Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > News & Events > Financial Institution Letters

Financial Institution Letters

Third-Party Risk
Guidance for Managing Third-Party Risk
June 6, 2008

Summary: The attached FDIC guidance describes potential risks arising from third-party relationships and outlines risk management principles that may be tailored to suit the complexity and risk potential of a financial institution's significant third-party relationships.

Financial institutions often rely upon third parties to perform a wide variety of services and other activities. An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.
Management should tailor the principles contained in this guidance to each significant third-party arrangement, taking into consideration such factors as the complexity, magnitude, and nature of the arrangement and associated risks. This guidance outlines the potential risks that may arise from the use of third parties and addresses the following four basic elements of an effective third-party risk management program:

  • Risk assessment
  • Due diligence in selecting a third party
  • Contract structuring and review
  • Oversight
This guidance is based on and supplements the principles contained in policy guidance that has previously addressed third-party risk in the context of specific functions, such as information technology. This guidance is intended to assist in the effective management of third-party relationships, and should not be considered as a set of required procedures.

FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Financial Officer
Chief Compliance Officer
Chief Risk Officer

Related Topics:
Risk Management
Third-Party Contracts
Outsourcing Arrangements
FFIEC IT Handbook on Outsourcing Technology Services (June 2004)
Required Notification for Compliance with the Bank Service Company Act

Guidance for Managing Third-Party Risk
Guidance for Managing Third-Party Risk (PDF Help)

Senior Examination Specialist Kenyon
T. Kilber (Risk Management) at or
(202) 898-8935, or Policy Analyst Victoria Pawelski
(Compliance) at or (202) 898-3571

Printable Format:
FIL-44-2008 (PDF Help)

FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at

To receive FILs electronically, please visit

Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

Last Updated 6/6/2008

Skip Footer back to content