On June 6, 2023, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (collectively, the “Agencies”) issued final guidance on managing risks associated with third-party relationships, including relationships with fintechs (the “Final Guidance”).[1]
Effective as of the June 6, 2023 issuance date, the Final Guidance replaces each of the Agencies’ existing guidance on third-party risk management and provides consistency in the Agencies’ supervisory approaches.[2]
The Final Guidance is directed to all banking organizations supervised by the Agencies and advises such organizations to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
Background and highlights
On July 19, 2021, the Agencies published proposed guidance for banking organizations on managing risks associated with third-party relationships (the “Proposed Guidance”). The Proposed Guidance was based on the OCC’s existing third-party risk management guidance from 2013[3] and included as an exhibit the OCC’s 2020 FAQs,[4] which clarified the OCC’s 2013 guidance and extended it to new industry topics and technology developments.
The Proposed Guidance set out a risk management framework covering the various stages in the life cycle of a third-party relationship, described in more detail below. The Final Guidance largely mirrors the Proposed Guidance.
The Final Guidance also emphasizes the expected involvement, approval and oversight of the bank’s board of directors in third-party risk management. The board of directors should oversee third-party risk management, provide clear guidance regarding acceptable risk tolerance, approve relevant board policies and ensure that appropriate bank procedures and practices are established.
The Final Guidance states that a bank’s board of directors should be aware of and, as appropriate, approve contracts involving higher-risk activities. For example, where a third-party relationship involves “critical activities,” a bank may present its plans to the board and seek the board’s approval.
Overview of Final Guidance
The Final Guidance applies to all third-party relationships, defined as “any business arrangement between a banking organization and another entity, by contract or otherwise.”[5] Further, such relationships “may exist despite a lack of a contract or remuneration” and may include “outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.”[6]
The Final Guidance provides an overview of risk management and explains that not all relationships present the same level of risk, and therefore not all relationships require the same level or type of oversight or risk management. Accordingly, a banking organization should tailor its risk management practices so that they are commensurate with its size, complexity, and risk profile and with the nature of the third-party relationship. Critical activities, in particular, may require a banking organization to engage in more comprehensive and demanding oversight and management of the third-party relationship. Critical activities include activities that could:
- Cause a banking organization to face substantial risk if the third party fails to meet expectations.
- Have significant customer impacts.
- Have a significant impact on a banking organization’s financial condition or operations.
Like the Proposed Guidance, the Final Guidance references the third-party relationship life cycle, acknowledging that effective third-party risk management generally follows a “continuous life cycle for third-party relationships.”[7] The stages of the life cycle are planning; due diligence and third-party selection; contract negotiation; ongoing monitoring; and termination.
The Final Guidance provides a brief overview of each Agency’s supervisory reviews, emphasizing that each Agency will review its supervised banking organizations’ risk management of third-party relationships as part of its standard supervisory processes.
The Final Guidance describes typical activities conducted by examiners when reviewing third-party risk management. It closes by stating that legal authority or corrective measures, including enforcement actions, may be used depending on a party’s ability to fulfill its obligations in a safe and sound manner and in compliance with applicable laws and regulations.
Key developments and changes
While the Final Guidance is similar to the Proposed Guidance, it also includes several key developments and changes. The Final Guidance suggests that “[m]aintaining a complete inventory of all third-party relationships”[8] and completing periodic risk assessments for each third-party relationship can support a bank’s determination of whether risks have changed over time and whether its risk management practices need to be updated.
Unlike the Proposed Guidance, the Final Guidance does not specifically exclude customer relationships from the definition of “business arrangement.” The preamble states that the Agencies implemented such change to reduce ambiguity as “some business relationships may incorporate elements or features of a customer relationship.”[9] The Final Guidance revises the definition of “critical activities,” and eliminates “significant investment” and “significant bank function” from the term to avoid imprecise concepts.
The Agencies emphasize that the considerations provided in the Final Guidance are intended to be illustrative rather than to impose requirements, and that they may not be applicable or material to every banking organization or third-party relationship. The Agencies further announced that they plan to engage with community banks and develop additional resources to assist “smaller, non-complex community banking organizations” in managing relevant third-party risks.[10]
Dissent by Governor Michelle Bowman
FRB Governor Michelle Bowman was the sole dissenting vote on the Final Guidance. In her statement, Governor Bowman stated that unlike the Proposed Guidance, which was supplemented by several implementation aids and tools that provided clear, practical, and tailored expectations for small banks, the Final Guidance fails to take comparable measures to mitigate regulatory burden on smaller institutions.
Further, Governor Bowman noted that while the Final Guidance recommends that a sound third-party risk management framework be tailored to a bank’s level of risk, complexity, and size, the Final Guidance nonetheless fails to provide the “necessary clarity or supplemental tools to facilitate small bank implementation.”[11]
Governor Bowman expressed disappointment in the Agencies’ failure to make the “upfront investment to reduce confusion and burden on community banks” and further noted that she expects community banks will find the Final Guidance challenging to implement.[12]
Implications for banks
- Banks may want to consider whether enhancements to documentation related to third-party risk management would help formalize or evidence existing processes and procedures. Banks should also consider implementing an inventory of all third-party relationships, or enhancing the inventory they already maintain.
- While most banks already tailor policies and procedures to reflect a risk-based approach to third-party risk management (even if not formally documented), banks may want to review and update their process for identifying “critical activities” as defined in the Final Guidance.
- The preamble to the Final Guidance clarifies that the intended scope of third-party relationships covered by the Final Guidance is broad, and banks may want to review their current third-party risk management framework and consider whether any changes are needed. For example, the Federal Reserve’s previous guidance on third-party risk management was limited to outsourcing relationships with service providers.
- Community banks should be on the lookout for additional resources from the Agencies intended to assist smaller, non-complex community banks in managing relevant third-party risks.
- Community banks should also consider that entering more involved fintech partnerships (especially those where the bank will be the issuing bank for products and services marketed and supported by the fintech) will result in complex and costly onboarding, monitoring, and oversight of the fintech partners. For example, in many bank-fintech partnerships, the bank continuously reviews and approves the fintech’s marketing materials and retains ongoing obligations for any BSA/AML and OFAC functions that are outsourced to the fintech partner.
- With respect to bank-fintech partnerships, it remains to be seen whether the Final Guidance and its explicit “in-scope” coverage of fintech partnerships will result in an increased number of examinations of service providers under the Bank Service Company Act, which authorizes the Agencies to regulate and examine the performance of services authorized under that Act that third-party service providers furnish to banking organizations.
Additional Takeaways and Practical Advice
The Final Guidance illustrates the Agencies’ increased focus on relationships between banking organizations and third parties, including both traditional service providers and fintechs. Because the Final Guidance generally aligns with the Proposed Guidance, it does not impose significant changes on a banking organization’s third-party risk management framework; however, it does provide new considerations and factors for banking organizations to weigh when monitoring and maintaining such relationships. Banking organizations should review the key developments and changes from the Proposed Guidance discussed above and identify any policies or procedures that may need to be updated to meet the expectations outlined in the Final Guidance.
[1] “Interagency Guidance on Third-Party Relationships: Risk Management,” 88 FR 37920 (June 6, 2023).
[2] See SR Letter 13–19/CA Letter 13–21, “Guidance on Managing Outsourcing Risk” (December 5, 2013, updated February 26, 2021); FIL–44–2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); OCC Bulletin 2013–29, “Third-Party Relationships: Risk Management Guidance”; and OCC Bulletin 2020–10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013–29.” The OCC also issued foreign-based third-party guidance, OCC Bulletin 2002–16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance.”
[3] OCC Bulletin 2013–29, “Third-Party Relationships: Risk Management Guidance.”
[4] OCC Bulletin 2020–10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013–29.”
[5] “Interagency Guidance on Third-Party Relationships: Risk Management,” 88 FR 37920 (June 6, 2023) at 37927.
[6] Id.
[7] Id. at 37928.
[8] Id.
[9] Id. at 37922. See also Statement by Jonathan McKernan, Director, FDIC Board of Directors, on Third-Party Risk Management Guidance (“As originally proposed in July 2021, the third–party risk management guidance generally excluded a bank’s customer relationships from its scope. This exclusion of customer relationships was consistent with existing guidance at the time. Today’s final joint guidance has removed the proposal’s exclusion of customer relationships. According to the agencies, this change ‘is intended to reduce ambiguity.’ In my view, the exclusion’s removal itself creates ambiguity. The final guidance is now unclear as to whether or when it applies to arrangements involving depositors, borrowers, or other customers of traditional banking services.”)
[10] Id. at 37926.
[11] Board of Governors of the Federal Reserve System, Statement on Third Party Risk Management Guidance by Governor Michelle W. Bowman, (June 6, 2023) https://www.federalreserve.gov/newsevents/pressreleases/bowman-statement-20230606.htm.
[12] Id.
