On June 6, 2023, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency jointly released final guidance on managing risks associated with third-party relationships. The guidance is intended to promote consistency in supervisory approaches and replaces each agency’s existing guidance on the topic.

According to the guidance, a bank’s use of third parties to deliver products and services to its customers may present new risks or elevate existing operational, compliance, and strategic risks. This is particularly the case when new or novel technologies “such as those observed in relationships with financial technology (fintech) companies” are used for the delivery of the products and services. The use of a third-party service provider does not reduce or shift the bank’s compliance responsibilities to the third party. The bank remains responsible for ensuring that “activities are performed in a safe and sound manner and in compliance with the applicable laws and regulations, including but not limited to those designed to protect consumers . . . and addressing financial crimes” to the same extent as if the activities were performed by the bank itself. Thus, having a sound third-party risk management program is of paramount importance for banks.

The guidance recognizes that each third-party relationship is unique and may present a different type or level of risk. As such, sound risk management practices require a bank to “analyze each third-party relationship and tailor [its] risk management practices, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of the third-party relationship.” Third-party relationships which present a higher degree of risk, or which relate to a “critical activity,” should be subjected to “more comprehensive and rigorous oversight and management.”

The term “critical activity” is not precisely defined in the guidance. Instead, it is characterized generally as activities that could:

• Cause a banking organization to face significant risk if the third party fails to meet expectations;
• Have significant customer impacts; or
• Have a significant impact on a banking organization’s financial condition or operations.

As such, banks are encouraged to implement a sound and consistent methodology in making the determination as to which activities constitute critical activities and should be subjected to more comprehensive and rigorous oversight.

The management of risks associated with third-party relationships is not a one-time event. As described in the guidance, it is a process that follows a life cycle. The life cycle includes planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and, ultimately, termination.

Going forward, banks should anticipate that the scope of their supervisory agency’s review of their management of third-party relationships will be based upon the “degree of risk and the complexity associated with the banking organization’s activities and third-party relationships.” Because of this, the bank’s risk management process in this arena should be well documented and easily accessible in anticipation of questions or review by examiners. Further, banks should be aware that future regulatory examinations may include a heightened review of their third-party risk management processes and include assessments of the ability of the bank’s management to oversee and manage third-party relationships, assessments of the impact of third-party relationships on the bank’s risk profile and performance, and transaction testing with respect to activities performed by third parties.