Federal bank regulatory agencies issued final joint guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies. The agencies are the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.
The agencies invited comment on all aspects of the proposed guidance across several themes, including third-party risk management, due diligence, collaborative arrangements and information security. The agencies collectively received 82 comment letters from banking organizations, financial technology (fintech) companies and other third-party providers, trade associations, consultants, nonprofits, and individuals.
Several commenters suggested that the agencies use their existing authorities (such as under the Bank Service Company Act) to address the risks of what those commenters perceived as “systemically important” third-party service providers, or to otherwise assist banking organizations’ third-party risk management efforts.
The final guidance describes principles and considerations for banking organizations’ risk management of third-party relationships. The final guidance covers risk management practices for the stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
The final guidance includes illustrative examples to help banking organizations align their risk management practices with the nature and risk profile of their third-party relationships.
From the guidance: “It is important for each banking organization to assess risks presented by each of its third-party relationships and tailor its risk management processes accordingly. To the extent that specific laws and regulations may be applicable, for example, recovery or resolution planning to large banking organizations, those banking organizations may desire to leverage definitions and approaches in those laws and regulations when developing and implementing third-party risk management, such as identifying third-party relationships that support higher-risk activities, including critical activities. Moreover, to the extent that other guidance may be relevant to certain banking organizations, such as the Sound Practices Paper, which is intended for the largest and most complex banking organizations, such organizations may choose to reference relevant terms and concepts contained in those other issuances when implementing their third-party risk management processes.”