The FRB, FDIC, and OCC jointly issued proposed guidance on managing risks associated with third-party relationships, including relationships with financial technology-focused entities. As proposed, the joint guidance would be based on the OCC’s existing 2013 third-party risk management guidance with applicable changes to extend the scope to banking organizations supervised by the FRB and FDIC. The agencies are also considering whether to incorporate guidance from the OCC’s 2020 Frequently Asked Questions (FAQs) on Third-Party Relationships into the proposed guidance.
When finalized, the joint guidance would replace each agency’s existing guidance on third-party risk management.
The proposed guidance:
- Describes third-party relationships as business arrangements between a banking organization and another entity, by contract or otherwise.
- Stresses the importance of a banking organization appropriately managing and evaluating the risks associated with each third-party relationship throughout the life cycle of the relationship including i) planning, ii) due diligence and selection, iii) contract negotiation, iv) oversight and accountability, v) ongoing monitoring, and vi) termination.
- States that a banking organization’s use of third parties does not diminish the responsibilities of its board of directors to provide oversight of senior management to perform an activity in a safe and sound manner and in compliance with applicable laws and regulations, including addressing consumer protection, information security, and other operational risks.
- Indicates that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk complexity from the third-party relationships, and with the organizational structure of each banking organization.
- Is intended for all third-party relationships and is especially important for relationships that a banking organization relies on to a “significant extent,” relationships that entail greater risk and complexity, and relationships that involve “critical activities.”
Topics covered in the FAQs include:
- Cloud providers and data aggregators as third parties.
- Responsibilities regarding a third-party’s subcontractors.
- Risk management related to the use of third-party models.
- Risk management is related to obtaining alternative data from a third party.
- Fintech arrangements and critical activities.
- Collaboration with banks sharing the same service providers.
The agencies note that “as the banking industry becomes more complex and technologically driven, banking organizations are forming more numerous and more complex relationships with other entities to remain competitive, expand operations, and help meet customer needs.” They add, the “use of third parties can reduce management’s direct control of activities and may introduce new risks or increase existing risks, such as operational, compliance, reputation, strategic, and credit risks and the interrelationship of these risks.”