Interagency Guidance on Third-Party Relationships: Risk Management

Following a consultation on a proposed new Interagency Guidance on Third-Party Relationships: Risk Management in 2021, the Board of Governors of the Federal Reserve System (FED), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Company (FDIC) have now published in the Federal Register the finalized version of the guidance.
The final version includes the feedback, the regulators have received to their corresponding consultation and some minor changes as compared to the proposed version for clarification purposes. Despite the fact that several commenters requested notable changes to the document, the regulators did not proceed with most of them as they find that „supervisory guidance does not have the force and effect of law and does not impose any new requirements on banking organizations“. Instead, it is intended to provide some basic principles that financial institutions may utilize when developing their own risk management strategies based on their individual business models, complexity, and scope of third-party relationships.
The final version is addressed at all FED, OCC, and FDIC supervised institutions seeking to outsource specific functions to third-party service providers. It covers issues ranging from the identification of risks associated with such outsourcing arrangements, to the factors to consider in the selection process, to issues regarding regulatory accountability and oversight.
The final guidance is the result of a joint effort of the three regulators to harmonize their approaches. In the end, it is primarily based on the OCC’s Bulletin 2013-29 which contains the “Third-Party Relationships: Risk Management Guidance“ and the FAQs set out by the OCC in 2020 relating to this issue.
————————
The final guidance is applicable from June 6, 2023.