dependence on subcontracting partners, use of foreign-based third parties, default and termination conditions, the right to audit and demand remediation, and regulatory oversight.
- Ongoing monitoring: Sometimes, third-party organizations provide the necessary reassurances during contract negotiations but can’t meet them in their performance of the contract. Banks and other financial institutions should use regular supervisory reviews to monitor for issues like audit failures, weakening financial conditions, disruptions in service, compliance failings, and information technology and data breaches. The Guidance also recommends that banks hold regular meetings and pay regular visits to third parties to discuss issues and areas of vulnerability. Banking organizations and financial institutions should also order independent reviews of their processes to ensure ongoing efficacy.
- Termination: When ending the relationship with a third party, banks and financial institutions should do this in the most efficient way possible. This should involve transferring the affected activities to another third party, bringing them in-house, or suspending those activities altogether. Such a process protects the intellectual property of the organization and mitigates the risk of later enforcement action.
Interagency Guidance on Third-Party Relationships FAQs
Here are some commonly asked questions and answers about the Interagency Guidance on Third-Party Relationships.
What Are the Risks of Third-Party Service Providers?
There are many benefits to the use of third parties, but there are also many considerable and sometimes unexpected risks. These risks are what the Interagency Guidance on Third-Party Relationships is designed to help companies address. Problems caused by external parties can include disruptions to service delivery and exposure to financial and regulatory difficulties.
What Is Third-Party Relationship Management?
Management of third-party relationships allows companies to monitor, control, and direct their interactions with third-party or external entities. As emphasized in the Interagency Guidance on Third-Party Relationships, this includes relationships with third parties regardless of whether there’s a governing contract.
Why Is It Important to Establish Clear Contractual Agreements With Third-Party Vendors Regarding Security?
The majority of third-party breaches arise because the rules and protocols put in place to stop them aren’t followed or enforced. This is particularly the case with cybersecurity where human error is at fault for most breaches. The Interagency Guidance on Third-Party Relationships provides guidelines to companies on how they can assist vendors, suppliers, and other third parties to understand and meet expectations, improving security in all areas.
Where Can I Find the Interagency Guidance on Third-Party Relationships?
You can find the text of the Interagency Guidance on Third-Party Relationships at the FederalRegister.gov site. You can also find third-party risk management guidance on the OCC website and in the regular OCC bulletin.