Bank Regulators Propose Third-Party Risk Management Guidance

The FRB, FDIC, and OCC recently published and invited comments on a proposed interagency guidance document on risk management in third-party relationships.  The proposed guidance is directed at all banking organizations supervised by these agencies and, if adopted, would replace each agency’s existing guidance on this topic.

While each agency currently has existing guidance on third-party risk management for their respective supervised banking organizations, the proposed guidance aims to create consistency among the agencies and clarify principles on third-party risk management. The notice states that the proposed guidance is based off of the OCC’s existing third-party risk management guidance from 2013.

The proposed guidance aims to provide risk management principles that banking organizations may use to address risk throughout all stages of third-party relationships.  The guidance emphasizes the importance of banking organizations managing the risks that are associated with all third-party relationships, but, in particular, exercising more comprehensive oversight and management of third-party relationships that the guidance describes as supporting “critical activities” or significant bank functions.

The guidance describes the life cycle of third-party risk management and is divided into six principles that apply to all stages of the life cycle including, as described in further detail in the text:

1. Planning.  Evaluating the nature of the risks in the relationship and developing a plan to manage the relationship and the risks.
2. Due Diligence and Third-Party Selection.  Conducting due diligence before entering into a third-party relationship, including the consideration of certain factors including, but not limited to legal and regulatory compliance, financial condition, and operational security.
3. Contract Negotiation. Negotiating a contract that specifies the rights and responsibilities of each party.
4. Oversight and Accountability. Having the banking organization’s board of directors and management responsible for overseeing the risk management process, as well as conducting periodic independent reviews of the risk management process, and properly documenting and reporting on the risk management process and business arrangements.
5. Ongoing Monitoring.  Monitoring throughout the course of the third-party relationship.
6. Termination.  Considering how to transition services and developing plans to terminate relationships in an efficient manner.

In addition to the general request for comments on the language in the proposed guidance, the notice includes 18 specific questions that the agencies are seeking comment on, including, among others, the extent that the OCC’s 2020 FAQs on third-party relationships should be incorporated into the final version of the guidance and whether additional comments, beyond those in the 2020 OCC FAQ document, would be helpful to incorporate.  The questions also address the scope of the relationships covered by the guidance.  The proposed guidance defines a third-party relationship broadly, requiring neither a written contract nor a monetary exchange in order to establish a business arrangement between a banking organization and another entity.  The notice requests comment on this definition and whether the proposed guidance provides sufficient clarity to allow banking organizations to identify the types of relationships that the guidance pertains to.

The comment period on the proposed guidance ends September 17, 2021.