The Board of Governors of the Federal Reserve System (FED) has published a press statement to announce that the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the FED itself have finalized their [Interagency Guidance on Third-Party Relationships: Risk Management](https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20230606a2.pdf).
The guidance is addressed to supervised institutions seeking to outsource specific functions to third-party service providers. It covers a range of issues: the identification of risks associated with such outsourcing arrangements, the factors to consider when selecting a potential provider, the aspects that must be a central part of ANY contract negotiation between a bank and a third-party service provider, and questions of regulatory accountability and oversight.
The final guidance is the result of a joint effort of the three regulators to harmonize their approaches. In the end, the final version is primarily based on the OCC’s Bulletin 2013-29, which contains the “Third-Party Relationships: Risk Management Guidance”, and the FAQs issued by the OCC in 2020 on this issue.
This final version – as it will soon be published in the Federal Register – incorporates the feedback the regulators received on the proposed version and includes some changes compared to that proposal. These changes are briefly noted below:
(1) Tailoring risk management: The final version explicitly points out that a sound third-party risk management framework for banking organizations should consider factors such as risk level, complexity, size, and the nature of each third-party relationship. Not all relationships pose the same risks, so banking organizations should customize their practices accordingly.
(2) Supervisory approach: The final version states that supervisory reviews of a banking organization’s third-party risk management will be tailored based on the level of risk and complexity associated with the organization’s activities and third-party relationships – which is equivalent to the approach that banks shall take when developing an adequate third-party risk management framework.
(3) FinTech partnerships: The guidance explicitly includes bank-FinTech partnerships, even those involving novel or complex structures. This includes cases where the FinTech firm interacts directly with end clients, acting as an intermediary “on behalf of” institutions.
(4) Support for community banks: The guidance acknowledges the challenges faced by smaller banks with limited technical resources. Suggestions from commenters regarding collaborative industry efforts (e.g. the sharing of resources) and reliance on independent third-party certifications to reduce the due diligence burden have been incorporated into the guidance.
And finally, in an effort to enhance comprehension and compliance with the guidance, the regulators have included numerous illustrative examples, such as examples for adequate recordkeeping of third-party relationships.
