The guidance outlines principles and key considerations for banking organizations as they navigate risks associated with third parties, including fintechs.

By Arthur S. Long, Parag Patel, Barrie VanBrackle, Pia Naib, Ja Hyeon Park, Victor Razon, and Deric Behar

On June 6, 2023, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) issued final supervisory guidelines for banking organizations on managing risks associated with third-party relationships (Joint Guidance). The Joint Guidance replaces existing individual agency guidelines, and harmonizes the principles- and risk-based approach of the three agencies concerning risk management of third-party relationships.

Although the Joint Guidance applies to all banking organizations that the agencies supervise, it does not create any new legal obligations or offer prescriptive requirements. It does, however, provide important considerations for banking organizations and the third parties with which they engage, and will help banks develop tailored approaches to third-party risk management.

In-Scope Arrangements and Activities

The Joint Guidance presents a series of recommended actions for banks to take when engaging in business arrangements with third parties. Importantly, the Joint Guidance does not provide a blanket exclusion for customer relationships from the definition of third-party relationships, given that “some business relationships may incorporate elements or features of a customer relationship.”

Some business arrangements present lower levels of risk, and therefore risk management may be tailored for reduced oversight. However, certain business arrangements involve critical activities, such as those that:

  • pose a significant risk to the banking organization if the third party does not meet expectations;
  • significantly affect customers; or
  • significantly affect a banking organization’s financial conditions or operations.

Banking organizations are responsible for identifying their critical activities and the third-party relationships that support such activities. If a third-party relationship concerns critical activities, the Joint Guidance recommends that banking organizations engage in sound risk management to appropriately address the heightened risks.

The Third Party Relationship Life Cycle

The Joint Guidance presents the Third Party Relationship Life Cycle, an illustrative framework that aims to capture the unique risk management concerns that arise at different times over the course of a third-party relationship. The Third Party Relationship Life Cycle includes the following phases and considerations:

  • Planning: When third-party relationships support a banking organization’s higher risk or critical activities, more robust planning and risk management may be warranted.
  • Due Diligence: The scope and degree of a banking organization’s due diligence should be commensurate with the level of risk and complexity of the third-party relationship. If a banking organization cannot perform the enumerated due diligence activities, it should identify such limitations, understand the associated risks, and consider alternatives to try to mitigate those risks.
  • Contract Negotiations: Banking organizations should closely consider the risks and rewards involved in executing contracts with third parties, and negotiate appropriately to address the risks, especially those involving higher-risk activities.
  • Ongoing Monitoring: Banking organizations should continuously monitor third-party arrangements to “confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations,” and to escalate and respond to significant issues or concerns, commensurate with the risks that they pose.
  • Termination: Banking organizations may terminate an existing business arrangement with a third party, but they should carefully consider the management of related risks.

Oversight and Accountability

A banking organization’s board of directors is ultimately responsible for overseeing and approving risk management processes, and holding management accountable for proper implementation and compliance. Boards should therefore consider the following practices:

  • Ensuring that management integrates third-party risk management into its wider risk management framework; conducts appropriate planning, due diligence, implementation, monitoring, and escalation; maintains appropriate internal controls and staffing levels; and reports periodically to the board on third-party risk management activities
  • Conducting independent reviews of third-party relationships
  • Documenting the risk management process over the course of third-party arrangements

Critical Views

The Joint Guidance aims to promote a tailored approach to third-party risk management among banks. It is not, however, without its critics in the agencies.

FRB Governor Michelle W. Bowman, the first governor to fill the Dodd-Frank-created role of a governor with community banking experience, opposed the Joint Guidance, stating that it improperly applies the same expectations to all banks regardless of size and complexity. She criticized what she described as a “one-size-fits all approach” for not taking into account “the compliance and implementation burden imposed on . . . small banks,” while at the same time failing to “provide the necessary clarity or supplemental tools to facilitate small bank implementation.”

FDIC Director Jonathan McKernan stated that the Joint Guidance is “unclear as to whether or when it applies to arrangements involving depositors, borrowers, or other customers of traditional banking services.” He noted that this issue is addressed in the FDIC’s related Financial Institutions Letter (FIL-29-2023)[1] but questioned whether more formal clarification is needed. He also stated that although the Joint Guidance is not intended to be prescriptive, he supported developing “a separate resource guide for community banks as soon as practicable.”

The FRB’s Staff Letter accompanying the Joint Guidance stated that “[t]he agencies plan to develop additional resources to assist smaller, non-complex community banking organizations in managing relevant third-party risks.” No timeline was, however, provided.

As to the criticism that the Joint Guidance promulgates a one-size-fits-all approach, the FRB Staff Letter emphasized that tailoring is the spirit of the Joint Guidance. It noted that because the level of risk, complexity, size of a banking organization, and the nature of its third-party relationships may vary, “banking organizations should tailor their practices to the risks presented.” The Staff Letter also clarified that the regulators’ supervisory approach to examining third-party risks and the effectiveness of a banking organization’s risk management will be tailored to take into account such qualitative differences among banking institutions.

Why This Matters

The Joint Guidance explicitly scopes in banking relationships with organizations such as fintech companies defined by “new or novel structures and features” when (according to the FRB’s Staff Letter) “the fintech may interact directly with and serve as the intermediary providing the banking service to the end customer.” Fintechs, however, are not singled out for any particular risk as a class, and banking organizations are not precluded from considering fintech relationships within their overall tailored approach to risk management. Although banking organizations are expected to analyze the risks associated with each third-party relationship, risk management vis-à-vis any particular fintech relationship should be commensurate with the banking organization’s size, complexity, and risk profile. The Joint Guidance therefore affords banking organizations “flexibility in their approach” to assessing third-party risks, and in their adoption and application of the principles described therein.

This post was prepared with the assistance of Sam Taylor.


[1] The FDIC’s Financial Institutions Letter states that “[r]elationships that are only between banks and their direct customers of traditional bank products and services (such as deposit accounts or retail or commercial loans) would not be addressed in a third-party risk management framework and are covered by the various risk management processes and rules that apply to traditional lending and deposit relationships.”