On June 6, 2023, the FDIC, FRB and OCC jointly issued a document entitled “Interagency Guidance on Third-Party Relationships: Risk Management” (“2023 Guidance”). Prior to this, each of these agencies had issued separate guidance on third-party risk; the 2023 Guidance replaces those separate pieces. The agencies have made it clear that they view third-party relationship management as a key compliance issue for banking institutions, given the serious operational and reputational risks that arise from third-party relationships. It can be expected that the agencies will hold institutions to the requirements of this guidance, and will examine banks and pursue enforcement with that heightened expectation. Accordingly, it is imperative that institutions review this guidance and operationalize its requirements.
The 2023 Guidance may be found here: Interagency Guidance on Third-Party Relationships: Risk Management. The prior guidance from each of the agencies (which the 2023 Guidance replaces) includes the FDIC’s FIL-44-2008, the FRB’s SR Letter 13-19 and CA Letter 13-21, and the OCC’s Bulletins 2013-29 and 2020-10. This update summarizes some key points from that 68-page guidance.
Overview. To no one’s surprise, the agencies remind banking organizations that the regulatory standard remains the same regardless of whether the banking organization performs an activity internally or outsources it. That uncompromising standard is that the banking organization must operate in a safe and sound manner and in compliance with applicable laws and regulations. According to the agencies, entering into third-party relationships may introduce new risks or increase existing risks, such as operational, compliance, and strategic risks. If an organization fails to appropriately manage those risks, it exposes itself to serious harm, such as substantial financial loss and operational disruption. Accordingly, identifying, assessing, monitoring and controlling the risks arising from third-party relationships is as essential as staying out of the pool during a lightning storm.
Risk Management. Since third-party relationships can (and, in our experience, often do) present different levels of risk, there is not a one-size-fits-all approach to oversight or risk management. Thus, according to the agencies, a bank’s sound risk management includes analyzing those risks from each relationship and then tailoring risk management practices to that risk. Of course, the bank must consider its size, complexity and risk profile.
Third-Party Relationship Life Cycle. After providing an overview and reiterating that risk management must be tailored to the relationship, the agencies break down the life cycle of a third-party relationship into stages (planning, due diligence, contract negotiation, ongoing monitoring, and termination) and the risks associated with each of those stages.
As always, sound risk management involves conducting due diligence on third parties prior to engaging them. The due diligence includes assessing the third party’s ability to comply with all applicable laws and regulations. Note that the agencies did not say that a bank may rely on the third party’s promise to comply; the bank must actually assess the third party’s ability to do so. Nor may a bank rely solely on its prior experience with or knowledge of the third party. Other common factors to consider in the due diligence phase are the third party’s strategies and goals, legal and regulatory compliance, financial condition, business experience, qualifications and backgrounds of key personnel and other human resources considerations, the effectiveness of its risk management, information security, information systems management, operational resilience, incident reporting and management processes, physical security, reliance on subcontractors, insurance coverage, and contractual arrangements with other parties.
Governance and Supervisory Reviews. The agencies go on to discuss each element of governance – oversight and accountability, independent reviews, and documentation and reporting. Finally, they explain the supervisory review of third-party relationships. Each agency promises to review its supervised banking organizations’ risk management of third-party relationships as part of its standard supervisory processes. Supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
As to the third parties, when circumstances warrant, an agency may use its legal authority to examine functions or operations that a third party performs on a banking organization’s behalf. Such examinations may evaluate the third party’s ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services. The agencies may pursue corrective measures, including enforcement actions, when necessary to address violations of laws and regulations or unsafe or unsound banking practices by the banking organization or its third party.