On June 6, 2023, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FED), and the Federal Deposit Insurance Corporation (FDIC), issued the Interagency Guidance on Third-Party Relationships: Risk Management (Guidance).
The new interagency guidance supersedes prior guidance:
The Guidance rescinds (i) OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance”; (ii) OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (OCC FAQs); (iii) FED’s SR Letter 13-19/CA Letter 13-21, “Guidance on Managing Outsourcing Risk” (December 5, 2013, updated February 26, 2021); and (iv) FDIC’s FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008).
Regarding the OCC FAQs, concepts from most of the FAQs are expressly incorporated throughout the Guidance; concepts from other FAQs were not incorporated because they were deemed adequately covered by other agency issuances (see p. 25). The only FAQ item expressly excluded from the Guidance is OCC FAQ 4, which discussed risk management with respect to data aggregators; rather than incorporate concepts from FAQ 4, the agencies opted “to provide broad risk management guidance[.]” (See pp. 4, 15).
The staff memo requesting approval of the final guidance highlighted changes made to the following “key areas”:
- Tailoring: The Guidance emphasizes a sound third-party risk management framework calling for a banking organization to consider the level of risk, complexity, and size of the banking organization and the nature of each third-party relationship. The Guidance also notes that not all third-party relationships present the same risks and that banking organizations should tailor their practices to the risks presented. (See pp. 1, 12, 15-16, 19, 21, 31, 66).
- Supervisory approach: Examiners are now directed to “consider that banking organizations engage in a diverse set of third-party relationships, that not all third-party risk relationships present the same risks, and that banking organizations accordingly tailor their practices to the risks presented, [so that] the scope of the supervisory review depends on the degree of risk and the complexity associated with the banking organization’s activities and third-party relationships.” (See pp. 66-67).
- Fintech partnerships: The Guidance explicitly brings bank-fintech partnerships within the scope of the covered business relationships, including those that may involve novel or complex structures, where the fintech may interact directly with and serve as the intermediary providing the banking service to the end customer. (See p. 30).
- Incorporating illustrative examples: The Guidance clarifies that “[e]xamples of considerations are merely illustrative, not requirements, and may not be applicable or material to each banking organization or each third-party relationship. The examples are not intended to be interpreted as exhaustive or to be used as a checklist.” (See p. 16).
- Support for community banks with limited technical resources: The Guidance acknowledges suggestions made by commenters that may help small banks reduce due diligence burden, such as resorting to collaborative industry efforts (such as pooling resources) and relying on independent third-party certifications. (See pp. 18, 21).
OTHER POINTS TO NOTE:
The Guidance Emphasizes Its Broad Applicability:
- The Guidance states that it is relevant for all third-party relationships, including situations in which a banking organization provides services to another banking organization (p. 29, fn 5);
- Confirms that the terms “business arrangement” and “third-party relationship” are synonymous with one another (p. 30, fn 6);
- After listing examples of “business arrangements” (outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures), the Guidance explicitly states that the term “business arrangement” may include:
  - certain “customer relationships” based upon the elements and features of the customer relationship; and
  - bank-fintech partnerships (pp. 8, 30).
New Risk-Based Approach to Identifying Critical Activities:
Banking organizations are expected to engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities (p. 31).
- Instead of focusing upon “significant investment” and “significant bank function” in determining a “critical activity”, the Guidance emphasizes illustrative, risk-based characteristics, such as activities that:
  - cause significant risk to the organization if the third party fails to meet expectations;
  - have significant impact on customers; or
  - have significant impact on a bank’s financial condition or operation.
- The Guidance states that an activity that is critical for one may not be critical for another (pp. 31, 32).
Agencies Adjust Guidance with respect to Subcontractors:
Recognizing industry concerns regarding the complexities around subcontracting, the agencies revised their guidance to focus on a banking organization’s approach to evaluating a third party’s own processes for overseeing subcontractors (pp. 22-23, 44-45), and to streamline the Guidance to promote flexibility and improve clarity (e.g., removing the term “critical contractor”) (pp. 23, 55‑56).
Key Considerations Remain the Same
As required today, a banking organization’s risk management practices associated with its third‑party relationships should ensure that third-party activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, including, but not limited to, those designed to protect consumers (i.e., fair lending laws, prohibitions against unfair, deceptive or abusive acts or practices, and laws and regulations addressing financial crimes) (pp. 4, 29, fn. 4).
Regulated entities and bank affiliates are not exempt from risk management considerations:
The agencies’ principles-based Guidance “provides a flexible, risk-based approach to third-party risk management that can be adjusted to the unique circumstances of each third-party relationship.” However, the agencies “do not believe it would be appropriate to prescribe alternative approaches or to broadly assume lower levels of risk based solely on the type of a third party. For example, while a third-party relationship with an affiliate may have different characteristics and risks as compared to those with non-affiliated third parties, affiliate relationships may not always present lower risks. The same is true for third parties that are subject to some form of regulation” (pp. 14, 15).
Practical Considerations for banking organizations:
- A banking organization’s monitoring of third-party relationships and the approach may differ depending on the unique circumstances of the third-party relationship but should be commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationship (pp. 31-32).
- The relevance of the considerations, including any examples, discussed in the Guidance should be determined by the banking organization based upon the unique circumstances of the bank/third‑party relationship (p. 12, 15, 31).
- A banking organization should view examples in the Guidance as illustrative only. They are not requirements and are not to be interpreted as exhaustive or used as a checklist. They may not apply or be material to each third-party relationship (p. 16).
- The level of detail and comprehensiveness of the third-party contract provisions may be tailored based upon the risk and complexity posed by the particular third-party relationship with the banking organization (p. 46).
- Due diligence should be tailored to the specific activity performed by the third party and be commensurate with the level of risk and complexity of the third-party relationship (p. 36).
- A banking organization is advised to maintain a complete inventory of its third-party relationships (pp. 65, 31).
- A banking organization’s risk management processes should:
  - take a flexible approach in assessing third-party risks, acknowledging that different relationships present varying risks and levels of risk (p. 8);
  - be tailored to the banking organization’s and third party’s circumstances at hand so that the activities and third-party relationships that deserve more comprehensive oversight are effectively and accurately identified and designated (a third-party relationship that poses a “critical activity” for one banking organization may not pose a “critical activity” for another banking organization) (p. 32);
  - apply a flexible and tailored approach to all stages of the risk management life cycle of a relationship (p. 32);
  - identify whether any of its customer relationships fall within the Guidance’s definition of “business arrangement”, meriting the application of the Guidance’s considerations (p. 8); and
  - engage staff in each stage of the risk management life cycle who have the requisite knowledge and skills, including experts across disciplines (e.g., compliance, risk, technology, legal and external support) as appropriate (p. 32).