INTERAGENCY GUIDANCE ON THIRD PARTY RISK MANAGEMENT: WHAT TO KNOW

  • Geoffrey Lash, Justin Waller and Simon Zais
  • Published: 21 June 2023

In the first week of June 2023, the Board of Governors of the Federal Reserve System (Federal Reserve), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC), collectively the "agencies", issued long-awaited third-party risk management (TPRM) guidance that was originally proposed in July 2021. The final guidance rescinds and replaces each agency's prior third-party guidance.1

Despite the large volume of comment letters received, the final guidance adds prescriptive and clarifying language beyond what appeared in the July 2021 proposal, while still allowing financial institutions the latitude to take a risk-based approach that accommodates varying sizes, complexity, and risk profiles.

Specifically, the final guidance provides clarity regarding expectations for managing the third-party risk associated with a financial institution's use of independent consultants, fintech partnerships, outsourced services, merchant payment processing services, and joint ventures.2

While the specific supervisory application of these changes is not yet known, the final guidance contains important clarifications and takeaways that institutions should acknowledge now.

1. Not all third-party relationships present the same degree of risk to a financial institution's operations. Accordingly, a risk management framework should be tailored to the specific circumstances and the level of risk presented by each third-party relationship. The risk management life cycle in the final guidance is unchanged from the proposal: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.3

2. The final guidance clarifies the definition and characteristics of "critical activities", the third-party engagements that warrant more rigorous oversight. An activity is critical if it would:

  • Cause a banking organization to face significant risk if the third party fails to meet expectations;
  • Have significant customer impacts; or
  • Have a significant impact on a banking organization's financial condition or operations.

3. Banks should have appropriate oversight of subcontractors and other fourth-party relationships. The implied focus is on the bank's assessment of the third party's own oversight and risk management structure for its subcontractors, and on the ongoing effectiveness of that structure. The final guidance specifies that financial institutions should "involve staff with the requisite knowledge and skills in each stage of the risk management life cycle. A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff."4

4. The final guidance allows financial institutions to use collaborative arrangements (with appropriate due diligence) and external parties (such as independent contractors and vendors) to support and supplement their business-as-usual (BAU) monitoring activities. However, each financial institution remains ultimately accountable for managing the risks associated with its own third-party arrangements.5

5. The board of directors plays a crucial role in the governance and oversight of the institution. Accordingly, the final guidance clarifies how boards should oversee third-party risk management activities, specifically the enterprise-wide policies, procedures, practices, frameworks, and standards approved and implemented by senior management. Additionally, the final guidance indicates that financial institutions should have a process for conducting independent assessments of their TPRM processes.

Financial institutions should prepare for heightened supervisory scrutiny of their TPRM processes. The final guidance applies to all financial institutions irrespective of size and complexity (including community banks), and extends to bank-fintech partnerships and data aggregator relationships. While TPRM is already a standard component of supervisory examinations, financial institutions should expect enhanced scrutiny and take the opportunity to evaluate their TPRM processes and controls now.

___________________________________

1. SR Letter 13-19/CA Letter 13-21, Guidance on Managing Outsourcing Risk (Dec. 5, 2013, updated Feb. 26, 2021); FIL-44-2008, Guidance for Managing Third-Party Risk (June 6, 2008); OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance; and OCC Bulletin 2020-10, Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29. The final guidance incorporates changes reflecting 15 of the 27 FAQs in OCC Bulletin 2020-10, which were an exhibit to the proposed guidance.
2. "Third-Party Relationships: Interagency Guidance on Risk Management," OCC Bulletin 2023-17, 6 June 2023, https://www.occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53a.pdf
3. "Federal Banking Agencies Issue Final Guidance on Third-Party Risk Management: Six Things to Know," Covington, 12 June 2023, https://www.cov.com/-/media/files/corporate/publications/2023/06/federal-banking-agencies-issue-final-guidance-on-thirdparty-risk-management--five-things-to-know.pdf
4. "Third-Party Relationships: Interagency Guidance on Risk Management," OCC Bulletin 2023-17, 6 June 2023, https://www.occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53a.pdf
5. "Proposed Interagency Guidance on Third-Party Relationships: Risk Management," Federal Register, 19 July 2021, https://www.federalregister.gov/documents/2021/07/19/2021-15308/proposed-interagency-guidance-on-third-party-relationships-risk-management

© Capco 2025, A Wipro Company