On July 13, the Federal Reserve, FDIC, and OCC proposed risk management guidance to help banking organizations manage risks related to third-party relationships, including relationships with vendors, FinTech companies, affiliates, and the banking organizations’ holding companies. The proposal is based on existing but disparate third-party risk management guidance from the three prudential regulators, and is intended to promote consistency across the banking agencies. If finalized, it will replace the guidance that each agency has released independently.
The proposal addresses key components of third-party risk management, including:
- Planning. Identify the banking organization’s strategy, the risks associated with the business arrangement, and how the organization will select, assess, and oversee the third party.
- Due Diligence and Third-Party Selection. Assess a third party’s ability to follow the banking organization’s policies, comply with applicable laws and regulations, and operate in a safe and sound manner.
- Contract Negotiation. Negotiate a contract that clearly specifies the rights and responsibilities of each party to the contract.
- Oversight and Accountability. Supervise risk management procedures, maintain records and reporting for oversight accountability, and conduct independent reviews.
- Ongoing Monitoring. Monitor third-party activities and performance on an ongoing basis.
- Termination. Terminate relationships in an efficient manner and consider all contingencies resulting from the termination.
Comments on the proposed guidance must be received within 60 days of its publication in the Federal Register.
Putting it Into Practice: While third-party risk management has been a focus of bank examinations for decades, the prudential regulators are unifying their efforts as banks increasingly partner with outside companies for core bank processing, accounting, compliance, human resources, and loan servicing. Even though the proposed single interagency framework is based largely on the OCC Guidance (See OCC Bulletin 2013-29), banks and third parties should review the proposed guidance with an eye towards past enforcement actions as a guide to where the prudential regulators will focus their supervision.
Financial institutions and nonbanks that fall under the supervision of the CFPB should also recall the Bureau’s guidance (See CFPB Compliance Bulletin and Policy Guidance 2016-02), which lays out steps to ensure that business arrangements with service providers do not present unwarranted risks to consumers. Supervised entities should also be aware that, like the prudential regulators, the CFPB has supervisory and enforcement authority over service providers, including the authority to examine the operations of service providers onsite.