The Board of Governors of the Federal Reserve System (Board)[1], the Federal Deposit Insurance Corporation (FDIC)[2], and the Office of the Comptroller of the Currency (OCC), Treasury[3], issued comprehensive joint guidance[4] on managing risks associated with third-party relationships. This guidance provides pertinent information for banking institutions to readily address the complexities and potential risks that could arise from these relationships, including those with affiliations to financial technology (fintech)[5] companies.

Key Themes of the Guidance:

Implementation of a Risk-Based Approach:

The guidance emphasizes a risk-based approach to third-party risk management, which involves tailoring risk management practices to the specific risks posed by each third-party relationship. This approach ensures that banking organizations can effectively manage and mitigate risks throughout the life cycle of third-party engagements.

Life Cycle Management Vantage point:

The guidance outlines risk management practices for all stages of the third-party relationship life cycle, including:

        I. Planning: Identifying the purpose, scope, and risk profile of the third-party relationship.

      II. Due Diligence: Conducting thorough background checks and evaluations of the third party’s capabilities, financial condition, compliance with legal and regulatory requirements, complaints, and enforcement actions.

    III. Contract Negotiation: Establishing clear expectations and requirements in contractual agreements to manage risks and responsibilities.

   IV. Ongoing Monitoring: Continuously assessing the performance and risk profile of the third party, ensuring compliance with contractual terms, identifying emerging risks, and implementing corrective action as warranted.

     V. Termination: Effectively managing the end of the third-party relationship to ensure a smooth transition and mitigate any residual risks.

Accountability:

Banking organizations retain ownership (i.e., ultimate responsibility) for the activities conducted through third-party relationships. This means that while third parties can perform certain functions, the banking organization must ensure that all activities comply with applicable laws and regulations, including those related to consumer protection, data security, privacy limitations, and other factors.

Examples and Best Practices:

The guidance provides examples of considerations and best practices that banking organizations can leverage to enhance their third-party risk management frameworks. This includes:

• Setting up robust governance structures,
  
• Implementing comprehensive risk assessment processes, and
  
• Establishing clear communication channels with third parties.

Regulatory Uniformity:

This joint guidance replaces previous guidance issued by each agency individually, promoting a consistent approach to third-party risk management across the banking industry. This unified framework is intended to help banking organizations navigate regulatory expectations more effectively and reduce inconsistencies in risk management practices.

For more detailed information, refer to the full text of the guidance available on the FDIC, Federal Reserve, and OCC websites​ (FDIC)​​ ​ (Federal Reserve)​ and (OCC).

About the Author

Vincent Coe, JD, CRCM is a Director with Asurity Advisors. He has over 15 years in both banking and regulatory sectors. He is an expert in regulatory compliance, including fair and responsible banking, enterprise risk management, and financial institutions regulations.

Prior to joining Asurity, Vincent  led a specialized advisory firm, assisting clients with matters spanning enterprise risk management, risk reporting, dashboarding and business planning, UDAP/UDAAP, and Fair Lending. Vincent understands the nuances of complex regulatory matters, having worked at the FDIC, Federal Reserve System, U.S. Department of Justice (Northern District of Ohio), FTC (East Central Regional Office) in various examination and legal roles. Serving as a bank advisor and senior examination consultant, he has supported large organization’s management of complex data, analytics, legal defense, and remediation activities.

[1] https://www.federalreserve.gov/

[2] https://www.fdic.gov/

[3] https://occ.gov/

[4] https://www.fdic.gov/news/press-releases/2023/pr23047.html (June 8, 2023)

[5] Financial technology (also known as fintech) is used to delineate new technology that either improves or automates the delivery and use financial services.